XPost: linux.debian.devel
To: 1094969@bugs.debian.org

This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------hB2gDK6PUsSMeSC6HMtr60zv
Content-Type: multipart/mixed; boundary="------------4Hcc5qDEKFhkrGCavbCDrXKa"

--------------4Hcc5qDEKFhkrGCavbCDrXKa
Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

DQpPbiAxNC8wNC8yMDI1IDExOjE0IGFtLCBBbmRyZWFzIE1ldHpsZXIgd3JvdGU6DQo+IE9u IDIwMjUtMDQtMTMgQ2hyaXMgSG9mc3RhZWR0bGVyIDx6ZWhhQGRlYmlhbi5vcmc+IHdyb3Rl Og0KPj4gYnJpYW4gbS4gY2FybHNvbiAob25lIG9mIHRoZSBnaXQgdXBzdHJlYW0gY29weXJp Z2h0IGhvbGRlcnMpIGNsYWltcw0KPj4gaW4gQnVnICMxMDk0OTY5IHRoYXQgZ2l0IGNhbm5v dCBiZSBkaXN0cmlidXRlZCB3aGVuIGxpbmtlZCB3aXRoDQo+PiBPcGVuU1NMLiBJSVJDIHRo ZSBEZWJpYW4gcG9zaXRpb24gaXMgdG8gdXNlIHRoZSBzeXN0ZW0gbGlicmFyeQ0KPj4gZXhj ZXB0aW9uLg0KPj4gSW5kZWVkIG91ciAvdXNyL2xpYi9naXQtY29yZS9naXQtcmVtb3RlLWh0 dHBzIGxpbmtzIGFnYWluc3QNCj4+IGxpYnNzbC5zby4zLCBwcm9iYWJseSB2aWEgbGliY3Vy bC1nbnV0bHMuc28uNC4NCj4+IFRvIGF2b2lkIGludHJvZHVjaW5nIGRpc3Ryby13aWRlIGNo YW5nZXMgYXQgYSB0aW1lIHdoZXJlIHRoaXMgc2VlbXMNCj4+IGluYXBwcm9wcmlhdGUsIGFu IG9wdGlvbiBpcyB0byBkaXNhYmxlIGJ1aWxkaW5nIGdpdCB3aXRoIGxpYmN1cmwuDQo+PiBC ZWxvdyBpcyBhIHNpbXBsZSBwYXRjaCB0byBhY2NvbXBsaXNoIHRoaXMuIEJhcnJpbmcgYW55 IG5ldyBpbnNpZ2h0cw0KPj4gb3IgZmVlZGJhY2sgZnJvbSB0aGUgaW52b2x2ZWQgbWFpbnRh aW5lcnMsIHRoaXMgbWlnaHQgYmUgYSB3YXkgb3V0Lg0KPj4gSSBiZWxpZXZlIGFsbCByZWxl dmFudCBwZW9wbGUgYXJlIGluIENDOiwgYW5kIHRoZXkgY2FuIGZpZ3VyZSB0aGlzDQo+PiBv dXQuICBEZXRhaWxzIGNhbiBiZSBmb3VuZCBpbiB0aGUgYnVnLg0KPiBbLi4uXQ0KPg0KPiBI ZWxsbywNCj4NCj4gd2VsbCwgd2UgaGF2ZSBkZWNpZGVkIHRvIHVzZSB0aGUgc3lzdGVtIGxp YnJhcnkgZXhjZXB0aW9uIGJlY2F1c2Ugd2UNCj4gdGhvdWdodCB3ZSBoYWQgdGhlIHJpZ2h0 IHRvIHNvLCBub3QgYmVjYXVzZSB3ZSBob3BlZCB0aGF0IG5vIGNvcHlyaWdodA0KPiBob2xk ZXIgd291bGQgbm90aWNlLiBVbmRvaW5nIHRoaXMgZm9yIHNwZWNpZmljIHBhY2thZ2VzIHdo ZXJlIGENCj4gY29weXJpZ2h0IGhvbGRlcnMgdGVsbHMgdXMgaGUgZGlzYWdyZWVzIHVuZGVy bWluZXMgdGhpcyBwb3NpdGlvbi4gSW1obyB3ZQ0KPiBuZWVkIHRvIGVpdGhlciB3aXRoIHVz aW5nIHRoZSBleGNlcHRpb24gb3Igc29tZWJvZHkoVE0pIG5lZWRzIHRvIGRvIGENCj4gbGlj ZW5zZSBhbmFseXNpcyBvZiBvdXIgcGFja2FnZXMgYW5kIHdlIHRoZW4gbmVlZCB0byBpbXBs ZW1lbnQgY29kaW5nDQo+IGNoYW5nZXMgdG8gd2VlZCBvdXQgYW55IGFuZCBhbGwgR1BMPC0+ b3BlbnNzbCBsaW5rYWdlLg0KPg0KPiBQZXJzb25hbGx5IEkgZG91YnQgd2UgaGF2ZSB0aGUg bWFucG93ZXIgbm93YWRheXMgdG8gc3dpdGNoIGJhY2sgZnJvbQ0KPiBsaW5raW5nIGFnYWlu c3QgT3BlblNTTC4NCj4NCj4gY3UgQW5kcmVhcw0KPg0KRGlkbid0IE9wZW5TU0wgc3dpdGNo IGxpY2Vuc2UgdG8gQXBhY2hlIDIuMCBhbmQgbm93IGNvbXBhdGlibGUgd2l0aCBHUEw/IA0K V2hhdCBhbSBJIG1pc3NpbmcgaGVyZT8NCg==
--------------4Hcc5qDEKFhkrGCavbCDrXKa
Content-Type: application/pgp-keys; name="OpenPGP_0x8F53E0193B294B75.asc" Content-Disposition: attachment; filename="OpenPGP_0x8F53E0193B294B75.asc" Content-Description: OpenPGP public key
Content-Transfer-Encoding: quoted-printable

-----BEGIN PGP PUBLIC KEY BLOCK-----

xsFNBF41S9ABEADELm+hJ5iCLke3NvzOH+cE8LvZ8ZLR/r296bpYxNpx08fXPlj3 8YeBErqKKvh6kGaOaUEUBCkDzKhqJxU/1T++2iRTUnhTqjS1hBte/IxPiIjcHFiA d69U+UAwGMEMpBGWNUd0VqKH3ZKd8eokztP1rML+nCyXId/Kfg5qZAoKCqRRqOpS fs31YRoxRk/OqSn81h2GfrxgBWGpFMMrtujfpUmJMx9Qm3JgVt39r2Hj2Ee1JLrq OP7S7Gm1a+rZOZwV0UtRucRiUzVn8otL7QR7udjYjccJUjdFRshgDV+2w5w40HZg cqEuTPqj1BxwPzkYIpLjQbdrLSOMzp7OVrEuomAntyoL6lOnlWV5+R9upC+6bGT7 GtOwhmd9iGPezgfpnM/BrJAvyQ4BN+nHj7/1aEECu0NN76hip+z9TRTw1mHQnpZa HUnT2pBPY+grwLi5QlvjOqBICtWPI6fSIT5kZj1tLPZwIed1Q5zxjlo1zbOzotJc GapvNHlc+o7jvlT5vrXzFoycsQOlLyZpU0tuzOTRalxyim7ZgKugiXF/er772G05 VKU0T+jnqL1Hc0sMKCJGafhX2/7ZD67CUM2gFmh9IQcouOBdSasOGHSAdTmukvsr D2oh2JlgLQh0hXPdXxei5CBPe27x+SncYQ1fj7drdHBqCcjKJH1++Zn8hwARAQAB zUJQcmF2ZWVuIEFyaW1icmF0aG9kaXlpbCAoUGlyYXRlKSA8cHJhdmVlbi5hcmlt YnJhdGhvZGl5aWxAcHVyaS5zbT7CwY4EEwEKADgWIQTTCGPiYCDlQ/RxmoOPU+AZ OylLdQUCZSE0dgIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCPU+AZOylL dZsQD/4/qPGQinCis0Bjby7ecWQsWhwJ7Wm4uUahHnNwC96MJJ/rBslvYD8ijr0A d8G2hSk8JQP2kMvjPzkxqoJsrGrY4fWVGILwGZRA3fHGJocef/F81e2zMVY00S9d pjDX5x7ALXUR5Pd4eMUER/wvaq7N7q/mA7XgGtERvQ1oaEwzYY2zdMBJetQWd5LV eXWs4e4eVn9sp8njNQYhwSgGOo01LmiTOXBivNpDvF0UpobV7W5u4SpfqPjo9ATw 1bIZxIG5wzk6GKx6RUpXYogYskNFu1qKXNyyWhfi+W46RqJfdSPcK3yYNvJ14KH4 Bir6i+7wYDTJ7WyWBAnHpQ+lgcP6cEdRchfQCJNe0u123Nk1c5idTsVBN3461Zyn MFtGM/FmCIduIj8yaonitW6ZOfxbX69RhUgCOGRDsc0zgubswf7dO1DSMVVa+A/K K0s2HR6fbWh1+66K6iuZkY7JDT2WgyJW7f7cBHDUUk9Wp+FIUW6DsFo2lnGB62gT 4TRgiNbJ9Oqr59ICovd3TdFmL78+4j17xv0KNAL5JNikjrW/C7ipYjwkPapto9zH jbVGg3Shw5/SQrkF2qTifj5FSO/lQdszPB4FlpaLxwvyVAgJIX3PEH9jIpZi061W hnuANJTUHZK/IpqL0zuIN4j24fHQV8oR69CESfIqDhtphnOxV801UHJhdmVlbiBB cmltYnJhdGhvZGl5aWwgKFBpcmF0ZSkgPHByYXZlZW5AZGViaWFuLm9yZz7CwY4E EwEKADgWIQTTCGPiYCDlQ/RxmoOPU+AZOylLdQUCXjVL0AIbAwULCQgHAgYVCgkI CwIEFgIDAQIeAQIXgAAKCRCPU+AZOylLdbO1D/wNbnj1FPNqGJOiKTvRwIzbF2M7 A6HefpIToTzG2sp1NWi1B3+1XjwwyFWbxu3Kk3YbCiRObTdp/Hgb3TOYHK6Fkjfv dUOaNxKHZABOSzM/BBDyUbuCntA1Qj7Joqb2ZyYWZwzQMPJV3In5zPFINXCr+AnL J8M1a2cGkiujSbX1Hoo9ch8ysgb857Z6tn+qiAZ1h3dQp/prqB5G9/fFBQSWBziP PipjdW5UMUs7XgMf8ev0rk8Ko0UBkVKlyrdzctJs11JdVDPWIpltXIQDGCdI0dJc x8xqp/5sbtPoh0HoLmVeiUdOJ2uE9ijK/t3GvZ4wv72/Md+ta0D4oWw1W+nqw19m QF1VKfje43ozddG476PCKldzkffjrW72NzRSSmKftapD0ycAuexkX0H4OB/sr1Yj a/uNUoPbtnmGapiY8B69cueVRmoeuaxASinzq0tWixTr2fUlzReqhEaweNML8wjJ ZpkEdi7xWQ47k+lr5Q8CK0djvCMC31UW2j1YkBzgYe+hBNqNNkTX3hJZELSGvZBJ vR/L6b8En93nnpS3kmlLZ6nkfQO7vyMOXA0bSlp7I019RS9fuhcZQJhCSlM21BcW iKEI6cRUvTzp9SwykkDZtlrtvWRhR/HocTe0vD5HZNsAIyz22WNNgFuQ2whLAKp7 +BkiOlumgQFNhVpbWc07UHJhdmVlbiBBcmltYnJhdGhvZGl5aWwgKFBpcmF0ZSkg PHByYXZlZW5Ab25lbmV0YmV5b25kLm9yZz7CwY4EEwEKADgWIQTTCGPiYCDlQ/Rx moOPU+AZOylLdQUCXjVMXQIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRCP U+AZOylLdUBlD/oD8/k8Tc9ZeisH0WhHKGliZvK9k2hD1OYmZJDWS+XhntbhkNwF dcKJ0SU0dnBXHatqFKSY6WQcmD3dWA8hXGyjhYJTogBvHBqwP8tMkiDqVjtOjMf5 THUbK87ICCcUNrVLykUYpLFZy+/SaS2cxzlwR+wekWZFK4r9kYbFSjnI3Gvcm27a 0j30J1rfNAl2hB6jNGW6XFHcp+yHzJtHll/4rVegLi4ZXWAxf/Cx00Xa0HG4AXkG f0ak+o9zLgEkL00wz4TKvSZVlik7qqzUIBkZUik6tD6LUaRMOeupMq5UFIS6/VkS lyO+lk5nh6Fak5egDt5SF7mCkuIL7wJTKJHFUpZBw7qkJUVEa6qho9TLxKagOfkY /GIXvZDlPeFSm9iTDXLa++u+JG8F2qLyeFMOU5ldOiX+e5vsXB3o+NqCi0VQnJwF DSFHb3lkCzcxfgwhfAJaDaAPm0xl2KpxxjxYzg38eqlZeln9Qy6KfEQhs32eOtb5 SpqGF9WsxaK8XDOfQre9bbf7MmDnoOJ1hhnzyD563jFPuu+bldlGQbfaoxm4lx6n RWeYUuuU+Mg+DxK/AdPstjg1htzUxk8Mpptuc8iVreUe9KFVtsGkyBfxCF6i0FRn /Vfgqz6YwnGPEV8JorpAqshBD4qFQ5uHRc/71CA/ZPJ+qRU31EyuiBJM/c7BTQRe NUvQARAAlQvZ2ADR6H9e/vpSa8sAd/lfoeJGU7V0n1jbfiB9pCjo9ttz6k1M/aKy pLRxG2IbA8eEZffgjATF6pLjvHR93yKCNTBSEgcT0mh+sFkNMaLLnLty2rW+nFDY 2OjRHr04xAAgCBOKFaKGR+1ndAiehDnbT9p1WUVfkTGvxwLFqN7LJV6tyEC0cQ/h ZoeQJitNWQtMLLgq1zlutnc9aS+Gz1SdSXdSYlpZmDkqGzvmP8mnw4cJfjhfx63s catL7oTg2B7y/ka2NXaG2y/6J1W2k9ahtdC/H79yDnPworem8LI1kf7SnDfaMQCM fZ//xvoBvGr0NxTpd7b2pOs7Kj17h614UY8Q3FyQTYrTdEvj1VUmW6Li35vH3vTn WJoPnzxcVH8JdUcE3nVvig3Ma2QYruJsON2FwIiFByEW9kWDj0xHkKZWqNsPr5i+ 93S57Swk+gJS3+uypAG6wYSwKqMScDLSZVdnBgIsAPQyQzk0WXHFlivjqqOrvJGf vhg4CAPVy2Lk+YT4tNamqkN9CqeW+/rizOqC+YsXTcnnuB5j5L7GVZ6wZoyD7OH1 yowkMRT0iv7ujQXZEVR85JKa6h3SGSQSpOrp9TTH2buHhK2yYUvGn8yyeCnQPsOt Fn0VtOENzUl+bo5A9HQml1nAXNxu91RV/AeJIWgnC5hBR1V8ZpsAEQEAAcLBdgQY AQoAIBYhBNMIY+JgIOVD9HGag49T4Bk7KUt1BQJeNUvQAhsMAAoJEI9T4Bk7KUt1 PAwP/1LAF1TeaiiB2CNVYfo4OXNKjoCtnSto2uIN/czok8LZ6IpzkokJSIgyLZXK DMcPzSSfPAFcF9+40N1MzKAuIjYGpIfiluZc+5ickbJACn1ibbkmDx5C4gCDAEcV aflG5D5d0wHpCwzmP1uMoSWiAQuBzYfOhguP44w41b56VHavMqgAIZiA6NLjW3ir OltFkbXMOY/J4K3y6+kytExBdwz7RRa0k6mbJ1nSqDalaL2NSNaBLIoq6Is6VXA/ HoTzkFcjh9Zit+07BxXfGw1THAJCcCKiJryOG5O4nrJiMBqPk9JT8Psp0d76nlcR pnEAiRWZwL9yOm+SlR4swMVrmb05sidTlfaqnrYwTwg00RvXK9VWEmcep59U+8Wi FMnlOBu33QHgteYvnh7RXx8pxH0Ezg3BSArMhKQjMY/ld8CnCGnRlKhQ0a2fHhmp RBonGsSX6fc9tSPJsnj9u6PhqjwvaiM5o0sYB63StncF7KK5SFekz/kNRqL+eWpa ExRz60YB1LTwCTlC/Mq+F5sc9RFjP19b+Hf91S4bkXPT39KjRKJxwwaU5wFpVdBs PoSjlkcW4VT3HTPG1jLNIfGUd6DFsCDb9TVvzOJwKDO5DWV2gGEAfBnkg/E+tj/t eqH7raGvM4iT2Pi/sG1uxuZR3Q4HH6Tv2w18Sz5hkvDv7f+1
=jZN2
-----END PGP PUBLIC KEY BLOCK-----

--------------4Hcc5qDEKFhkrGCavbCDrXKa--

--------------hB2gDK6PUsSMeSC6HMtr60zv--

-----BEGIN PGP SIGNATURE-----

wsF5BAABCAAjFiEE0whj4mAg5UP0cZqDj1PgGTspS3UFAmf8wuIFAwAAAAAACgkQj1PgGTspS3WB zBAApyOdE3Y7u7xElZ523pKZVj/i9mSmnPuWGXI/ueC3vbcslF7SimVJ1AIhRmUZK2hTS56mxpk7 udgfjijUqw3MWfBX9Tea6YzytKyN8+L5y1K7xzg1N7ChKla/1GnWoumPOZPy9LksyYAvKZPd5QwF m2KP97XFZxT+eCuuZ2dcAbWqDmbGJlIvq4V3mxQq4p0ZyOxpHHKYkm2OQs1J/7FazCQXI/4HxLos j7ZhIf6xEpZn9FqP6mQv3iGVFnT4b14k2xpIlg845cg0ayFqPG8pvB6o6fD9LhBGiKbI/xCGaP3X yCWHijjSd2fKYvw+IwijubJ1IwVtgSdUHn8g4Ig51O1002v9+HygNnWloINav/GD1HI3j/1fDh7j +jfzKUznIXy2UgvwY03QxTCTGy6zDMhK5gCMVKS5ASCRxCaSJxz2p8ydgUxujElC34EjXrIRwCBE fsSRWeTwZwwzn3i8RE2H8BwLA+8Soy32h5U6LX3N5J992/PAmZZKE60lTNq2QAkCP9ZDpRyktQ3s 4a7GbC5JM2bkKquoQmbwQsgsQEIOicwIRrRRsrLUrzAeT09ecovohxaZv8YE72o94WZZPKXfRSt8 hIvBKgS9RKYr0BcLkfiU8lr3Opgima/QWiGnoisutlfoNG1uHMGe2m5gG0FLMICbuIgu55Zew/8K oaI=
=h9CF
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel

Russ Allbery wrote:

I think the situation here is this dependency chain:

libcurl-gnutls -> libldap2 -> libssl

(There may be others; I didn't do a thorough check. Does anyone know if there's a tool that will recursively analyze a binary's NEEDED sections
and build a human-readable graph of the library dependencies?)

I see the following with "libtree -vvv" (output trimmed by hand to just
the paths to libcrypto or libssl):

/usr/lib/git-core/git-remote-https
├── libcurl-gnutls.so.4 [ld.so.conf]
│ ├── libldap.so.2 [ld.so.conf]
│ │ ├── libcrypto.so.3 [ld.so.conf]
│ │ ├── libssl.so.3 [ld.so.conf]
│ │ └── libsasl2.so.2 [ld.so.conf]
│ │ ├── libcrypto.so.3 [ld.so.conf]
│ ├── libssh2.so.1 [ld.so.conf]
│ │ ├── libcrypto.so.3 [ld.so.conf]

--
Robert Edmonds
edmonds@debian.org

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel, linux.debian.devel.release

"Chris" == Chris Hofstaedtler <zeha@debian.org> writes:

Chris> brian m. carlson (one of the git upstream copyright holders)
Chris> claims in Bug #1094969 that git cannot be distributed when
Chris> linked with OpenSSL. IIRC the Debian position is to use the
Chris> system library exception.


TL;DR: I think that an individual upstream copyright holder's
interpretation should be given less rather than more weight in
interpreting a license.
I think that Debian should adopt a project-wide interpretation of the
system library exception and apply it inconsistently. Allowing the
exception to be interpreted differently on different packages harms our
users and the free software community.

here is a longer proposal on how I would recommend approaching an issue
like this:

1) Debian maintainers have a lot of flexibility. If the Git maintainers

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel, linux.debian.devel.release

"Chris" == Chris Hofstaedtler <zeha@debian.org> writes:

Chris> brian m. carlson (one of the git upstream copyright holders)
Chris> claims in Bug #1094969 that git cannot be distributed when
Chris> linked with OpenSSL. IIRC the Debian position is to use the
Chris> system library exception.

[This was prematurely sent]

TL;DR: I think that an individual upstream copyright holder's
interpretation should be given less rather than more weight in
interpreting a license.
I think that Debian should adopt a project-wide interpretation of the
system library exception and apply it inconsistently. Allowing the
exception to be interpreted differently on different packages harms our
users and the free software community.

here is a longer proposal on how I would recommend approaching an issue
like this:

1) Debian maintainers have a lot of flexibility. If the Git maintainers
wish to change what they link with, they have that flexibility. I view
this more as "Upstream asked us to ship the software differently and we
decided to disagree." I do not think an NMU has this level of preference.


2) The people involved need to be comfortable with their legal
liability. If Debian were a legal entity this would be easy: we would
ask for legal review and make a decision after receiving it. Such a
decision would typically be made at a fairly high level as to whether a particular issue posed unacceptable legal risk. To the extent that any
party is concerned about their legal liability, please discuss in private--probably by first reaching out to the DPL and asking how to
engage with lawyers. Do not discuss the specifics of the situation
except in private mail (not copying a bug) with the lawyers.

3) Generally, copyright holders trying to interpret a license after the
fact should be given less weight rather than more. After all the
copyright holder could have chosen a different license or published a clarification along with their release. Clearly if it turns out that
the system library exception does apply in this situation, but Git wants
it not to for git-remote-https, then effectly they copyright holders
would be creating a fork of GPL-2 (gpl-2-restrictive-system-library)
that is GPL 2 incompatible.
Allowing copyright holders to do that after the fact--especially when
they selectivly try to enforce that interpretation against some parties
but not others--serves the community poorly.


4) We should interpret the system library exception consistently. If we
believe it allows us to link with openssl, we should stick to that
position.
I think it is cleare that software freedom and our users are served by
letting free software link with Openssl. (I understand some parties
argue that the consequences of interpreting the system library exception
in a manner that permits that linking are worse than the consequences
of avoiding GPL-2 OpenSSL combinations.)
However our position does generally seem to be that we interpret the
system library exception as allowing that linking.
If our interpretation is challenged, we should respond the same way we
would to any other legal challenge to software freedom.
We should seek out people who have aligned interests and try and find
common cause. In this instance I'd definitely suggest the DPL reach out
to Canonical and Redhat.

5) If a license is being interpreted in a manner that discriminates
against Linux distributions--it allows everyone but Linux distributions
to distribute some combination--I think that license discriminates
against a kind of use/field of endeavor. In other words, such a license
would not be DFSG free.

--Sam

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQSj2jRwbAdKzGY/4uAsbEw8qDeGdAUCZ/0/sgAKCRAsbEw8qDeG dFZFAQCTEMBuKj6WjkCiLk3l2nSlnHfVqtu5DG8eR+G5gDIOOQD/Ur0qRVB5C/Ei NJaqxEt6tvNiurhipE/ST0PAJ9ygIgA=
=pLXN
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel

Richard Laager <rlaager@debian.org> writes:

As I have said before: I think that computer programmers have a
tendency to treat licenses as if they are self-executing (and precise
like software).

Agreed, this is often a challenge when technical people discuss legal
matters, and it helps to keep this in mind.

From what I can tell, the legal system does not operate that way, and
actual lawyers make distinctions based on harm/damages or lack
thereof.

My experience with lawyers is that circumstances, expectations and
intentions are more relevant than damages. Damages are more relevant
when assessing compensation, not when deciding who is right.

If someone has a claim to something and reasonable can expect certain
things in a situation, and that is violated, there is a legal case even
if you can make a technical argument that the person is wrong citing
various paragraphs in return. This is often frustrating for technical
people, feeling they are "right" and that circumstances doesn't matter.

I think Debian should take the position that Apache-2.0 and
GPL-2.0-only are compatible in practice.

I don't think that is a good position to be in. I believe it would be
better to work with rights holders to work out problems rather than to
ignore requests and throw legal arguments at them.

/Simon

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmf93QAUHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFopB0AP0Zoc1SI8Xw 8riIcX33lDVZ/rbiGBst4uI4FhUrNLjtAwEA1iSfJQm2XPltGT5VbuUj0GktDqr3 G7E6C399CoUE0Qg=
=CkwG
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel

Hi,

On Mon, 2025-04-14 at 16:18 -0500, Richard Laager wrote:

On 2025-04-14 11:10, Russ Allbery wrote:

I do find it fairly hard to understand the logic behind a position that somehow our git-remote-https binary as distributed is a derived work of OpenSSL and thus violates the GPLv2 license based on the nature of this specific dependency chain, but then I was always dubious of the legal merits of FSF's extremely aggressive and maximalist position on the definition of derived works in the context of the GPLv2 license.

[...]

Now that OpenSSL is licensed under Apache-2.0, everyone agrees that
GPL-3.0 and Apache-2.0 are compatible. As a result, anything that is GPL-3.0-only or GPL-3.0-and-later or GPL-2.0-or-later (or
GPL-1.0-or-later) is fine. That probably covers most things.

The remaining problem space is thus GPL-2.0-only, which is at issue
here. The question is, are GPL-2.0-only and Apache-2.0 compatible? The
FSF says no. As far as I can tell, the Apache Software Foundation
doesn't necessarily agree with the FSF about this incompatibility, but respects their position on the issue. [1]

No, that is not the core problem. Debian, like most other binary
distributions, heavily relies on the system library exception in many,
many places. OpenSSL is just one instance, but there is also, for
example, libstdc++ which are not available under GPL-2-compatible
terms.

Note that GPL-2 says the following:

+---
| For an executable work, complete source
| code means all the source code for all modules it contains, plus any
| associated interface definition files, plus the scripts used to
| control compilation and installation of the executable.
+---

Now parts of build scripts of packages that curl depends on are GPL-3- or-later, for example:

- libnghttp2-14: m4/ax_python_devel.m4
- libnghttp3-9: config.guess, config.sub
- libc6: scripts/config.guess, scripts/config.sub
- curl itself: config.guess, config.sub

So these libraries cannot be distributed under GPL-2 unless someone
changes the build system. (Note that common exceptions only apply for proprietary licenses, but don't allow to fulfill the GPL-2
requirements.)

(As an observation: GnuTLS is also not distributable under GPL-2-
compatible terms as "[...], build system, [...] are licenced under the
GNU General Public License version 3+". So using it instead of OpenSSL
would not work either.)

Header files, linker scripts, ... from GCC might also fall under this
if the exception for compilers is not valid. Arguably GNU make too as
it "control[s] compilation and installation of the executable". So Git
would need to use a different compiler and make implementation. One can continue with the rest of the operating system like shells.

All distributions thus rely on the system library exception to be able
to distribute most GPL-2-only[1] or GPL-3-only[2] code at all...

As Git doesn't seem any different, I think we should close this bug.

If we think the system library exception is not valid, then we probably
have to remove lots of software and switch core libraries (e.g., use
clang, libc++ instead of gcc).

Ansgar

[1]: Even ignoring fun things like build scripts due to libstdc++ and
similar.
[2]: GPL-3 has the same problems, just in the other direction. Consider
for example /usr/include/linux/*.h which gets indirectly included in
many places.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel

On 2025-04-15 at 05:58:42, Ansgar 🙀 wrote:

Hi,

Hi,

As Git doesn't seem any different, I think we should close this bug.

I agree with you that we should close the bug, which I did a few minutes
ago. I provided slightly different reasons in the close message, but I
agree this would cause a lot of problems which we'd want to avoid and
it's not in the interests of the project to pursue it further.

My apologies for the needless controversy.
--
brian m. carlson (they/them)
Toronto, Ontario, CA

-----BEGIN PGP SIGNATURE-----

wr0EABYKAG8Fgmf+XooJEHwMSWKIh6KBRxQAAAAAAB4AIHNhbHRAbm90YXRpb25z LnNlcXVvaWEtcGdwLm9yZ+d8/Vkq5WIHvn8UEwk1yi8O8lkwTDoaFEg+qSKUOmJx FiEECCzmip28ZfuD0cORfAxJYoiHooEAAOBSAP47/m4DgZuiRslChr4km+Je3Kjs 5tpfAJHAdhHf7WbtAgD+IgT75XZkU8/G7fFk+xr7ttqUDk2m2CROJEHcQTwPlQU=
=s79i
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

XPost: linux.debian.devel

Ansgar 🙀 <ansgar@debian.org> writes:

No, that is not the core problem. Debian, like most other binary distributions, heavily relies on the system library exception in many,
many places.

I believe that is a fairly new (~5 years?) approach within Debian.
Debian used to treat OpenSSL incompatible with GPLv2 and that all code
that link to OpenSSL has to have a GPL+OpenSSL exception. Does anyone
recall how and when this decision was made?

Licensing wrt to libcurl and OpenSSL has been discussed before:

https://lists.debian.org/debian-legal/2004/08/msg00221.html

/Simon

--=-=-Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQNoBAEWCAMQFiEEo8ychwudMQq61M8vUXIrCP5HRaIFAmf+YV4UHHNpbW9uQGpv c2Vmc3Nvbi5vcmfCHCYAmDMEXJLOtBYJKwYBBAHaRw8BAQdACIcrZIvhrxDBkK9f V+QlTmXxo2naObDuGtw58YaxlOu0JVNpbW9uIEpvc2Vmc3NvbiA8c2ltb25Aam9z ZWZzc29uLm9yZz6IlgQTFggAPgIbAwULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgBYh BLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XQkBQkNZGbwAAoJENc89jjFPAa+BtIA /iR73CfBurG9y8pASh3cbGOMHpDZfMAtosu6jbpO69GHAP4p7l57d+iVty2VQMsx +3TCSAvZkpr4P/FuTzZ8JZe8BrgzBFySz4EWCSsGAQQB2kcPAQEHQOxTCIOaeXAx I2hIX4HK9bQTpNVei708oNr1Klm8qCGKiPUEGBYIACYCGwIWIQSx0r0Tdb7LeEz0 +MTXPPY4xTwGvgUCZ9F0SgUJDWRmSQCBdiAEGRYIAB0WIQSjzJyHC50xCrrUzy9R cisI/kdFogUCXJLPgQAKCRBRcisI/kdFoqdMAQCgH45aseZgIrwKOvUOA9QfsmeE 8GZHYNuFHmM9FEQS6AD6A4x5aYvoY6lo98pgtw2HPDhmcCXFItjXCrV4A0GmJA4J ENc89jjFPAa+wUUBAO64fbZek6FPlRK0DrlWsrjCXuLi6PUxyzCAY6lG2nhUAQC6 qobB9mkZlZ0qihy1x4JRtflqFcqqT9n7iUZkCDIiDbg4BFySz2oSCisGAQQBl1UB BQEBB0AxlRumDW6nZY7A+VCfek9VpEx6PJmdJyYPt3lNHMd6HAMBCAeIfgQYFggA JgIbDBYhBLHSvRN1vst4TPT4xNc89jjFPAa+BQJn0XTSBQkNZGboAAoJENc89jjF PAa+0M0BAPPRq73kLnHYNDMniVBOzUdi2XeF32idjEWWfjvyIJUOAP4wZ+ALxIeh is3Uw2BzGZE6ttXQ2Q+DeCJO3TPpIqaXDAAKCRBRcisI/kdFourIAQCeutbjV7nU q5wnMUP0Gj6AZBc7UPXTrmn/gPpXVkFsKwD+N6P6JkYh9ezqGe9WUIXzyn7QegiY tRyZQwPJ006EpQ8=OWK4
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)