libgit2 switch from mbedTLS to OpenSSL

Steve Langasek steve.langasek at ubuntu.com
Fri Jul 1 19:22:29 UTC 2022


On Thu, Jun 30, 2022 at 04:48:43AM -0700, Simon Chopin wrote:
> Quoting Heinrich Schuchardt (2022-06-29 12:56:57)
> > On 6/29/22 10:33, Simon Chopin wrote:
> > > As part of our efforts to support the Rust toolchain in main, we need to
> > > have libgit2 in main (dependency of cargo). However, it currently links
> > > against mbedTLS for its HTTPS backend rather than OpenSSL, for licensing
> > > reasons IIUC. Those reasons would now be invalid with the new OpenSSL
> > > 3.0 licensing.

> > > I'd like to switch it back to OpenSSL to avoid pulling yet another TLS
> > > implementation in main, however I'm a bit fuzzy whether this would
> > > constitute a breaking change for the libgit2 package. The libgit2
> > > library does not expose anything from its crypto implem as part of its
> > > API, nor does it re-export any of their symbols (assuming I understand
> > > the output of readelf -s correctly).

> > > Could someone confirm that this does not represent a breaking change?

> > Libgit2 is licensed under GPLv2 which is incompatible with the Apache v2
> > license of OpenSSL 3.0 (see
> > https://www.gnu.org/licenses/license-list.html.en).

> > But a "Linking Exception" is present in the COPYRIGHT file of libgit2.
> > Please, recheck if that exception is enough for your use case.

> Looking closer at the linking exception, I think we're good since it is
> rather broad.

In addition, please see
https://lists.ubuntu.com/archives/technical-board/2021-October/002587.html
where I lay out a different case for why GPLv2 code linking to OpenSSL 3
(and Apache 2.0-licensed code in general) in Ubuntu is acceptable.

We are not blocking GPLv2 packages from linking to libssl3 in Ubuntu.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org