Re: TODO: GNU TLS

From: Martijn van Oosterhout <kleptog(at)svana(dot)org>
To: Markus Schiltknecht <markus(at)bluegap(dot)ch>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: TODO: GNU TLS
Date: 2006-12-31 14:59:29
Message-ID: 20061231145928.GB6777@svana.org
Lists: pgsql-hackers

On Sun, Dec 31, 2006 at 03:25:42PM +0100, Markus Schiltknecht wrote:
> b) The other features of Martijn's patch got completely overseen. Can we
> (can you Martijn?) break up the patch into smaller pieces and discuss
> single independent features, like querying for parameters of the SSL
> connection?

If I got a single ounce of feedback on them, sure. The only responses
have involved the licence so far. I won't deny some of the other
features were also controversial.

> In case of the advertising clause, which is very strong, IMO, I think
> most authors didn't want to be as strict as they made it sound in the
> license. Or did any of the OpenSSL or libjpeg projects ever try to sue
> somebody for not having mentioned them in their advertising materials?

Please read the OpenSSL-GPL FAQ. They themselves acknowledge it's a
problem, but claim they fall under the "operating system exception",
which is fine for everyone except the distributor of the operating
system.

http://www.openssl.org/support/faq.html#LEGAL2

They recommend that if you want to use OpenSSL, use a licence other
than the GPL.

Wikipedia also has more information about this.

http://en.wikipedia.org/wiki/OpenSSL

> You can ask the authors how they really meant it, probably they will
> change the wording or even remove the advertising clause entirely. Or
> probably they officially state how they meant their advertising clause
> to be interpreted. (I'm not aware of the OpenSSL project doing so. While
> the FSF states quite clearly that they don't consider such a restriction
> to be respectful to their GPL.)

The original authors have been asked and apparently can't be found or
don't care. I strongly suggest you read the openssl archives before
opening this can of worms. Note the authors involved are no longer part
of OpenSSL, they have another SSL library, so they're probably not
inclined to be nice.

> Following that 'better-safe-than-sorry' philosophy, one could ask if
> PostgreSQL shouldn't better include the acknowledgements of OpenSSL (and
> MIT Kerberos) in all of their advertising materials...

AIUI all compiled distributions of postgresql using openssl do actually
include such. For example the Windows Installer.

> I fully understand and support Debian's point of view and I'd wish more
> people would follow that spirit. We'd have much less cases to fight for
> in court and generally live in a better world (TM).

We're in the bizarre situation where both Debian and the OpenSSL groups
believe it is a problem, and postgresql does not. Quite odd.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.
