John Richard Moser
nigelenki at comcast.net
Sat Nov 3 01:25:25 UTC 2007
Hello. I blogged this one so you can pick up the gist of it below.
Otherwise skip the link, read the e-mail.
The long and short of this is that mod_security has a license conflict
with Apache in that the source is all GPL, but when compiled against
Apache license (APL) headers it becomes a derivative work of Apache
licensed sources (APL headers + GPL source files => compiler => output).
Problem is you can't distribute the output of the GPL source under APL;
you can't distribute the output of the APL source under GPL. A more
farther reaching problem is that some other modules (I've seen mod_ssl
pointed out) link with GPL code or contain GPL code and reach the same
conflict (but nobody cares), at least according to comments on Lauchpad
What we have for options as a whole comes down to two things:
- Convince the Apache developers to relicense the Apache headers
related to module API to MIT*, so that anyone can distribute any
Apache module under any license in source or binary form.
- Use the known Apache module API to re-write the Apache headers from
scratch under MIT license,
In either case, closed source modules also become possible. Anyone
closing a GPL'd or APL'd module (mainly my concern is Breach closing
mod_security) might cause an XFree86/Xorg style fiasco, where someone
just picks off the latest dev sources and picks the project up full open
source; then again maybe nobody cares except a few people that can't do
so (remember, Xorg is half of XFree86's team, the talent and time were
In the case of mod_security, Breach intentionally created the conflict
itself for undisclosed business reasons; cleaning this up will irritate
Breach Security. In the case of Apache Software Foundation, relicensing
the headers may not align to their philosophical view of how Apache
modules should be licensed; releasing an Apache header rewrite to
circumvent their strategic licensing will irritate them as well.
mod_security is extremely useful. Ideally one of a number of things
* The license issue gets solved and Breach takes it as it comes,
continuing their support business model. If the end user can't
compile from source he can't configure mod_security; I want it
PACKAGED so I don't have to manually track SECURITY FIXES. I have no
qualms with Breach themselves and actually this is probably the best
* Licensing issue does get solved, but Breach freaks out and retaliates
via closing the mod_security source. Someone snatches up the latest
development branch, and the Apache Software Foundation continues
developing their fork as an official Apache subproject. Breach sees
the error in judgment and winds up supporting the official Apache
distributable as it branches farther away from theirs, and eventually
supplies developers and code to re-merge with the new project.
* License issue does not get solved, and the Apache foundation creates
a competing module to distribute with Apache HTTP Server's core
distribution. (I'm tempted, worst case scenario)
Of course we don't live in an ideal world so a lot of stuff that would
be great probably won't happen. Still, I'm putting the idea out there
*BSD sits on unstable legal grounds as per random analysis brought up by
people who seem to have just figured this out for themselves from time
to time. MIT does the same thing people like to think BSD does; I like
to avoid the whole dispute by just saying MIT.
Bring back the Firefox plushy!
More information about the Ubuntu-devel-discuss