Re: TODO: GNU TLS

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: August Zajonc <augustz(at)augustz(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: TODO: GNU TLS
Date: 2006-12-29 18:33:03
Message-ID: 20061229183303.GE24675@kenobi.snowman.net
Lists: pgsql-hackers

* August Zajonc (augustz(at)augustz(dot)com) wrote:
> On 12/29/06, Stephen Frost wrote:
> > In the case above, exim4 *can* provide an exception because it's the
> > *GPL* of *exim4* which is being violated by the advertising clause in
> > the *OpenSSL* license. Which exim4 upstream has *done*, and which can
> > be seen in their license (linked to previously in this thread).
>
> My question is who is going to sue whom? And if so would they win? And if
> they win, will they win a crippling amount?
>
> Will the folks at exim sue? Not likely, they make free software that is
> DESIGNED to work with OpenSSL.

I don't see that anyone is all that terribly *likely* to sue. Even so,
it's best to follow the licenses under which we receive the rights to
distribute the software as best we can. I can't say if they chose to
sue if they'd win or not, I'd tend to doubt it based on such claims as
those you describe but that doesn't mean I'm really all that anxious to
actually find out for sure.

> "Exim can be built to support encrypted SMTP connections... Before you can do
> this, you must install the OpenSSL library, which Exim uses for this purpose."
>
> Will they win if they sue? Not likely, there are probably lots of long legal
> terms (like laches, estoppel) that can be used in a defense. You can't go and
> build software specifically designed to use something, and over the course of
> years dupe people into using it only to go, ta-da, busted for "additional GPL
> restrictions".

No, Exim may have been a poor choice as an example, there's other GPL
software which doesn't use OpenSSL directly but which does link against
libpq. Even so though, our goal is to follow the licenses as best we
can, not try to justify not following our understanding of the license
based on the likelihood of a successful suit.

> And even if you succeed in this, you're not going to win big bucks. Perhaps
> you can simply prevent people from using your software. Given that using your
> software in the form you distribute it requires openssl, and you've sued
> people for using openssl with it, it's likely *no one* is going to use your
> software. And if you continue to dupe people into using your software and then
> suing them, you'd run some legal risks yourself.

Unfortunately, for many of us, just having to deal with a court at all
implies a 'big bucks' cost.

> I mean, the theory of this legal case that debian people build seems terrible
> to me!
>
> Any case with this many highly unlikely AND clauses and such horrible outcomes
> for everyone seems unlikely to happen AND be won AND result in significant harm.
>
> If you don't like the advertising clause of openssl that is fine, avoid using
> software that uses it etc etc. But I think the debian hype of various forms of
> legal jeopardy goes a bit far, and does smell a bit FUDish.

It'd only be jeopardy for Debian in any case... We'd just like to avoid
the possibility by following the licenses as best we understand them.
As for my personal feeling on the advertising clause, I'm not really a
fan of it but at the same time it doesn't bother me all that much. We
haven't got any choice if we want to use PostgreSQL w/ SSL though, do we?

> Fun to follow though. And if there is a nice implementation of GNUTLS that
> succeeds on the technical merits, no objection there either.

As I posted about elsewhere, there are features in GNUTLS which aren't
in OpenSSL, and vice-versa, along with claims of speed improvements from
one over the other depending on platform. Also as mentioned last time
this was brought up, GNUTLS is being used in quite a few different areas
of Debian and has proven to work quite reasonably.
(http://www.webservertalk.com/archive307-2006-4-1456230.html)

Thanks,

Stephen
