[sr-dev] Conflict between libcurl4-gnutls-dev and libcurl4-openssl-dev (Debian)

Tue Jun 23 15:40:37 CEST 2009

On 23-06 14:54, Iñaki Baz Castillo wrote:
> 2009/6/23 Iñaki Baz Castillo <ibc at aliax.net>:
> > If Debian wants to provide official SR packages, them they could
> > choose to use the GnuTLs version instead (by creating their own
> > "control" file).
> 
> ops, my mistake. The *already* compiled DEB packages don't require de
> -dev packages, of course, but just the runtime libraries (libcurl3 or
> libcurl3-gnutls).
> 
> Some questions:
> 
> - If the deb package is compiled with libcurl4-openssl-dev, could the
> deb package itself require libcurl3-gnutls instead of libcurl3? Would
> it work?

No, the binary package will depend on libcurl3-gnutls and libgnutls.

> - If there any licence issue if a DEB package requires libcurl3 (OpenSSL)?

The OpenSSL license contains a clause which, according to the FSF, is
incompatible with GPL. (The clause requires certain text to be present in all
material). Thus GPL software, such as SER/Kamailio/sip-router, build with
openssl is not GPL compatible anymore.

The solution suggested by the OpenSSL project is to add an exception to the
license which explicitly permits to use the sofware with OpenSSL. This kind of
change needs to be approved by all (c) holders. In our case we would need to
get the approval from *all* contributors to both projects, which is probably
not feasible. IANAL but this applies to the whole source tree, not just
selected modules that use openssl.

To me this looks like a catch-22 situation more than a real licensing
issue. The OpenSSL license requires that extra acknowledgement in all
documents and according to FSF this make the license more restrictive than
GPL itself.

So, a .deb package of ser/kamailio/sr build with OpenSSL is not GPL compatible
anymore and this violates the license of the project if such package is
distributed.

I seriously doubt that we could find a single (c)-owner in both projects who
would be opposed to adding the exception to the license, so in my opinion the
problem is purely procedural--it is difficult to make a list of all
contributors and approach them individually.

> - If there any licence issue if an *official* DEB package is compiled
> with libcurl4-openssl-dev instead of libcurl4-gnutls-dev?

Opinions differ on this, but Debian people think so. By distributing binary
packages of GPL software linked with openssl (and without the exception in the
license) they are afraid that they would violate the terms of GPL. Debian
probably wants to stay on the safe side, which is understandable given the
sheer volume of software they distribute.

  Jan.

PS: IANAL so do not trust a single word I just wrote.