[cas-dev] Licenses incompatibilities betw mod_auth_cas and OpenSSL ?
Olivier Berger
olivier.berger at it-sudparis.eu
Mon Aug 11 05:26:16 EDT 2008
Le dimanche 10 août 2008 à 11:20 -0400, Phil Ames a écrit :
> Hi,
> I spoke with Matt and we are happy to include this OpenSSL provision in the mean time,
Excellent.
> but our long term plans for mod_auth_cas include
> using libcurl to do the ticket validation. This will remove OpenSSL
> code from mod_auth_cas itself.
That should simplify things from your standpoint for maintaining
mod_auth_cas.
I guess there are no other SSL libs/APIs in the apache framework to do
SSL certs verification, SSL communication, and the likes, which could be
used instead of adding another lib like libcurl ?
Now, about libcurl + openssl :
I've found the following document to explain the issues around SSL and
libcurl quite well (although it may be slightly outdated) :
http://curl.haxx.se/legal/distro-dilemma.html
So that move to libcurl may not change the licensing incompatibility
issue if linked with libcurl-openssl ;-)
> In the case of Debian, there exist two
> libcurl variants (libcurl-openssl and libcurl-gnutls). My assumption
> is that the interface to libcurl is the same for each variant, but the
> SSL provider behind the curtain changes.
I think I remmeber the ABI is not the same though.
> Would such a provision still
> need to be included? The libcurl license seems to be very permissive,
> so it is safely linked with OpenSSL,
Yes, but linking a GPL app to a libcurl (MIT : GPL compatible) compiled
to be linked with OpenSSL (OpenSSL : GPL incompatible) renders the whole
invalid : license compatibility is transitive.
> but I don't know if mod_auth_cas
> would still need the exception (transitive licensing?)
>
If it works allright with libcurl compiled --with-gnutls
--without-openssl (i.e. Debian's libcurl-gnutls) then everything is safe
and you don't require any exception clause to your copyright notice, I
guess.
> In any case, the exception will formally appear in the next release
> when some fixes to some open JIRA issues are merged with the code
> base.
>
OK, so I assume we (see :
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=470365 and expect a
Debian ITP soon) can prepare Debian packaging and have a valid path
forward : excellent.
> -Phil
>
Best regards,
--
Olivier BERGER <olivier.berger at it-sudparis.eu>
http://www-public.it-sudparis.eu/~berger_o/ - OpenPGP-Id: 1024D/6B829EEC
Ingénieur Recherche - Dept INF
Institut TELECOM, SudParis (http://www.it-sudparis.eu/), Evry (France)
More information about the cas-dev
mailing list