open-iscsi new merge and licensing: OpenSSL + SHA3-256 , SHA256 , SHA1

Rafael David Tinoco rafaeldtinoco at
Sun May 17 04:43:59 UTC 2020

Hello list,

I have been working in merging open-iscsi package:

with open-iscsi project upstream:

and also cleaning up the open-iscsi package a bit (thus will have to
give special attention to hooks and debian-installer to check if there
are no regressions).

But this is no the important part, apart from the FYIO so far, the
important part is that Debian maintainer, when running lintian, has
found the OpenSSL being linked to GPL code:

Turns out upstream developers are using OpenSSL for the new CHAP
authentication mechanisms. There is no support for gnu-tls nor libnss so

With all that said, I would like to know IF adding the OpenSSL
disclaimer + GPL w/ OpenSSL disclaimer in the upstream license would be
"good enough" for Ubuntu to allow the features, like stated here:

Hi @rickysarraf -- I disagree that this dependency was created with
recent changes -- open-iscsi depended on openssl before that, if I
understand correctly. The change you reference just required a newer
version of SSL. @cleech , please correct me if I'm wrong.

I know virtually nothing about this code, since Chris made these
changes. After looking at this reference I found, I believe adding a
disclaimer to our license might be a good enough work around. I also
have no objections to changing to a different encryption package, though
openssl does seem to be the best.

I'm personally not worried about this. I think people have better things
to do than to rip off open-iscsi/openssl code. But I'm also not a lawyer.

and defended here:

I know Fedora has taken the position that OpenSSL is a system library as
defined by the GPL, which is probably why I didn't run into issues with
license check tools when I added the OpenSSL code.

I'd consider a patch to disable OpenSSL use, but our build isn't in the
best shape for those types of options right now. I'd be happier to add
an OpenSSL exemption if there was a standard form that would keep other
distros happy.

INDEPENDENTLY of this discussion, I have already prepared a patch
removing the openssl need and restoring MD5 only behavior, but keeping
the new authentication logic, here:

It is very likely that I'll have to use this for Debian package, but I
was wondering if we should consider restoring OpenSSL linking and
features for Ubuntu.

I'm really not a licensing person, so for me this is a ok-ok situation,
no matter the decision. Could someone help me taking that decision ?

Thanks for reading so far.



More information about the ubuntu-server mailing list