openssl as a system library

Dave Walker davewalker at ubuntu.com
Wed May 1 10:25:17 UTC 2013


Hi,

I would like openssl to be considered a system library in Ubuntu.  As
a developer, it seems very clear to me that it is essentially treated
as such with its penetration in packages probably as common as other
shared libraries.

I would suggest that an openssl derived libssl.so being included in
the default Launchpad buildd chroots substantiates this, along with
other core libraries.  In addition, I do not believe any Ubuntu media
avoids installing openssl by default.

One of the common bug and feature requests we get is for squid to support
SSL[0][1].  We know that a significant volume of openssl users take
the source package and make minimal modifications to rebuild it
locally, with openssl support.  Judging from the bug reports, this
also seems to affect ubuntu.com’s services that use SSL (i.e., the
Ubuntu packages are not even fit for Ubuntu infrastructure).

I believe this to be both a usability and potentially more
importantly, a security issue as a large volume of users are being
compelled to use custom packages that do not benefit from the Main
archive security support they normally would.

An upstream exception has been sought, but due to lack of centralised
copyright handling - it has not been viable to get all the copyright
holders in agreement.

Additionally, work to support gnutls could also be invested - This is
making some progress, but has been slow.  As Ubuntu’s primary
intention is to be a distribution, we have not been able to justify
resources to work on this.

We are now seeing a similar issue with mongodb, and would ask for
clarification that openssl is considered a “system library”, and
therefore allow openssl support by default, in packages that can make
use of it.  This would seem to be in the best interest of users.

This being said, as good Free Software advocates - I would like to
stipulate that every effort should be made to draw upstream copyright
holders to granting an OpenSSL exception, and this is a pragmatic
direction, whilst being faithful to Ubuntu’s free software
commitments.

I would like to draw contrast with other Linux distributions that
consider such matters.  One such distribution is Fedora, where they seem to
specifically outline that they consider openssl to be a system
library[2].

[0] https://bugs.launchpad.net/ubuntu/+source/squid/+bug/16669
[1] https://bugs.launchpad.net/ubuntu/+source/squid3/+bug/1088971
[2] https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F

Thanks.

-- 
Kind Regards,

Dave Walker <Dave.Walker at canonical.com>
Engineering Manager,
Ubuntu Server


