mod_security stuff

John Richard Moser nigelenki at comcast.net
Sat Nov 3 01:25:25 UTC 2007


Hello.  I blogged this one so you can pick up the gist of it below. 
Otherwise skip the link, read the e-mail.

http://blackfiber.wordpress.com/2007/11/02/cant-redistribute-mod_security-binaries/

The long and short of this is that mod_security has a license conflict 
with Apache in that the source is all GPL, but when compiled against 
Apache license (APL) headers it becomes a derivative work of Apache 
licensed sources (APL headers + GPL source files => compiler => output).

Problem is you can't distribute the output of the GPL source under APL; 
you can't distribute the output of the APL source under GPL.  A more 
far-reaching problem is that some other modules (I've seen mod_ssl 
pointed out) link with GPL code or contain GPL code and reach the same 
conflict (but nobody cares), at least according to comments on Launchpad 
bug #19832.

What we have for options as a whole comes down to two things:

  - Convince the Apache developers to relicense the Apache headers
    related to module API to MIT*, so that anyone can distribute any
    Apache module under any license in source or binary form.

  - Use the known Apache module API to re-write the Apache headers from
    scratch under MIT license.

In either case, closed source modules also become possible.  Anyone 
closing a GPL'd or APL'd module (mainly my concern is Breach closing 
mod_security) might cause an XFree86/Xorg style fiasco, where someone 
just picks off the latest dev sources and picks the project up full open 
source; then again maybe nobody cares except a few people that can't do 
so (remember, Xorg is half of XFree86's team, the talent and time were 
there already).

In the case of mod_security, Breach intentionally created the conflict 
itself for undisclosed business reasons; cleaning this up will irritate 
Breach Security.  In the case of the Apache Software Foundation, relicensing 
the headers may not align with their philosophical view of how Apache 
modules should be licensed; releasing an Apache header rewrite to 
circumvent their strategic licensing will irritate them as well.

mod_security is extremely useful.  Ideally one of a number of things 
happens:

  * The license issue gets solved and Breach takes it as it comes,
    continuing their support business model.  If the end user can't
    compile from source he can't configure mod_security; I want it
    PACKAGED so I don't have to manually track SECURITY FIXES.  I have no
    qualms with Breach themselves and actually this is probably the best
    scenario.

  * Licensing issue does get solved, but Breach freaks out and retaliates
    via closing the mod_security source.  Someone snatches up the latest
    development branch, and the Apache Software Foundation continues
    developing their fork as an official Apache subproject.  Breach sees
    the error in judgment and winds up supporting the official Apache
    distributable as it branches farther away from theirs, and eventually
    supplies developers and code to re-merge with the new project.

  * License issue does not get solved, and the Apache foundation creates
    a competing module to distribute with Apache HTTP Server's core
    distribution.  (I'm tempted, worst case scenario)

Of course we don't live in an ideal world so a lot of stuff that would 
be great probably won't happen.  Still, I'm putting the idea out there 
for comment.


*BSD sits on unstable legal grounds as per random analysis brought up by 
people who seem to have just figured this out for themselves from time 
to time.  MIT does the same thing people like to think BSD does; I like 
to avoid the whole dispute by just saying MIT.

-- 
Bring back the Firefox plushy!
http://digg.com/linux_unix/Is_the_Firefox_plush_gone_for_good
https://bugzilla.mozilla.org/show_bug.cgi?id=322367
