OpenSSL license exception in Debian

Steve Langasek steve.langasek at ubuntu.com
Wed Oct 20 19:01:08 UTC 2021


Hi Bastian,

On Wed, Oct 20, 2021 at 02:38:51PM +0200, Bastian Germann wrote:
> https://help.ubuntu.com/community/OpenSSL links to your decision in 2013
> that you expect GPL packages which depend on OpenSSL to have a license
> exception.

> Debian FTP Master did not really announce it, but they have reconsidered
> this and now consider OpenSSL a system library and do not require an
> explicit OpenSSL license exception in GPL packages anymore; see
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972181#20

> I want to inform you about that because many packages have switched on
> OpenSSL after that decision and are not patched in Ubuntu to get rid of
> OpenSSL. One example is my package mtd-utils (1:2.1.2-2 and later) in
> hirsute and later Ubuntu releases.

> So maybe you want to reconsider your position on this matter or take
> action on some packages.

Thank you for the note.

Responding with some combination of TB member and Ubuntu Archive hats (where
the Ubuntu Archive team carries the day-to-day responsibility for ensuring
the packages in the Ubuntu archive are legally distributable):

I have always considered the argument that OpenSSL is a system library to be
legally specious.  GPLv2 contains language explicitly intended to preclude
this exception being used when the GPL software is bundled with an OS, and
historically, proprietary Unix vendors explicitly handled this by shipping
any GPL binaries they provided separate from their OS.

It is clear that several Linux distribution vendors have taken the legal
position that they can consider OpenSSL a "system library" under GPLv2, even
when the GPL software is being bundled as part of the OS.  This may or may
not be based on legal advice they received from their legal counsel, but in
any case, their legal counsel is not Canonical's legal counsel.  And, even
if we had legal advice that it was ok (where "ok" in legal terms == "we
probably won't lose a lawsuit"), as good members of the Free Software
community, we should also care about upstream's intent with respect to their
license, not just whether they will succeed in suing us.  While there are
some copyright holders who are clearly fine with their code being
distributed this way, it doesn't follow from a "plaintext" reading of the
GPL, it's not a universally held position, and we should not assume that
upstreams are ok with it.

Nevertheless, while I disagree with Debian's conclusion, we are not in a
position to be able to detect these potential license incompatibilities on
import from Debian; Ubuntu has always treated Debian as implicitly trusted,
and filtering imports based on a disagreement with Debian would require a
good deal of work that has not been done.

The good news is that we are switching to OpenSSL 3 in jammy, which has been
relicensed upstream and is undisputedly compatible with GPLv3 (and with
GPLv2+, which covers a lot of software, including mtd-utils).

For GPLv2, the question is open.  The FSF asserts that the Apache 2.0
license is not compatible with GPLv2, but their reasoning is grounded in
provisions of Apache 2.0 that are outside the scope of copyright law and do
not place any restrictions on exercising the rights extended by GPLv2
<https://www.gnu.org/licenses/license-list.en.html#apache2> and therefore I
think it's questionable whether this is an incompatibility.  (I'm not
willing at this point to make a definitive statement that I think it IS
compatible; I believe this should only happen in consultation with
Canonical's legal counsel.)

So the last release impacted by this is impish, which will cease to be a
supported release in 9 months no matter what - and if an upstream informed
us that our binaries were violations of their license (which would then also
be the case for Debian, Fedora, and others), we would have a path for
addressing this and ceasing the distribution of those binaries in a
reasonable timeframe.

So while I'm not happy that we are shipping binaries that we don't know we
have permission to ship, we're no worse off than other distributions in
terms of either legal exposure or respecting the wishes of upstreams; we
have a way of handling any cases where an upstream informs us that this is
definitively contrary to their wishes; and the problem as a whole goes away
in 9 months (modulo the outstanding GPLv2 question).

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org