[cas-dev] Licenses incompatibilities betw mod_auth_cas and OpenSSL ?

Sun Aug 10 11:20:38 EDT 2008

Hi,
I spoke with Matt and we are happy to include this OpenSSL provision
in the mean time, but our long term plans for mod_auth_cas include
using libcurl to do the ticket validation.  This will remove OpenSSL
code from mod_auth_cas itself.  In the case of Debian, there exist two
libcurl variants (libcurl-openssl and libcurl-gnutls).  My assumption
is that the interface to libcurl is the same for each variant, but the
SSL provider behind the curtain changes.  Would such a provision still
need to be included?  The libcurl license seems to be very permissive,
so it is safely linked with OpenSSL, but I don't know if mod_auth_cas
would still need the exception (transitive licensing?)

In any case, the exception will formally appear in the next release
when some fixes to some open JIRA issues are merged with the code
base.

-Phil

On Fri, Aug 8, 2008 at 7:57 AM, Olivier Berger
<olivier.berger at it-sudparis.eu> wrote:
> Le jeudi 07 août 2008 à 20:57 +0200, Michele Baldessari a écrit :
>> Hi Matt et all,
>>
>> On Thu, 2008-08-07 at 16:24 +0200, Olivier Berger wrote:
>> > Le jeudi 07 août 2008 à 07:10 -0700, Patrick Berry a écrit :
>> > > Debian includes openssl in utils.  I'm not familiar with the conflict
>> > > between GPL and OpenSSL, but it they include it, I'm thinking it would
>> > > be okay to link against it.
>> > >
>> >
>> > The problem is not to link against it in general, but to link a *GPL
>> > program* against it.
>> >
>> > That's the case for mod-auth_cas, which is GPL V3.
>> >
>> > More details about the incompatibilities here :
>> > http://www.gnome.org/~markmc/openssl-and-the-gpl.html
>> >
>> > So yes, openssl is in Debian, so one may build mod-auth_cas on his/her
>> > machine, but redistribution of a package may not be possible by
>> > Debian :(
>>
>> in order to redistribute a binary GPL package which links to OpenSSL you
>> have to add an exemption like the following [1]:
>
> SNIP
>
>> This unless you're willing (and have the right) to switch to a license
>> that isn't conflicting with OpenSSL's.
>>
>> hth,
>> Michele
>>
>
> Another alternative may be to link against an OpenSSL-like lib under a
> GPL-compatible license, like GNU-TLS
> (http://www.gnu.org/software/gnutls/). There should be some
> compatibility layer I guess :
> http://www.gnu.org/software/gnutls/manual/html_node/Compatibility-with-the-OpenSSL-library.html
>
> My 2 cents,
> --
> Olivier BERGER <olivier.berger at it-sudparis.eu>
> http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
> Ingénieur Recherche - Dept INF
> Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
>
> _______________________________________________
> cas-dev mailing list
> cas-dev at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas-dev
>