Re: TODO: GNU TLS

Hello,

What is the consideration here? I read the thread and it appears that
OpenSSL is not compatible with GPL? But we don't care about that right?
The OpenSSL looks pretty BSDish to me, expect the advertising clause (is
that what caused XFree86.org to fork?).

Sincerely,

Joshua D. Drake

--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> What is the consideration here? I read the thread and it appears that
> OpenSSL is not compatible with GPL? But we don't care about that right?
> The OpenSSL looks pretty BSDish to me, expect the advertising clause (is
> that what caused XFree86.org to fork?).

OpenSSL isn't compatible with the GPL. We do care because GPL
applications link against libpq and therefore can end up linking against
OpenSSL. I don't believe it was the OpenSSL advertising clause that
caused the XFree86.org fork. My vaugue recollection is that XFree86
changed their license to include something like an advertising clause
and that's what cause the split.

Thanks,

Stephen

Joshua D. Drake wrote:
> Hello,
>
> What is the consideration here? I read the thread and it appears that
> OpenSSL is not compatible with GPL? But we don't care about that right?
> The OpenSSL looks pretty BSDish to me, expect the advertising clause (is
> that what caused XFree86.org to fork?).

Folks, please restate the topic in the email body, rather than requiring
people to magically remember the subject.

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

On Thu, 2006-12-28 at 13:01 -0500, Stephen Frost wrote:
> * Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> > What is the consideration here? I read the thread and it appears that
> > OpenSSL is not compatible with GPL? But we don't care about that right?
> > The OpenSSL looks pretty BSDish to me, expect the advertising clause (is
> > that what caused XFree86.org to fork?).
>
> OpenSSL isn't compatible with the GPL.

The original discussion stated that well placed attorneys in the market
feel that the FSF is trying to reach beyond the hands of god on this one
and that we don't need to worry about it (my words, for actual quote
read thread ;)).

> We do care because GPL
> applications link against libpq and therefore can end up linking against
> OpenSSL. \

Our concern is whether PostgreSQL is legally linked, not if something
else is. /me is trying to think very hard of a program that is GPL that
links to to PostgreSQL that would have a problem....

> I don't believe it was the OpenSSL advertising clause that
> caused the XFree86.org fork. My vaugue recollection is that XFree86
> changed their license to include something like an advertising clause
> and that's what cause the split.

That's what I meant, that Xfree86.org added an advertising clause which
caused the split.

Sincerely,

Joshua D. Drake

>
> Thanks,
>
> Stephen
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

On Thu, 2006-12-28 at 13:02 -0500, Bruce Momjian wrote:
> Joshua D. Drake wrote:
> > Hello,
> >
> > What is the consideration here? I read the thread and it appears that
> > OpenSSL is not compatible with GPL? But we don't care about that right?
> > The OpenSSL looks pretty BSDish to me, expect the advertising clause (is
> > that what caused XFree86.org to fork?).
>
> Folks, please restate the topic in the email body, rather than requiring
> people to magically remember the subject.

http://archives.postgresql.org/pgsql-patches/2006-05/msg00040.php

Joshua D. Drake

--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> On Thu, 2006-12-28 at 13:01 -0500, Stephen Frost wrote:
> > OpenSSL isn't compatible with the GPL.
>
> The original discussion stated that well placed attorneys in the market
> feel that the FSF is trying to reach beyond the hands of god on this one
> and that we don't need to worry about it (my words, for actual quote
> read thread ;)).

Yeah, that's nice.

> > We do care because GPL
> > applications link against libpq and therefore can end up linking against
> > OpenSSL. \
>
> Our concern is whether PostgreSQL is legally linked, not if something
> else is. /me is trying to think very hard of a program that is GPL that
> links to to PostgreSQL that would have a problem....

Looking at it from the point of view that psql if fine and therefore
there isn't a problem is *very* short-sighted.

Some of the packages currently in Debian/unstable which are licensed
under the GPL and linked against libpq4 (a few of which have already
provided exceptions for linking against OpenSSL):

amarok
http://packages.debian.org/changelogs/pool/main/a/amarok/current/copyright
aolserver4-nspostgres
http://packages.debian.org/changelogs/pool/main/a/aolserver4-nspostgres/current/copyright
asterisk (which has provided an OpenSSL exception)
http://packages.debian.org/changelogs/pool/main/a/asterisk/current/copyright
bacula (which has provided an OpenSSL exception)
http://packages.debian.org/changelogs/pool/main/b/bacula/current/copyright
bandwidthd
http://packages.debian.org/changelogs/pool/main/b/bandwidthd/current/copyright
courier
http://packages.debian.org/changelogs/pool/main/c/courier/current/copyright
cvm
http://packages.debian.org/changelogs/pool/main/c/cvm/current/copyright
cvsnt
http://packages.debian.org/changelogs/pool/main/c/cvsnt/current/copyright
cyphesis-cpp
http://packages.debian.org/changelogs/pool/main/c/cyphesis-cpp/current/copyright
exim4 (which has provided an OpenSSL exception)
http://packages.debian.org/changelogs/pool/main/e/exim4/current/copyright
gambas
http://packages.debian.org/changelogs/pool/main/g/gambas/current/copyright
gnokii
http://packages.debian.org/changelogs/pool/main/g/gnokii/current/copyright
gnugk (which has provided an OpenSSL exception)
http://packages.debian.org/changelogs/pool/main/g/gnugk/current/copyright
gnustep-dl2
http://packages.debian.org/changelogs/pool/main/g/gnustep-dl2/current/copyright
gphotocoll
http://packages.debian.org/changelogs/pool/main/g/gphotocoll/current/copyright
grass
http://packages.debian.org/changelogs/pool/main/g/grass/current/copyright
guile-pg
http://packages.debian.org/changelogs/pool/main/g/guile-pg/current/copyright
guile-simplesql
http://packages.debian.org/changelogs/pool/main/g/guile-simplesql/current/copyright
jabberd2
http://packages.debian.org/changelogs/pool/main/j/jabberd2/current/copyright
libdbd-pg-perl
http://packages.debian.org/changelogs/pool/main/libd/libdbd-pg-perl/current/copyright
postgis
http://packages.debian.org/changelogs/pool/main/p/postgis/current/copyright

And quite a few others, I'm sure, I just got tired of looking.

Thanks,

Stephen

> Some of the packages currently in Debian/unstable which are licensed
> under the GPL and linked against libpq4 (a few of which have already
> provided exceptions for linking against OpenSSL):

Sounds to me like the list below needs to add an OpenSSL exception and
that PostgreSQL needs to make mention in the docs somewhere of the
potential issue.

Sincerely,

Joshua D. Drake

>
> amarok
> http://packages.debian.org/changelogs/pool/main/a/amarok/current/copyright
> aolserver4-nspostgres
> http://packages.debian.org/changelogs/pool/main/a/aolserver4-nspostgres/current/copyright
> asterisk (which has provided an OpenSSL exception)
> http://packages.debian.org/changelogs/pool/main/a/asterisk/current/copyright
> bacula (which has provided an OpenSSL exception)
> http://packages.debian.org/changelogs/pool/main/b/bacula/current/copyright
> bandwidthd
> http://packages.debian.org/changelogs/pool/main/b/bandwidthd/current/copyright
> courier
> http://packages.debian.org/changelogs/pool/main/c/courier/current/copyright
> cvm
> http://packages.debian.org/changelogs/pool/main/c/cvm/current/copyright
> cvsnt
> http://packages.debian.org/changelogs/pool/main/c/cvsnt/current/copyright
> cyphesis-cpp
> http://packages.debian.org/changelogs/pool/main/c/cyphesis-cpp/current/copyright
> exim4 (which has provided an OpenSSL exception)
> http://packages.debian.org/changelogs/pool/main/e/exim4/current/copyright
> gambas
> http://packages.debian.org/changelogs/pool/main/g/gambas/current/copyright
> gnokii
> http://packages.debian.org/changelogs/pool/main/g/gnokii/current/copyright
> gnugk (which has provided an OpenSSL exception)
> http://packages.debian.org/changelogs/pool/main/g/gnugk/current/copyright
> gnustep-dl2
> http://packages.debian.org/changelogs/pool/main/g/gnustep-dl2/current/copyright
> gphotocoll
> http://packages.debian.org/changelogs/pool/main/g/gphotocoll/current/copyright
> grass
> http://packages.debian.org/changelogs/pool/main/g/grass/current/copyright
> guile-pg
> http://packages.debian.org/changelogs/pool/main/g/guile-pg/current/copyright
> guile-simplesql
> http://packages.debian.org/changelogs/pool/main/g/guile-simplesql/current/copyright
> jabberd2
> http://packages.debian.org/changelogs/pool/main/j/jabberd2/current/copyright
> libdbd-pg-perl
> http://packages.debian.org/changelogs/pool/main/libd/libdbd-pg-perl/current/copyright
> postgis
> http://packages.debian.org/changelogs/pool/main/p/postgis/current/copyright
>
> And quite a few others, I'm sure, I just got tired of looking.
>
> Thanks,
>
> Stephen
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> > Some of the packages currently in Debian/unstable which are licensed
> > under the GPL and linked against libpq4 (a few of which have already
> > provided exceptions for linking against OpenSSL):
>
> Sounds to me like the list below needs to add an OpenSSL exception and
> that PostgreSQL needs to make mention in the docs somewhere of the
> potential issue.

Gee, thanks. Perhaps one might consider the license a reason why some
might prefer GNUTLS and would like to see the option? I'm pretty
confident that Debian, at least, would switch to using GNUTLS for
Postgres were it available. It's certainly something we'd like to see
supported by upstream as an alternative to OpenSSL. Given the patch is
available it's possible we could just apply it locally (as was done w/
OpenLDAP) but I really don't think anyone would like to see that.

Thanks,

Stephen

> Gee, thanks. Perhaps one might consider the license a reason why some
> might prefer GNUTLS and would like to see the option? I'm pretty
> confident that Debian, at least, would switch to using GNUTLS for
> Postgres were it available. It's certainly something we'd like to see
> supported by upstream as an alternative to OpenSSL. Given the patch is
> available it's possible we could just apply it locally (as was done w/
> OpenLDAP) but I really don't think anyone would like to see that.

I am not the one you need to convince :). I honestly don't care that
much. I am just trying to help clean up the TODO list. If you want the
GNU TLS patch accepted, you should probably start a thread about that
problem specifically.

Currently, Tom Lane does not like how invasive the patch is. So someone
is going to have to convince him this is a good idea or some of the
other committers.

Sincerely,

Joshua D. Drake

>
> Thanks,
>
> Stephen
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> I am not the one you need to convince :). I honestly don't care that
> much. I am just trying to help clean up the TODO list. If you want the
> GNU TLS patch accepted, you should probably start a thread about that
> problem specifically.

Given the thread subject I figured that was in scope... :)

> Currently, Tom Lane does not like how invasive the patch is. So someone
> is going to have to convince him this is a good idea or some of the
> other committers.

Yeah, I saw that, but I think Martijn answers that quite well:

> More than half the patch is simply moving the OpenSSL related stuff
> from fe/be-secure.c to fe/be-secure-openssl.c. If you create the
> -openssl versions first you can more easily see that the changes are in
> fact quite minor. Unfortunatly diff can't represent the change "copy N
> lines from file A to file B" very efficiently.

And following on to that wrt code maintenance:

> Hmm, I see your point. I guess that's an unavoidable side-effect of the
> process :(. However, judging from the CVS logs, these have not been files
> with a high change rate. I think it's worth it but I can imagine other
> people see that differently.

As for Brunce's comment here:

> Of course, we are trading a BSD license with advertizing clause with an
> LGPL license. I guess it makes sense.

I don't see that we're *trading* anything here if we support both, we're
providing users with the choice of which they'd prefer. I'd agree with
Martijn from above- the benefit is worth the (hopefully low) maintenance
cost.

Thanks,

Stephen

> I don't see that we're *trading* anything here if we support both, we're
> providing users with the choice of which they'd prefer. I'd agree with
> Martijn from above- the benefit is worth the (hopefully low) maintenance
> cost.

Well for my honest opinion, I think we should pick *one* and stick with
it. I don't care which. Same for readline. Either spoon up libedit in
ice cream glory or use just readline :)

Sincerely,

Joshua D. Drake

>
> Thanks,
>
> Stephen
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

"Joshua D. Drake" <jd(at)commandprompt(dot)com> writes:
> Currently, Tom Lane does not like how invasive the patch is.

If GNUTLS really wants to take market share from OpenSSL, why don't they
provide a more nearly compatible API? I don't see why we should have
to jump through so many hoops in order to satify someone else's license
fetish. (And it is a fetish, because only a compulsively narrow-minded
reading of the licenses yields the conclusion that there's a problem.)

regards, tom lane

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> "Joshua D. Drake" <jd(at)commandprompt(dot)com> writes:
> > Currently, Tom Lane does not like how invasive the patch is.
>
> If GNUTLS really wants to take market share from OpenSSL, why don't they
> provide a more nearly compatible API? I don't see why we should have

They do but it's GPL. Not to mention that the OpenSSL API isn't exactly
a shining star in the software world... I really don't feel this has
got anything to do with 'market share' and I'm not advocating Postgres
drop support for OpenSSL. I disagree that the only way Postgres should
support multiple libraries for a given component is if they provide the
same API- we wouldn't have much in the way of authentication options if
that was really the case. The patch appears large because of things
being moved around and not becuase it is tremendously invasive. Also,
this area hasn't required a lot of maintenance in the past and I doubt
adding GNUTLS support would change that.

> to jump through so many hoops in order to satify someone else's license
> fetish. (And it is a fetish, because only a compulsively narrow-minded
> reading of the licenses yields the conclusion that there's a problem.)

While I appriciate that RH isn't concerned I don't feel their
interpretation is the only possible one which could come out of a court
case. Not to mention that just finding out would be expensive in its
own right.

Thanks,

Stephen

On Thu, Dec 28, 2006 at 10:13:14AM -0800, Joshua D. Drake wrote:
> On Thu, 2006-12-28 at 13:01 -0500, Stephen Frost wrote:
> > * Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> > > What is the consideration here? I read the thread and it appears that
> > > OpenSSL is not compatible with GPL? But we don't care about that right?
> > > The OpenSSL looks pretty BSDish to me, expect the advertising clause (is
> > > that what caused XFree86.org to fork?).
> > OpenSSL isn't compatible with the GPL.

With few exceptions, you cannot derive or include GPL software in your
non-GPL software. The GPL works very hard to maintain this position to
"protect" the freedom of the user.

The GPL cannot control how OpenSSL is distributed, though. The OpenSSL
license controls this. I don't see any place in the (short and sweet!)
OpenSSL license that prevents it from being using in GPL software. Are
you reading some particular point in the OpenSSL license that I am not?
PostgreSQL isn't GPL software anyways, and there is certainly nothing
in the OpenSSL license preventing it from being used in PostgreSQL.

If the argument is that the 'whole derived product' must fit the
outter most provided license, then I think you should consider that
PostgreSQL should not include *ANY* GPL software, as any user of
PostgreSQL cannot be guaranteed of the generous freedoms provided by
the PostgreSQL license. Some components are covered by GPL, which is
restrictive compared to PostgreSQL.

Down this path is the impractical, and silly conclusion that all
software must be licensed under the exact same license to be
distributed. An all GPL distribution, for example. While those with a
political agenda such as Richard Stallman would cheer at this result,
those people do not have the power to force this will on us.

The Free Software Foundation provides an LGPL that has fewer restrictions
than GPL, out of recognition that their political goals are not practical
for all uses. LGPL software may be linked with GPL software without
invalidating the GPL rights of the user. GPL applies to the GPL part,
and LGPL applies to the LGPL part. All is well in the world.

In conclusion - I'll restate. The only license that can restrict the
distribution of OpenSSL, is the OpenSSL license. The GPL is not relevant
in determining where OpenSSL may be distributed to.

Anybody who believes OpenSSL is a problem, must be aware of some
software distribution for which the OpenSSL licensing terms are
unreasonable. I'm not sure who that would be. They ask for
attribution. They ask that their name not be used to promote another
product. They ask that their name not be used in the name of another
product. All of these terms seem fair to me.

> The original discussion stated that well placed attorneys in the market
> feel that the FSF is trying to reach beyond the hands of god on this one
> and that we don't need to worry about it (my words, for actual quote
> read thread ;)).

I agree with Tom - if they really want people to use GNUTLS, why did
they make it have such a different interface?

I recently had to choose between the two for a product at work, and
GNUTLS seemed to fall short in several areas. It was a race between
GNUTLS seeming to having superior documentation vs OpenSSL seeming to
have superior functionality. For my rather complicated requirements,
OpenSSL won out (function is more important than documentation), and
the product using it is about 90% complete. It includes such ugliness
as OpenSSL/C code that needs to load the encrypted private key and
client/server x509 certificates from a Java Keystore (JKS)... Total
fun... :-)

Cheers,
mark

--
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
. . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
|\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
| | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada

One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...

http://mark.mielke.cc/

On Thu, Dec 28, 2006 at 02:48:56PM -0500, Stephen Frost wrote:
> I disagree that the only way Postgres should support multiple
> libraries for a given component is if they provide the same API- we
> wouldn't have much in the way of authentication options if that was
> really the case.

I don't believe that was said. However, using two very different APIs
for the exact same purpose, providing the exact same functionality
would seem to require a business case. If fear of litigation over
what seems to be a non-existent point is the only business case, the
position deserves to be challenged.

There are other elements that could be included in the business case.
For example, the documentation for GNUTLS seems to be significantly
better.

I don't like fear mongering. It smells like FUD. :-)

Cheers,
mark

--
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
. . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
|\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
| | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada

One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...

http://mark.mielke.cc/

* mark(at)mark(dot)mielke(dot)cc (mark(at)mark(dot)mielke(dot)cc) wrote:
> In conclusion - I'll restate. The only license that can restrict the
> distribution of OpenSSL, is the OpenSSL license. The GPL is not relevant
> in determining where OpenSSL may be distributed to.

The issue is not the distribution of OpenSSL but rather the distribution
of GPL applications which link against OpenSSL.
Because of the GPL the resulting application can not have any
*additional* restrictions on it (meaning it can be linked against libpq
without any problem because libpq's license doesn't add any restrictions,
but can't be against OpenSSL because the OpenSSL license adds the
advertising clause which isn't in the GPL).

*That's* the issue here, not whatever it is you were arguing against.
There are a few ways to resolve this- add GNUTLS support to PostgreSQL
(GNUTLS is LGPL and so won't cause a problem with GPL or other licenses
in general) or get every GPL application author which ends up using
OpenSSL to provide an exception (which Debian's been working on,
actually, with some success), or get GPLv3 to allow advertising clauses
and get everyone to switch to it (not exactly likely to happen...), or
get OpenSSL to drop the advertising clause (I've been told they would if
they could but that much of the code is authored by an individual who
now works for a competitor and now has very little interest in helping
out the OpenSSL project in any way...).

If you feel the advertising clause is fine, then it's the GPL that's at
fault here for not allowing it. If you disagree with the advertising
clause then it's the fault of the OpenSSL license. Personally, I don't
really care which way you want to look at it.

On another note, personally I feel it's a good thing to support multiple
libraries when the cost of doing so is reasonably low. I had kind of
half-expected people would agree with that sentiment and so the
licenseing issue it would resolve (for at least Debian) is that much
more reason. I didn't really expect a reaction of "there isn't a
licenseing issue so we shouldn't add support for another library". I
could understand if people don't care about the licensing aspect but
I don't really get this one-size-fits-all mentality when it comes to an
SSL library. We don't seem to feel that way about authentication
mechanisms, operating systems, or even client libraries.

Thanks,

Stephen

Stephen Frost wrote:
> * mark(at)mark(dot)mielke(dot)cc (mark(at)mark(dot)mielke(dot)cc) wrote:
>
>> In conclusion - I'll restate. The only license that can restrict the
>> distribution of OpenSSL, is the OpenSSL license. The GPL is not relevant
>> in determining where OpenSSL may be distributed to.
>>
>
> The issue is not the distribution of OpenSSL but rather the distribution
> of GPL applications which link against OpenSSL.
> Because of the GPL the resulting application can not have any
> *additional* restrictions on it (meaning it can be linked against libpq
> without any problem because libpq's license doesn't add any restrictions,
> but can't be against OpenSSL because the OpenSSL license adds the
> advertising clause which isn't in the GPL).
>
> *That's* the issue here, not whatever it is you were arguing against.
>

Stephen, you write as if there were no legal disagreement about this.
But there is, as you well know. My understanding is that most of the
non-FSF lawyers who have looked at this think it's not a problem. I am
not a lawyer, and AFAIK neither are you. Maybe we all need to stop
playing Perry Mason and take some well informed legal advice.

cheers

andrew

* mark(at)mark(dot)mielke(dot)cc (mark(at)mark(dot)mielke(dot)cc) wrote:
> On Thu, Dec 28, 2006 at 02:48:56PM -0500, Stephen Frost wrote:
> > I disagree that the only way Postgres should support multiple
> > libraries for a given component is if they provide the same API- we
> > wouldn't have much in the way of authentication options if that was
> > really the case.
>
> I don't believe that was said. However, using two very different APIs
> for the exact same purpose, providing the exact same functionality
> would seem to require a business case. If fear of litigation over
> what seems to be a non-existent point is the only business case, the
> position deserves to be challenged.
>
> There are other elements that could be included in the business case.
> For example, the documentation for GNUTLS seems to be significantly
> better.

I havn't done serious comparisons of the two since the license issue
matters to me, honestly, so this can be taken with a grain of salt,
but...

OpenSSL has more features and some niceties like the TLS_CACERTDIR
(I've asked for this in GNUTLS, actually, so it might have it soon)
They can each be faster than the other in some instances
(I'm not sure which though, I've heard of 15% differences in each
direction depending on architecture though)
GNUTLS has a nicer/better API
GNUTLS has a smaller memory footprint
OpenSSL is working to get NIST certification/approval
(it had it, but then lost it for some reason and they're working to
get that fixed)
GNUTLS has better documentation

Actually, from a comparison done for libcurl (which supports both):

GnuTLS vs OpenSSL

While these two libraries offer similar features, they are not equal. Both
libraries have features the other one lacks. libcurl does not (yet) offer a
standardized stable ABI if you decide to switch from using libcurl-openssl to
libcurl-gnutls or vice versa. The GnuTLS support is very recent in libcurl
and it has not been tested nor used very extensively, while the OpenSSL
equivalent code has been used and thus matured for more than seven (7) years.

GnuTLS
- LGPL licensened
- supports SRP
- lacks SSLv2 support
- lacks MD2 support (used by at least some CA certs)
- lacks the crypto functions libcurl uses for NTLM

OpenSSL
- Original BSD licensened
- lacks SRP
- supports SSLv2
- older and more widely used
- provides crypto functions libcurl uses for NTLM
- libcurl can do non-blocking connects with it in 7.15.4 and later

That was from May 15, 2006:
http://curl.mirrors.cyberservers.net/legal/distro-dilemma.html

Regarding SSLv2 support, the GNUTLS page has this:

Support for TLS 1.1, TLS 1.0 and SSL 3.0 protocols

* Since SSL 2.0 is insecure it is not supported.
* TLS 1.2 is supported in the experimental branch.

> I don't like fear mongering. It smells like FUD. :-)

While I didn't intend it as fear mongering I can understand that might
be the impression whenever licenses and possible license violations are
brought up. I don't know of anyone who's actually attempting to
prosecute this nor do I generally expect someone to in the future.
Even so though, it wouldn't be a PostgreSQL issue anyway but rather
an issue for someone distributing OpenSSL and some GPL application which
linked against it (ie: a distribution like Debian).

Thanks,

Stephen

> Stephen, you write as if there were no legal disagreement about this.
> But there is, as you well know. My understanding is that most of the
> non-FSF lawyers who have looked at this think it's not a problem. I am
> not a lawyer, and AFAIK neither are you. Maybe we all need to stop
> playing Perry Mason and take some well informed legal advice.

But Perry Mason was so cool!

>
> cheers
>
> andrew
>
>
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Andrew Dunstan (andrew(at)dunslane(dot)net) wrote:
> Stephen Frost wrote:
> >The issue is not the distribution of OpenSSL but rather the distribution
> >of GPL applications which link against OpenSSL.
> >Because of the GPL the resulting application can not have any
> >*additional* restrictions on it (meaning it can be linked against libpq
> >without any problem because libpq's license doesn't add any restrictions,
> >but can't be against OpenSSL because the OpenSSL license adds the
> >advertising clause which isn't in the GPL).
> >
> >*That's* the issue here, not whatever it is you were arguing against.
>
> Stephen, you write as if there were no legal disagreement about this.

I was trying to explain the issue as I understood it. I'm happy to
admit that not everyone feels this is an issue (in fact, I've said as
much elsewhere in this thread). That doesn't mean there aren't some who
*do* feel it's an issue though.

> But there is, as you well know. My understanding is that most of the
> non-FSF lawyers who have looked at this think it's not a problem. I am
> not a lawyer, and AFAIK neither are you. Maybe we all need to stop
> playing Perry Mason and take some well informed legal advice.

I'm certainly not a lawyer and I'd be astounded if anyone felt I
represented myself as such. I don't have opinions from any lawyers
beyond Tom's comments previously from RH's legal team and FSF's comments
on the issue. I don't know where the 'most of the non-FSF lawyers'
claim comes from, if you're aware of others who have commented on it I'd
be happy to listen to them. I do know that this has been an issue for
Debian for quite some time and it seems rather unlikely that Debian's
position on it will change. SPI does have a pro-bono lawyer but I
don't know that this question has been posed to him, probably because
the general consensus among the Debian Powers that Be is that it is an
issue and we try to not bother our pro-bono lawyer too much (being, uh,
pro-bono and all).

Thanks,

Stephen

Stephen Frost wrote:
>> My understanding is that most of the
>> non-FSF lawyers who have looked at this think it's not a problem. I am
>> not a lawyer, and AFAIK neither are you. Maybe we all need to stop
>> playing Perry Mason and take some well informed legal advice.
>>
>
> I'm certainly not a lawyer and I'd be astounded if anyone felt I
> represented myself as such. I don't have opinions from any lawyers
> beyond Tom's comments previously from RH's legal team and FSF's comments
> on the issue. I don't know where the 'most of the non-FSF lawyers'
> claim comes from, if you're aware of others who have commented on it I'd
> be happy to listen to them.

I said that was my understanding, not that I had direct knowledge of it.
But maybe I'm wrong.

> I do know that this has been an issue for
> Debian for quite some time and it seems rather unlikely that Debian's
> position on it will change. SPI does have a pro-bono lawyer but I
> don't know that this question has been posed to him, probably because
> the general consensus among the Debian Powers that Be is that it is an
> issue and we try to not bother our pro-bono lawyer too much (being, uh,
> pro-bono and all).
>

I have a sneaking suspicion that there are some hidden agendas in all this.

I agree with this comment from Steve Langasek at
http://lists.debian.org/debian-legal/2003/01/msg00022.html :

> Sure, code can be rewritten to use gnutls natively. But I don't
> understand why anyone would consider this a useful expenditure of
> developer resources when the necessary OpenSSL compat glue could simply
> be made available under the LGPL.
>
>

If this is such an issue, why hasn't somebody done that?

cheers

andrew

On Thu, Dec 28, 2006 at 05:16:58PM -0500, Andrew Dunstan wrote:
> I agree with this comment from Steve Langasek at
> http://lists.debian.org/debian-legal/2003/01/msg00022.html :
>
> >Sure, code can be rewritten to use gnutls natively. But I don't
> >understand why anyone would consider this a useful expenditure of
> >developer resources when the necessary OpenSSL compat glue could simply
> >be made available under the LGPL.
>
> If this is such an issue, why hasn't somebody done that?

Maybe because the OpenSSL interface is terrible? I'm not sure if it's
actually possible to emulate the OpenSSL interface, given the way the
libraries work internally are completely different.

There is an OpenSSL compatability layer, but postgres won't compile
with it because it's nowhere near complete enough, even for the simple
things postgres wants to do.

However, in this case we're talking about code that has already been
written. So the work has already been done...

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.

* Andrew Dunstan (andrew(at)dunslane(dot)net) wrote:
> Stephen Frost wrote:
> >I do know that this has been an issue for
> >Debian for quite some time and it seems rather unlikely that Debian's
> >position on it will change. SPI does have a pro-bono lawyer but I
> >don't know that this question has been posed to him, probably because
> >the general consensus among the Debian Powers that Be is that it is an
> >issue and we try to not bother our pro-bono lawyer too much (being, uh,
> >pro-bono and all).
> >
>
> I have a sneaking suspicion that there are some hidden agendas in all this.

I'm certainly not aware of any personally. I doubt Debian in general
does either since this isn't exactly a fun thing for us to have to deal
with.

> I agree with this comment from Steve Langasek at
> http://lists.debian.org/debian-legal/2003/01/msg00022.html :

Unfortunately, the glue hasn't been made available under the LGPL.
While I agree with Steve generally (and in fact have been discussing
this whole bit with him on IRC), in this case he's right but the point
is moot- it *could* be done, but it *hasn't* been done. The options are
to go ask the original author about relicensing it (which I think has
actually been done already) or rewriting it (which apparently hasn't
been done).

> >Sure, code can be rewritten to use gnutls natively. But I don't
> >understand why anyone would consider this a useful expenditure of
> >developer resources when the necessary OpenSSL compat glue could simply
> >be made available under the LGPL.
>
> If this is such an issue, why hasn't somebody done that?

Based on what I've seen happen to date it appears that projects would
rather just include GNUTLS support directly than write a wrapper to
support the OpenSSL API using GNUTLS. Indeed, that's exactly the
approach Martijn took as well. My guess as to why this would be is that
it's simply not *that* difficult to do and maintain, and in the end
perhaps some prefer the GNUTLS API over the OpenSSL API, or feel that
more things are moving in that direction. I don't know, I can't speak
for them so I'm really just speculating, but the empirical evidence is
that projects support GNUTLS and there doesn't exist a non-GPL OpenSSL
API for GNUTLS yet. I understand that at least some GPL projects do use
the GPL OpenSSL API for GNUTLS but it's not common. (fe: I know exim4,
elinks, mutt, samba, curl/libcurl, and others support GNUTLS directly
while the only project I've heard of using the wrapper is slrn, cupsys
used the compat layer at one point but then changed to using GNUTLS
directly). Maybe people feel that using a compat layer is uglier than
using GNUTLS directly?

Thanks,

Stephen

On Thu, Dec 28, 2006 at 03:56:48PM -0500, Stephen Frost wrote:
> * mark(at)mark(dot)mielke(dot)cc (mark(at)mark(dot)mielke(dot)cc) wrote:
> > In conclusion - I'll restate. The only license that can restrict the
> > distribution of OpenSSL, is the OpenSSL license. The GPL is not relevant
> > in determining where OpenSSL may be distributed to.
> The issue is not the distribution of OpenSSL but rather the distribution
> of GPL applications which link against OpenSSL.
> Because of the GPL the resulting application can not have any
> *additional* restrictions on it (meaning it can be linked against libpq
> without any problem because libpq's license doesn't add any restrictions,
> but can't be against OpenSSL because the OpenSSL license adds the
> advertising clause which isn't in the GPL).

I don't see the problem. If I redistribute PostgreSQL with GPL software
that I author, I am supposed to keep a copy of the PostgreSQL license
with the derived works. Respecting the license for every component of
software is regular business.

By the words you describe above, the GPL doesn't require that you
include a copy of the PostgreSQL license either. Are you saying that
this makes GPL incompatible with PostgreSQL?

It's silliness. If you redistribute OpenSSL, you honour the OpenSSL
requirements. That's the *only* requirement by copyright law. It doesn't
matter if it is GPL on top, or not. You always honour each license.

The *only* thing GPL-with-GPL does is reduce complexity.

> *That's* the issue here, not whatever it is you were arguing against.

I think you might only be listening to one side.

> There are a few ways to resolve this- add GNUTLS support to PostgreSQL
> (GNUTLS is LGPL and so won't cause a problem with GPL or other licenses
> in general) or get every GPL application author which ends up using
> OpenSSL to provide an exception (which Debian's been working on,
> actually, with some success), or get GPLv3 to allow advertising clauses
> and get everyone to switch to it (not exactly likely to happen...), or
> get OpenSSL to drop the advertising clause (I've been told they would if
> they could but that much of the code is authored by an individual who
> now works for a competitor and now has very little interest in helping
> out the OpenSSL project in any way...).

1) Adding GNUTLS support to PostgreSQL does not eliminate any PostgreSQL
obligation to honour the OpenSSL distribution license. Any PostgreSQL
distribution that includes OpenSSL must honour the OpenSSL distribution
license, just as any PostgreSQL distribution that includes GNUTLS must
honour either the GPL or LGPL license. Nothing changes. It's about
distribution. If PostgreSQL includes OpenSSL support, it is a derived
works when distributed with OpenSSL. It is a misunderstanding to believe
that support for many interfaces allows you to avoid any licensing
issues. It is a popular misunderstanding.

2) Explicitly stating an OpenSSL "exception" is not a legal requirement.
It is not possible for any derived product to "except" conditions
for OpenSSL. OpenSSL defines its *own* license. You cannot modify it,
which means that the GPL cannot reduce its significance, nor can an
explicit exception claus increase its significance. OpenSSL
distribution rights are defined by the OpenSSL license. Full stop.

If you wish to explicitly point out that you don't mind if your
product is linked against OpenSSL (which should be obvious by the
fact that you included support for it in your program), you are
free to do so. Maybe it'll keep the lawyers a little hungrier.
It's not necessary, and it *cannot* have legal effect.

Exception clause or not, every author of a derived works that makes
use of it, should understand their *obligation* to honour any and
all licenses for any derived software. GPL, LGPL, OpenSSL, Apache,
whatever. The exception clause is making this obvious. It has no
legal weight.

> If you feel the advertising clause is fine, then it's the GPL that's at
> fault here for not allowing it. If you disagree with the advertising
> clause then it's the fault of the OpenSSL license. Personally, I don't
> really care which way you want to look at it.

No. The GPL is allowed to do whatever it wants. What it wants, is to
achieve Richard Stallman's vision of software communism. What the GPL
cannot do is say whether you can, or cannot use OpenSSL. Only OpenSSL
can say whether you can or cannot use OpenSSL.

> On another note, personally I feel it's a good thing to support multiple
> libraries when the cost of doing so is reasonably low. I had kind of
> half-expected people would agree with that sentiment and so the
> licenseing issue it would resolve (for at least Debian) is that much
> more reason. I didn't really expect a reaction of "there isn't a
> licenseing issue so we shouldn't add support for another library". I
> could understand if people don't care about the licensing aspect but
> I don't really get this one-size-fits-all mentality when it comes to an
> SSL library. We don't seem to feel that way about authentication
> mechanisms, operating systems, or even client libraries.

They're entirely different discussions. One is about politics. One is
about practical application.

With regard to practical application, I agree with you.

With regard to giving in to legal FUD, I feel it is my duty to stand up
to it as best as I can, to prevent it from becoming widely accepted.
Nothing personal, and we're both entitled to our own opinions on the matter.
You expressed yours. I've expressed mine. Hopefully truth is found from
the reading of both.

Cheers,
mark

--
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
. . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
|\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
| | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada

One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...

http://mark.mielke.cc/

* mark(at)mark(dot)mielke(dot)cc (mark(at)mark(dot)mielke(dot)cc) wrote:
> I don't see the problem. If I redistribute PostgreSQL with GPL software
> that I author, I am supposed to keep a copy of the PostgreSQL license
> with the derived works. Respecting the license for every component of
> software is regular business.
>
> By the words you describe above, the GPL doesn't require that you
> include a copy of the PostgreSQL license either. Are you saying that
> this makes GPL incompatible with PostgreSQL?

What in the world are you talking about...? I truely can't follow your
train of thought in the least.

> It's silliness. If you redistribute OpenSSL, you honour the OpenSSL
> requirements. That's the *only* requirement by copyright law. It doesn't
> matter if it is GPL on top, or not. You always honour each license.

The GPL says you can't combine GPL code with code which has additional
requirements and then distribute the result.

> The *only* thing GPL-with-GPL does is reduce complexity.

I don't seem to be able to explain it to you, even what the issue is,
ignoring the question about if it's actually an issue or not.

> > *That's* the issue here, not whatever it is you were arguing against.
>
> I think you might only be listening to one side.

I'm honestly not sure *what* you're listening to, it doesn't seem to be
me...

> > There are a few ways to resolve this- add GNUTLS support to PostgreSQL
> > (GNUTLS is LGPL and so won't cause a problem with GPL or other licenses
> > in general) or get every GPL application author which ends up using
> > OpenSSL to provide an exception (which Debian's been working on,
> > actually, with some success), or get GPLv3 to allow advertising clauses
> > and get everyone to switch to it (not exactly likely to happen...), or
> > get OpenSSL to drop the advertising clause (I've been told they would if
> > they could but that much of the code is authored by an individual who
> > now works for a competitor and now has very little interest in helping
> > out the OpenSSL project in any way...).
>
> 1) Adding GNUTLS support to PostgreSQL does not eliminate any PostgreSQL
> obligation to honour the OpenSSL distribution license. Any PostgreSQL
> distribution that includes OpenSSL must honour the OpenSSL distribution
> license, just as any PostgreSQL distribution that includes GNUTLS must
> honour either the GPL or LGPL license. Nothing changes. It's about
> distribution. If PostgreSQL includes OpenSSL support, it is a derived
> works when distributed with OpenSSL. It is a misunderstanding to believe
> that support for many interfaces allows you to avoid any licensing
> issues. It is a popular misunderstanding.

As I tried to make clear previously, this hasn't got anything to do with
PostgreSQL distributing anything. Nor does it have anything to do with
PostgreSQL obligations. Here, I'll try again:

Debian --
\ Applications
- exim4
\ Links against:
- libpq
\ Links against:
- libssl (OpenSSL)

exim4 is under the GPL
libpq is under BSD (no advertising clause)
libssl is under BSD (advertising clause)

So, Debian is distributing an application (exim4 w/ libpq & libssl)
which includes GPL code (exim4) combined with code under another license
(BSD w/ advertising clause) which *adds additional restrictions* (the
advertising clause) over those in the GPL, which is against the terms of
the GPL. It's *Debian's* problem, but *PostgreSQL* can solve it by
providing the option to link against GNUTLS instead.

> 2) Explicitly stating an OpenSSL "exception" is not a legal requirement.
> It is not possible for any derived product to "except" conditions
> for OpenSSL. OpenSSL defines its *own* license. You cannot modify it,
> which means that the GPL cannot reduce its significance, nor can an
> explicit exception claus increase its significance. OpenSSL
> distribution rights are defined by the OpenSSL license. Full stop.

In the case above, exim4 *can* provide an exception because it's the
*GPL* of *exim4* which is being violated by the advertising clause in
the *OpenSSL* license. Which exim4 upstream has *done*, and which can
be seen in their license (linked to previously in this thread). There
are a number of other GPL'd applications which have done this, mostly
(if not completely) at the prodding of Debian (bacula being another
which comes to mind).

> If you wish to explicitly point out that you don't mind if your
> product is linked against OpenSSL (which should be obvious by the
> fact that you included support for it in your program), you are
> free to do so. Maybe it'll keep the lawyers a little hungrier.
> It's not necessary, and it *cannot* have legal effect.

Programs may not directly link against OpenSSL and so may not directly
include support for it (uhm, exactly the case when something links
against libpq which then links against OpenSSL), but which ends up still
being part of the distributed application.

> Exception clause or not, every author of a derived works that makes
> use of it, should understand their *obligation* to honour any and
> all licenses for any derived software. GPL, LGPL, OpenSSL, Apache,
> whatever. The exception clause is making this obvious. It has no
> legal weight.

Given that I think your premise above is wrong I won't bother argueing
against conclusions you draw from it.

> > If you feel the advertising clause is fine, then it's the GPL that's at
> > fault here for not allowing it. If you disagree with the advertising
> > clause then it's the fault of the OpenSSL license. Personally, I don't
> > really care which way you want to look at it.
>
> No. The GPL is allowed to do whatever it wants. What it wants, is to
> achieve Richard Stallman's vision of software communism. What the GPL
> cannot do is say whether you can, or cannot use OpenSSL. Only OpenSSL
> can say whether you can or cannot use OpenSSL.

This isn't about whether you can use or cannot use OpenSSL. It's about
if you're allowed to distribute GPL applications which are linked to
OpenSSL without violating the terms of the GPL. *This is not about
distributing OpenSSL*.

> > On another note, personally I feel it's a good thing to support multiple
> > libraries when the cost of doing so is reasonably low. I had kind of
> > half-expected people would agree with that sentiment and so the
> > licenseing issue it would resolve (for at least Debian) is that much
> > more reason. I didn't really expect a reaction of "there isn't a
> > licenseing issue so we shouldn't add support for another library". I
> > could understand if people don't care about the licensing aspect but
> > I don't really get this one-size-fits-all mentality when it comes to an
> > SSL library. We don't seem to feel that way about authentication
> > mechanisms, operating systems, or even client libraries.
>
> They're entirely different discussions. One is about politics. One is
> about practical application.
>
> With regard to practical application, I agree with you.
>
> With regard to giving in to legal FUD, I feel it is my duty to stand up
> to it as best as I can, to prevent it from becoming widely accepted.
> Nothing personal, and we're both entitled to our own opinions on the matter.
> You expressed yours. I've expressed mine. Hopefully truth is found from
> the reading of both.

The problem is that you're not standing up to FUD, you seem to be
arguing about something completely seperate from the issue that I've
brought up. I can understand Tom's point, or Andrew's point, that this
might not be an issue because of any number of reasons which might
include:
a) technically the program isn't linked till it's own the user's
computer (personally I don't feel that removes the GPL
requirements though I've heard it claimed)

b) The GPL application doesn't link *directly* to OpenSSL and the level
of indirection means the GPL application doesn't *depend* on OpenSSL,
which means it's not a derivative (imv, this isn't very far removed
from 'a', but I can see some distinction)

c) Authors of GPL code are very unlikely to prosecute such a claim
since OpenSSL *is* OSS and does abide by the DFSG (I wonder if the
FSF might find someone some day willing to, though they might not be
insterested due to possible bad press, who knows...)

d) PostgreSQL can be configured to not use SSL when it ships and
therefore as shipped there isn't a problem (again, kind of a stretch)

e) The GPL doesn't apply to shared library linking

f) The OpenSSL falls under the 'distributed with the OS' clause of the
GPL and therefore it isn't a problem that there are additional
restrictions in its license (probably the most practical argument,
but not sure it'd hold up when that'd basically make all of Debian
exempt since it can all be considered 'part of the OS'...)

Your comments above about a PostgreSQL obligation just don't make sense
and so I have to conclude that you don't understand the issue, which may
be my fault for not explaining it clearly enough but there's only so
much I can do.. Hopefully this will help...

Thanks,

Stephen

Stephen Frost <sfrost(at)snowman(dot)net> writes:
> So, Debian is distributing an application (exim4 w/ libpq & libssl)
> which includes GPL code (exim4) combined with code under another license
> (BSD w/ advertising clause) which *adds additional restrictions* (the
> advertising clause) over those in the GPL, which is against the terms of
> the GPL.

Stephen, let me explain *exactly* why I think this is horsepucky.

libjpeg, my other major open-source project, has always been shipped
under a BSD-ish license that includes an "advertising" clause; I quote:

: (2) If only executable code is distributed, then the accompanying
: documentation must state that "this software is based in part on the work of
: the Independent JPEG Group".

Curiously, every single GPL-license web browser in the world uses
libjpeg. Until I see a widespread willingness to remove JPEG support in
GPL-licensed software, and/or somebody providing a pure-GPL replacement
for libjpeg, I am not going to take this argument seriously. There is
exactly zero meaningful difference between the libjpeg license terms and
the OpenSSL terms, but where is the pushback on libjpeg? I have not
seen any, in all the years I worked on that project.

(At one point RMS did make a half-hearted attempt to get me to relicense
libjpeg as GPL, but I have never seen any indication whatsoever that
anyone else cared.)

regards, tom lane

On Thu, Dec 28, 2006 at 09:34:05PM -0500, Stephen Frost wrote:
> * mark(at)mark(dot)mielke(dot)cc (mark(at)mark(dot)mielke(dot)cc) wrote:
> > By the words you describe above, the GPL doesn't require that you
> > include a copy of the PostgreSQL license either. Are you saying that
> > this makes GPL incompatible with PostgreSQL?
> What in the world are you talking about...? I truely can't follow your
> train of thought in the least.

I will try again. It is a difficult subject for many.

GPL software derived from PostgreSQL must honour the restrictions defined
by the PostgreSQL (BSD) license.

GPL software derived from OpenSSL must honour the restrictions defined
by the OpenSSL license.

What is the difference? Do you see it? You speak of "compatibility" as
if it means that the above are different in some technical way. They
are NOT different. Just because the GPL >= the PostgreSQL license,
does not allow you to disobey the PostgreSQL license restrictions. You
*cannot* release your entire derived GPL product as GPL, if it is
distributed with PostgreSQL. The PostgreSQL component retains the
PostgreSQL licensing restrictions, The GPL restrictions do not
supercede or replace the PostgreSQL component and there is NOTHING the
GPL can do to change this.

> > It's silliness. If you redistribute OpenSSL, you honour the OpenSSL
> > requirements. That's the *only* requirement by copyright law. It doesn't
> > matter if it is GPL on top, or not. You always honour each license.
> The GPL says you can't combine GPL code with code which has additional
> requirements and then distribute the result.

The GPL *cannot* say this. The GPL *cannot* define how OpenSSL can or
cannot be used. Only the OpenSSL license can define how OpenSSL is
allowed to be distributed or used once distributed.

You are looking at it from the wrong direction. The GPL can prevent
*GPL-derived* works from being non-GPL. The GPL CANNOT prevent one
from deriving from non-GPL works. Take some time to read this a few
times if you need to. The difference is HUGE.

It would be ridiculous for it to be different. If it was different, it
would require all software to have exactly equivalent licenses in
order to be integrated. Insanity. Any lawyer who would claim this
should lose their license to practice law.

I'll state again - there is no such thing as *compatibility* in the
sense you are using it. If they were fully compatible, they would have
the exact same effect. The PostgreSQL license is *not* compatible with
GPL in the sense that they can be interchanged. Read the following
snip from the PostgreSQL license, which is incompatible with the GPL
license:

"Permission to use, copy, modiy, and distribute ... provided that
the above copyright notice and this paragraph and the following two
paragraphs appear in all copies."

A distribution that includes GPL software and PostgreSQL software *must*
include both the GPL license, and the PostgreSQL license. This is an
additional "incompatible" restriction with the GPL. The advertising
clause of the OpenSSL license is a second such restriction. It is not
the first such restriction as some people are trying to make it appear.

> > 1) Adding GNUTLS support to PostgreSQL does not eliminate any PostgreSQL
> > obligation to honour the OpenSSL distribution license. Any PostgreSQL
> > distribution that includes OpenSSL must honour the OpenSSL distribution
> > license, just as any PostgreSQL distribution that includes GNUTLS must
> > honour either the GPL or LGPL license. Nothing changes. It's about
> > distribution. If PostgreSQL includes OpenSSL support, it is a derived
> > works when distributed with OpenSSL. It is a misunderstanding to believe
> > that support for many interfaces allows you to avoid any licensing
> > issues. It is a popular misunderstanding.
>
> As I tried to make clear previously, this hasn't got anything to do with
> PostgreSQL distributing anything. Nor does it have anything to do with
> PostgreSQL obligations. Here, I'll try again:
>
> Debian --
> \ Applications
> - exim4
> \ Links against:
> - libpq
> \ Links against:
> - libssl (OpenSSL)
>
> exim4 is under the GPL
> libpq is under BSD (no advertising clause)
> libssl is under BSD (advertising clause)
>
> So, Debian is distributing an application (exim4 w/ libpq & libssl)
> which includes GPL code (exim4) combined with code under another license
> (BSD w/ advertising clause) which *adds additional restrictions* (the
> advertising clause) over those in the GPL, which is against the terms of
> the GPL. It's *Debian's* problem, but *PostgreSQL* can solve it by
> providing the option to link against GNUTLS instead.

There is no problem above. Debian must honour all licenses for all
software components. There is no need for an exemption, or an OpenSSL
exception clause. If OpenSSL is included within Debian, than the
Debian distribution should include an attribution to it in the Debian
documentation, and the OpenSSL LICENSE file should be stored somewhere
in the file system.

If there is a problem, feel free to describe the actual points of
conflict, using wording from the licenses itself. You are talking
about a theoretical issue that I you have not shown to exist. Drawing
ascii pictures doesn't substantiate your claim. The choice to use the
GPL as the license for a product cannot stop the product from being
derived from a non-free work. Richard Stallman's virus cannot prevent
people from using non-GPL base software. He can *ONLY* prevent people
from deriving from GPL software. Again, read this a few
times. Legally, it can only go in one direction.

If Richard Stallman wants to say that no part of his GNU system will
make use of non-GPL software, that is his choice. He cannot tell the
authors of other software what they can or cannot derive from. Only
the license of the product being derived from can tell the author
what they are allowed to do. Richard Stallman / GPL is not in the
picture.

The truth here, as I see it, is that Richard Stallman wants people
who use the GPL, to believe in his political ideal, and choose to
only use GPL software wherever possible, to allow his agenda to be
achieved as quickly as possible. For GPL software to be legally
derived from non-GPL software prevents his political ideal from
ever being fully achieved. This is why people are trying to make
open source hardware, and open source drivers for hardware. The
dream is to have a complete software stack that is all guaranteed
to be free to use, and free to derive from. It really is a dream.

I don't share this dream.

> > 2) Explicitly stating an OpenSSL "exception" is not a legal requirement.
> > It is not possible for any derived product to "except" conditions
> > for OpenSSL. OpenSSL defines its *own* license. You cannot modify it,
> > which means that the GPL cannot reduce its significance, nor can an
> > explicit exception claus increase its significance. OpenSSL
> > distribution rights are defined by the OpenSSL license. Full stop.
> In the case above, exim4 *can* provide an exception because it's the
> *GPL* of *exim4* which is being violated by the advertising clause in
> the *OpenSSL* license. Which exim4 upstream has *done*, and which can
> be seen in their license (linked to previously in this thread). There
> are a number of other GPL'd applications which have done this, mostly
> (if not completely) at the prodding of Debian (bacula being another
> which comes to mind).

No. It's because of the FUD surrounding the issue. People would rather
submit, and write an exception clause, than argue, or risk having to
square off against a lawyer. Existence of the clause does not prove that
the clause is necessary, or that it has any legal weight. It only proves
that one or more people were convinced that it wouldn't hurt.

I think it hurts everyone to submit to FUD, no matter if the FUD is
from Microsoft, or from the FSF. I believe that people should be making
choices based on knowledge, and understanding, than because of fear or
uncertainty.

> > If you wish to explicitly point out that you don't mind if your
> > product is linked against OpenSSL (which should be obvious by the
> > fact that you included support for it in your program), you are
> > free to do so. Maybe it'll keep the lawyers a little hungrier.
> > It's not necessary, and it *cannot* have legal effect.
> Programs may not directly link against OpenSSL and so may not directly
> include support for it (uhm, exactly the case when something links
> against libpq which then links against OpenSSL), but which ends up still
> being part of the distributed application.

It doesn't matter how it happens. If it's possible that OpenSSL might
be linked, than the distribution should include a copy of the OpenSSL
license, and documentation for the distribution should show that
OpenSSL is a part of the distribution. On my Fedora Core 6 system, I
see a copy of the license in:

/usr/share/doc/openssl-0.9.8b/LICENSE

As well as in the header of most files such as:

/usr/include/openssl/ssl.h

I assume if I look hard enough, I would find something that qualifies
as an attribution to Fedora Core containing OpenSSL within the Fedora
Core documentation. If Fedora Core wishes to be legal, and respect all
licenses of included software components, it should.

> > Exception clause or not, every author of a derived works that makes
> > use of it, should understand their *obligation* to honour any and
> > all licenses for any derived software. GPL, LGPL, OpenSSL, Apache,
> > whatever. The exception clause is making this obvious. It has no
> > legal weight.
> Given that I think your premise above is wrong I won't bother argueing
> against conclusions you draw from it.

Where are the words in the GPL that you think make your case? I haven't
seen them in this thread. I've seen references to the thinking of other
people, mostly people who have an FSF agenda to maintain. Where are the
words? Is it all hearsay?

> > No. The GPL is allowed to do whatever it wants. What it wants, is to
> > achieve Richard Stallman's vision of software communism. What the GPL
> > cannot do is say whether you can, or cannot use OpenSSL. Only OpenSSL
> > can say whether you can or cannot use OpenSSL.
> This isn't about whether you can use or cannot use OpenSSL. It's about
> if you're allowed to distribute GPL applications which are linked to
> OpenSSL without violating the terms of the GPL. *This is not about
> distributing OpenSSL*.

It is ONLY about distributing OpenSSL. GPL applications can CERTAINLY
link against a legally distributed and used OpenSSL without violating
the GPL.

I think you are confusing the intent of Richard Stallman in authoring
the GPL, with any legal weight the GPL actually has. One is about the
dream. The other is about what the countries we live in, allow to be
written on paper.

Find words in the GPL that prevent one from choosing to use the GPL as
the license for your software, even if your software legally links
against a non-GPL product. I assume you are aware that GPL software is
often compiled using proprietary compilers and linkers, and linked
with proprietary system libraries, and executed on proprietary
operating systems, running on proprietary hardware. Will you claim
that this violates the GPL as well?

> > They're entirely different discussions. One is about politics. One is
> > about practical application.
> >
> > With regard to practical application, I agree with you.
> >
> > With regard to giving in to legal FUD, I feel it is my duty to stand up
> > to it as best as I can, to prevent it from becoming widely accepted.
> > Nothing personal, and we're both entitled to our own opinions on the matter.
> > You expressed yours. I've expressed mine. Hopefully truth is found from
> > the reading of both.

> The problem is that you're not standing up to FUD, you seem to be
> arguing about something completely seperate from the issue that I've

I am *only* standing up to the FUD. Your points a), and b) below are
practical issues. The FUD is about people repeating fear and uncertainty
to open source project mailing lists all over the world.

On practical issues, my opinion might be quite different. I'll offer
them below, although after how you've responded to my other opinions,
I'll assume you might not care to read them... :-)

> brought up. I can understand Tom's point, or Andrew's point, that this
> might not be an issue because of any number of reasons which might
> include:
> a) technically the program isn't linked till it's own the user's
> computer (personally I don't feel that removes the GPL
> requirements though I've heard it claimed)

My opinion: If distributed in binary form, than the distribution
itself must obey the OpenSSL restrictions. This includes ensuring that
documentation for the distribution includes an attribution to the
OpenSSL project, and ensuring that the OpenSSL license is included
in the distribution.

If the user downloads PostgreSQL and OpenSSL separately, and then uses
both legally, linking them together, no distribution has occurred. As
copyright law is about distribution, copyright law cannot prevent one
from linking the pieces together at compile time or run time. If the
user distributes the binary image, then this goes back to the previous
paragraph.

Some lawyer might be able to convince a judge that PostgreSQL requires
OpenSSL to operate, and therefore, PostgreSQL is a fully derived work,
and not including OpenSSL does not free the PostgreSQL owners of
responsibility. The case seems pretty shaky, though, and OpenSSL is
not a required component of PostgreSQL.

> b) The GPL application doesn't link *directly* to OpenSSL and the level
> of indirection means the GPL application doesn't *depend* on OpenSSL,
> which means it's not a derivative (imv, this isn't very far removed
> from 'a', but I can see some distinction)

My opinion: Not different from 'a' at all. GPL applications can be
legally derived from non-GPL applications. The license restriction of
the product that is being derived from determine whether the
derivation is legal or not. Richard Stallman doesn't want people to do
this, because it hurts his cause, but legally, he can't stop them,
as it is a necessary part of life with software. The product is always
derived from at least one non-GPL product, even if only the hardware
that it sits on. That is, until the FSF achieves its agenda of having
a 100% GPL system....

> c) Authors of GPL code are very unlikely to prosecute such a claim
> since OpenSSL *is* OSS and does abide by the DFSG (I wonder if the
> FSF might find someone some day willing to, though they might not be
> insterested due to possible bad press, who knows...)

My opinion: This usually takes the form of 1) somebody forgetting to
honour a part of the license, 2) somebody pointing it out, 3) somebody
grudingly obeying. This might be a GPL-derived product that was released
from the authors as binary only, where the software is grudingly released
upon request (perhaps request by the FSF). This might be an OpenSSL-derived
product that was released from the authors without attributing OpenSSL
in the documentation, in which case they add a note in the documentation.
This could be a BSD-derived product that forgets to include a copy of
the BSD license in the distribution, in which case the license is
grudingly added back.

It doesn't matter what the license is. People know they should honour
the license. Ignorance is not an excuse. Choosing to ignore the license
is not honourable.

> d) PostgreSQL can be configured to not use SSL when it ships and
> therefore as shipped there isn't a problem (again, kind of a stretch)

This goes back to a). If the distribution includes OpenSSL, it must
honour the OpenSSL license. If PostgreSQL is not shipped with OpenSSL,
but allows it to be linked with OpenSSL, than the responsibility is
moved to the person who links the application and redistributes the
linked application. If the end user does it, then it is not a
redistribution, so copyright law cannot apply.

> e) The GPL doesn't apply to shared library linking

My opinion: I don't think this is true. LGPL doesn't apply to shared
library linking. GPL does.

> f) The OpenSSL falls under the 'distributed with the OS' clause of the
> GPL and therefore it isn't a problem that there are additional
> restrictions in its license (probably the most practical argument,
> but not sure it'd hold up when that'd basically make all of Debian
> exempt since it can all be considered 'part of the OS'...)

My opinion: Same as a). The responsibility is moved to the distributor.
The OS distribution must honour the license.

> Your comments above about a PostgreSQL obligation just don't make sense
> and so I have to conclude that you don't understand the issue, which may
> be my fault for not explaining it clearly enough but there's only so
> much I can do.. Hopefully this will help...

I think we've both concluded that the other person doesn't understand the
issue. Although it may be clear to you or I that the other is wrong, I
think the strength of the arguments will stand on their own as to whether
other people choose to believe you, I, or some third interpretation.

I've tried not to be presuming. I ask of you the same.

Cheers,
mark

--
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
. . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
|\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
| | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada

One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...

http://mark.mielke.cc/

mark(at)mark(dot)mielke(dot)cc wrote:

> I will try again. It is a difficult subject for many.
>
> GPL software derived from PostgreSQL must honour the restrictions defined
> by the PostgreSQL (BSD) license.
>
> GPL software derived from OpenSSL must honour the restrictions defined
> by the OpenSSL license.
>
> What is the difference? Do you see it? You speak of "compatibility" as
> if it means that the above are different in some technical way. They
> are NOT different. Just because the GPL >= the PostgreSQL license,
> does not allow you to disobey the PostgreSQL license restrictions. You
> *cannot* release your entire derived GPL product as GPL, if it is
> distributed with PostgreSQL. The PostgreSQL component retains the
> PostgreSQL licensing restrictions, The GPL restrictions do not
> supercede or replace the PostgreSQL component and there is NOTHING the
> GPL can do to change this.

I think the issue revolves around the conditions that GPL stipulates
about "linking against" libraries requiring the entire product to be
*distributed* as GPL, even if components have differing licenses. This
is the so-called "viral" clause that gets much attention!

Now as Tom pointed out, I dunno why OpenSSL suddenly gets so much
attention, but anyway, just trying to clarify why *in principle* that
Stephen F is talking about a valid *possible* interpretation of the
licensing maze...

Cheers

Mark

On 12/29/06, Stephen Frost wrote:
>
> So, Debian is distributing an application (exim4 w/ libpq & libssl)
> which includes GPL code (exim4) combined with code under another license
> (BSD w/ advertising clause) which *adds additional restrictions* (the
> advertising clause) over those in the GPL, which is against the terms of
> the GPL. It's *Debian's* problem, but *PostgreSQL* can solve it by
> providing the option to link against GNUTLS instead.

> In the case above, exim4 *can* provide an exception because it's the
> *GPL* of *exim4* which is being violated by the advertising clause in
> the *OpenSSL* license. Which exim4 upstream has *done*, and which can
> be seen in their license (linked to previously in this thread).

Considering that the problem is caused by the choice for a license so
restrictive it prohibits linking to OpenSSL, I think a license
exception in said restrictive license is exactly the right way for
Debian to solve their problem.

Jochem

On Fri, Dec 29, 2006 at 12:08:37AM -0500, Tom Lane wrote:
> Stephen, let me explain *exactly* why I think this is horsepucky.
>
> libjpeg, my other major open-source project, has always been shipped
> under a BSD-ish license that includes an "advertising" clause; I quote:
>
> : (2) If only executable code is distributed, then the accompanying
> : documentation must state that "this software is based in part on the work of
> : the Independent JPEG Group".

That's not an advertising clause, that merely asks that it be mentioned
somewhere in the documentation, which is copied along with the rest of
the code, so that's not limiting the redisitribution of anything. It
also only applies when the source is not distributed, which means for
the GPL it's a total non-issue.

The OpenSSL licence on the other hand wants any advertising material
of any application mentioning the use of SSL to include the
acknowledgement. This would include flyers printed for a conference, or
the label of the CD that contains it.

Surely you can see the difference?

> Curiously, every single GPL-license web browser in the world uses
> libjpeg. Until I see a widespread willingness to remove JPEG support in
> GPL-licensed software, and/or somebody providing a pure-GPL replacement
> for libjpeg, I am not going to take this argument seriously. There is
> exactly zero meaningful difference between the libjpeg license terms and
> the OpenSSL terms, but where is the pushback on libjpeg? I have not
> seen any, in all the years I worked on that project.

Because there is a very large, very meaningful difference.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.

* Martijn van Oosterhout (kleptog(at)svana(dot)org) wrote:
> On Fri, Dec 29, 2006 at 12:08:37AM -0500, Tom Lane wrote:
> > libjpeg, my other major open-source project, has always been shipped
> > under a BSD-ish license that includes an "advertising" clause; I quote:
> >
> > : (2) If only executable code is distributed, then the accompanying
> > : documentation must state that "this software is based in part on the work of
> > : the Independent JPEG Group".
>
> That's not an advertising clause, that merely asks that it be mentioned
> somewhere in the documentation, which is copied along with the rest of
> the code, so that's not limiting the redisitribution of anything. It
> also only applies when the source is not distributed, which means for
> the GPL it's a total non-issue.

Exactly. There isn't a "only executable code is distributed" case when
GPL code is involved so that clause wouldn't ever apply.

> Because there is a very large, very meaningful difference.

Agreed.

Thanks,

Stephen

On Fri, Dec 29, 2006 at 08:31:34PM +1300, Mark Kirkwood wrote:
> mark(at)mark(dot)mielke(dot)cc wrote:
> >I will try again. It is a difficult subject for many.
> >GPL software derived from PostgreSQL must honour the restrictions defined
> >by the PostgreSQL (BSD) license.
> >GPL software derived from OpenSSL must honour the restrictions defined
> >by the OpenSSL license.
> >What is the difference? Do you see it? You speak of "compatibility" as
> >if it means that the above are different in some technical way. They
> >are NOT different. Just because the GPL >= the PostgreSQL license,
> >does not allow you to disobey the PostgreSQL license restrictions. You
> >*cannot* release your entire derived GPL product as GPL, if it is
> >distributed with PostgreSQL. The PostgreSQL component retains the
> >PostgreSQL licensing restrictions, The GPL restrictions do not
> >supercede or replace the PostgreSQL component and there is NOTHING the
> >GPL can do to change this.
> I think the issue revolves around the conditions that GPL stipulates
> about "linking against" libraries requiring the entire product to be
> *distributed* as GPL, even if components have differing licenses. This
> is the so-called "viral" clause that gets much attention!

*nod*

This is what people are thinking. It's about direction where the grey zone
starts to occur. GPL is viral in that a GPL-derived product must be GPL.

We're not talking about including GPL code in OpenSSL, though. This is
about OpenSSL as the base library. The GPL cannot stipulate that a GPL
program may only be linked against GPL libraries, or used on a GPL
operating system, on GPL hardware. For example, if GNU coreutils is
compiled for HP-UX. This is "linking against" software that is much
more restrictive than the OpenSSL license. Is Stephen, or the people
whose opinion he is repeating, going to claim that the FSF considers
this an illegal distribution of GNU coreutils?

The GPL can only require that any product *derived* from the work
licensed with the GPL, only be derived from by products which are
themselves GPL.

I'm not that stunned that this is confusing to people. There is so much
invalid information available, and most of us try to stay away from law
as much as possible. It can be overwhelming. :-)

> Now as Tom pointed out, I dunno why OpenSSL suddenly gets so much
> attention, but anyway, just trying to clarify why *in principle* that
> Stephen F is talking about a valid *possible* interpretation of the
> licensing maze...

*nod*

Thanks for the input.

Cheers,
mark

--
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
. . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
|\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
| | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada

One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...

http://mark.mielke.cc/

On Fri, Dec 29, 2006 at 09:52:08AM -0500, mark(at)mark(dot)mielke(dot)cc wrote:
> > I think the issue revolves around the conditions that GPL stipulates
> > about "linking against" libraries requiring the entire product to be
> > *distributed* as GPL, even if components have differing licenses. This
> > is the so-called "viral" clause that gets much attention!

> We're not talking about including GPL code in OpenSSL, though. This is
> about OpenSSL as the base library. The GPL cannot stipulate that a GPL
> program may only be linked against GPL libraries, or used on a GPL
> operating system, on GPL hardware. For example, if GNU coreutils is
> compiled for HP-UX. This is "linking against" software that is much
> more restrictive than the OpenSSL license. Is Stephen, or the people
> whose opinion he is repeating, going to claim that the FSF considers
> this an illegal distribution of GNU coreutils?

No, because that falls under the "operating system" exception.
Additionally, "linking against" is no problem. It's *distributing* the
"linked against" version that gets you in trouble.

The GPL doesn't care about *use*, only about distribution.

> The GPL can only require that any product *derived* from the work
> licensed with the GPL, only be derived from by products which are
> themselves GPL.

Correct. Additionally it can require that when you *distribute* that
compiled GPL program (the compiled version being a derived work of the
source), you provide the source to all the libraries used while running
it (barring the operating system exception). It couldn't care less what
licence is used by those libraries, as long as that licence is
compatable with the requirements the GPL has of the source (which is
not that the source must be GPL.

> I'm not that stunned that this is confusing to people. There is so much
> invalid information available, and most of us try to stay away from law
> as much as possible. It can be overwhelming. :-)

The reason this issue is confusing is because it's nobodies fault.
PostgreSQL by itself, no problem. Exim by itself, no problem. OpenSSL,
by itself, no problem. It's only when Debian want's to *distribute* a
compiled version of Exim linked against libpq while simultaneously
complying with all the licences.

Now Exim has granted an exception that gets Debian off the hook, but
they didn't have to do that.

> > Now as Tom pointed out, I dunno why OpenSSL suddenly gets so much
> > attention, but anyway, just trying to clarify why *in principle* that
> > Stephen F is talking about a valid *possible* interpretation of the
> > licensing maze...
>
> *nod*

OpenSSL is a very different beast and one of very very few packages
with this problem. See my other message.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.

* mark(at)mark(dot)mielke(dot)cc (mark(at)mark(dot)mielke(dot)cc) wrote:
> GPL software derived from PostgreSQL must honour the restrictions defined
> by the PostgreSQL (BSD) license.
>
> GPL software derived from OpenSSL must honour the restrictions defined
> by the OpenSSL license.

You're talking about GPL software as if it's an entity to which licenses
can be granted and that's just not the case. Licenses are granted to
invidividuals and it's certainly possible that a license can say "You
can distribute this code all you want, except if you put xyz on the same
CD as this code, because I don't like xyz". It's not at all uncommon
for licenses to be incompatible because when all is said and done all of
the licenses involved in a given applicaiton must be satisfied for the
application to be distributed.

In other words, to distribute exim4 the licenses of the following pieces
must all be satisfied:
exim4 itself (GPL)
libc6 (LGPL)
- tzdata ('public domain')
libdb4.3 (Kind of a BSD/GPL mix - Sleepycat, and newBSD for some parts)
libgnutls13 (LGPL)
- libgcrypt11 (LGPL, GPL for documentation)
- libgpg-error0 (LGPL)
- liblzo1 (GPL)
- libopencdk8 (GPL)
- libtasn1-3 (LGPL)
- zlib1g (BSDish)
libldap2 (BSDish - OpenLDAP, LGPL, BSDish - CRL, FSF Makefile.in,
BSDish - HC, BSDish - IBM, IS RFC license, BSDish - ISC, BSDish - JC,
BSDish - MA, BSDish - MIT, BSDish - PM, BSD w/ advertising clause from
UoC with a note that the advertising clause was retroactively removed
by UoC, BSD - UoC, BSDish - UoM with clarification from the OpenLDAP
foundation)
- libsasl2 (BSDish)
libmysqlclient15off (GPL)
- mysql-common (GPL)
libpam0g (BSDish)
- libpam-runtime (BSDish)
libpcre3 (BSDish or GPL if embedded with GPL software)
libperl5.8 (GPL or Artistic)
- perl-base (GPL or Artistic)
libpq4 (BSD)
- libcomerr2 (BSDish)
- libkrb53 (BSDish)
- libssl0.9.8 (BSD w/ advertising clause)
libsasl2-2 (BSDish)
- libdb4.4 (Kind of a BSD/GPL mix - Sleepycat, and newBSD for some
parts)
libsqlite3-0 ('public domain')
debconf (BSDish)

If any of these aren't satisfied then the resultant work can't be
distributed (that's the way copyright works, by default you have no
rights, at least here anyway, aiui).

> What is the difference? Do you see it? You speak of "compatibility" as
> if it means that the above are different in some technical way. They
> are NOT different. Just because the GPL >= the PostgreSQL license,
> does not allow you to disobey the PostgreSQL license restrictions. You

I never said anything about obeying or disobeying the PostgreSQL
license.

> *cannot* release your entire derived GPL product as GPL, if it is
> distributed with PostgreSQL. The PostgreSQL component retains the
> PostgreSQL licensing restrictions, The GPL restrictions do not
> supercede or replace the PostgreSQL component and there is NOTHING the
> GPL can do to change this.

An application can be released under more than one license. The GPL
understands this and doesn't say "everything must be GPL!", it says that
those other licenses can't add any restrictions *beyond* those in the
GPL. The PostgreSQL license doesn't, so there isn't a problem with
combining Postgres (by itself) and GPL programs.

> > > It's silliness. If you redistribute OpenSSL, you honour the OpenSSL
> > > requirements. That's the *only* requirement by copyright law. It doesn't
> > > matter if it is GPL on top, or not. You always honour each license.
> > The GPL says you can't combine GPL code with code which has additional
> > requirements and then distribute the result.
>
> The GPL *cannot* say this. The GPL *cannot* define how OpenSSL can or
> cannot be used. Only the OpenSSL license can define how OpenSSL is
> allowed to be distributed or used once distributed.

Yeah, uh, licenses can say pretty much whatever they want and if you
don't follow them then you're not allowed to distribute it, that's the
way it works. The GPL doesn't define how OpenSSL can be distributed,
no, but what it *does* say (which it certainly can) is that you can't
distribute the *GPL* code when combined with the *OpenSSL* code, and
since the application is comprised of both you're SOL.

> You are looking at it from the wrong direction. The GPL can prevent
> *GPL-derived* works from being non-GPL. The GPL CANNOT prevent one
> from deriving from non-GPL works. Take some time to read this a few
> times if you need to. The difference is HUGE.

You're trying to make a distinction that the direction of the dependency
makes a difference. The problem is that there is no 'direction'. The
resulting application is built from both, and the resulting application
is what we're talking about. It doesn't matter that OpenSSL is lower or
higher on the call stack.

> It would be ridiculous for it to be different. If it was different, it
> would require all software to have exactly equivalent licenses in
> order to be integrated. Insanity. Any lawyer who would claim this
> should lose their license to practice law.

No, not equivalent, compatible, exactly as I said previously and showed
above. If I purchase the rights to three books under three different
licensing agreements and then combine them, verbatim, into a larger
book, you think that I don't have to follow the licenses under which I
obtained the rights to distribute them? What if those licenses say "you
can't distribute this work as part of another work"? You think I can
just ignore that? The only reason I have any rights at all is because
of the license which grants me the rights, and that license can dictate
the terms of that grant.

> I'll state again - there is no such thing as *compatibility* in the
> sense you are using it. If they were fully compatible, they would have
> the exact same effect. The PostgreSQL license is *not* compatible with
> GPL in the sense that they can be interchanged. Read the following
> snip from the PostgreSQL license, which is incompatible with the GPL
> license:

Being compatible certainly doesn't require they have the same effect, it
just requires that a work comprised of both can be distributed in such a
way as to satisfy the requirements of both.

> "Permission to use, copy, modiy, and distribute ... provided that
> the above copyright notice and this paragraph and the following two
> paragraphs appear in all copies."
>
> A distribution that includes GPL software and PostgreSQL software *must*
> include both the GPL license, and the PostgreSQL license. This is an
> additional "incompatible" restriction with the GPL. The advertising
> clause of the OpenSSL license is a second such restriction. It is not
> the first such restriction as some people are trying to make it appear.

Right, the GPL says you have to include the license, so including the
license for PostgreSQL *isn't* a new restriction that the GPL doesn't
have. The problem is *exactly* that the OpenSSL license has a
restriction above and beyond that.

> > So, Debian is distributing an application (exim4 w/ libpq & libssl)
> > which includes GPL code (exim4) combined with code under another license
> > (BSD w/ advertising clause) which *adds additional restrictions* (the
> > advertising clause) over those in the GPL, which is against the terms of
> > the GPL. It's *Debian's* problem, but *PostgreSQL* can solve it by
> > providing the option to link against GNUTLS instead.
>
> There is no problem above. Debian must honour all licenses for all
> software components. There is no need for an exemption, or an OpenSSL

Exactly! We have to honor them *all*, and it makes no difference the
order in which things appear.

> exception clause. If OpenSSL is included within Debian, than the
> Debian distribution should include an attribution to it in the Debian
> documentation, and the OpenSSL LICENSE file should be stored somewhere
> in the file system.

Certainly.

> If there is a problem, feel free to describe the actual points of
> conflict, using wording from the licenses itself. You are talking
> about a theoretical issue that I you have not shown to exist. Drawing
> ascii pictures doesn't substantiate your claim. The choice to use the
> GPL as the license for a product cannot stop the product from being
> derived from a non-free work. Richard Stallman's virus cannot prevent
> people from using non-GPL base software. He can *ONLY* prevent people
> from deriving from GPL software. Again, read this a few
> times. Legally, it can only go in one direction.

The issue is that the application is exactly that derivation which
combines both GPL code and code under other licenses (which needs to
then be GPL compatible or the resulting application can't be
distributed).

> If Richard Stallman wants to say that no part of his GNU system will
> make use of non-GPL software, that is his choice. He cannot tell the
> authors of other software what they can or cannot derive from. Only
> the license of the product being derived from can tell the author
> what they are allowed to do. Richard Stallman / GPL is not in the
> picture.
>
> The truth here, as I see it, is that Richard Stallman wants people
> who use the GPL, to believe in his political ideal, and choose to
> only use GPL software wherever possible, to allow his agenda to be
> achieved as quickly as possible. For GPL software to be legally
> derived from non-GPL software prevents his political ideal from
> ever being fully achieved. This is why people are trying to make
> open source hardware, and open source drivers for hardware. The
> dream is to have a complete software stack that is all guaranteed
> to be free to use, and free to derive from. It really is a dream.
>
> I don't share this dream.

I couldn't care less two whits about what Stallman wants, honestly. The
issue I'm trying to deal with is that Debian, being perhaps overly
cautious as they tend to be, has an interpretation (which makes quite
reasonable sense to me anyway) of the GPL which makes GPL applications
using OpenSSL a problem. While we've been working to get authors of
such applications to add exeptions for OpenSSL, projects which provide
the option to use GNUTLS can reduce the amount of work considerably.

> > > 2) Explicitly stating an OpenSSL "exception" is not a legal requirement.
> > > It is not possible for any derived product to "except" conditions
> > > for OpenSSL. OpenSSL defines its *own* license. You cannot modify it,
> > > which means that the GPL cannot reduce its significance, nor can an
> > > explicit exception claus increase its significance. OpenSSL
> > > distribution rights are defined by the OpenSSL license. Full stop.
> > In the case above, exim4 *can* provide an exception because it's the
> > *GPL* of *exim4* which is being violated by the advertising clause in
> > the *OpenSSL* license. Which exim4 upstream has *done*, and which can
> > be seen in their license (linked to previously in this thread). There
> > are a number of other GPL'd applications which have done this, mostly
> > (if not completely) at the prodding of Debian (bacula being another
> > which comes to mind).
>
> No. It's because of the FUD surrounding the issue. People would rather
> submit, and write an exception clause, than argue, or risk having to
> square off against a lawyer. Existence of the clause does not prove that
> the clause is necessary, or that it has any legal weight. It only proves
> that one or more people were convinced that it wouldn't hurt.
>
> I think it hurts everyone to submit to FUD, no matter if the FUD is
> from Microsoft, or from the FSF. I believe that people should be making
> choices based on knowledge, and understanding, than because of fear or
> uncertainty.

I really have no idea where you get the idea that there is FUD going on.
FUD means that there's some implication of risk on the person being
asked to do something. That's simply not the case here- there's no risk
to PostgreSQL, or to exim4 in the above case, or pretty much to anyone
except distributions like Debian and even that's pretty minimal.
Debian's certainly not going around saying "if you don't do this,
lawyers will come after you!" because it doesn't make any *sense*. It's
more like "if you don't do this then we're worried you might some day
decide to sue us over it". While the exim or other folks might have
decided it's easier to just add the exception than to argue over it that
doesn't imply there was FUD involved.

> > > Exception clause or not, every author of a derived works that makes
> > > use of it, should understand their *obligation* to honour any and
> > > all licenses for any derived software. GPL, LGPL, OpenSSL, Apache,
> > > whatever. The exception clause is making this obvious. It has no
> > > legal weight.
> > Given that I think your premise above is wrong I won't bother argueing
> > against conclusions you draw from it.
>
> Where are the words in the GPL that you think make your case? I haven't
> seen them in this thread. I've seen references to the thinking of other
> people, mostly people who have an FSF agenda to maintain. Where are the
> words? Is it all hearsay?

b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
...
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote
it.

Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.

> > > No. The GPL is allowed to do whatever it wants. What it wants, is to
> > > achieve Richard Stallman's vision of software communism. What the GPL
> > > cannot do is say whether you can, or cannot use OpenSSL. Only OpenSSL
> > > can say whether you can or cannot use OpenSSL.
> > This isn't about whether you can use or cannot use OpenSSL. It's about
> > if you're allowed to distribute GPL applications which are linked to
> > OpenSSL without violating the terms of the GPL. *This is not about
> > distributing OpenSSL*.
>
> It is ONLY about distributing OpenSSL. GPL applications can CERTAINLY
> link against a legally distributed and used OpenSSL without violating
> the GPL.

Uhm, yeah, so, no, that'd be exactly the problem, heh.

> I think you are confusing the intent of Richard Stallman in authoring
> the GPL, with any legal weight the GPL actually has. One is about the
> dream. The other is about what the countries we live in, allow to be
> written on paper.

I think you're confusing the issues. :)

> Find words in the GPL that prevent one from choosing to use the GPL as
> the license for your software, even if your software legally links
> against a non-GPL product. I assume you are aware that GPL software is
> often compiled using proprietary compilers and linkers, and linked
> with proprietary system libraries, and executed on proprietary
> operating systems, running on proprietary hardware. Will you claim
> that this violates the GPL as well?

The GPL has an explicit exception for this, as I mentioned previously..
Given the nature of Debian I don't think it'd work for them though.

> > > They're entirely different discussions. One is about politics. One is
> > > about practical application.
> > >
> > > With regard to practical application, I agree with you.
> > >
> > > With regard to giving in to legal FUD, I feel it is my duty to stand up
> > > to it as best as I can, to prevent it from becoming widely accepted.
> > > Nothing personal, and we're both entitled to our own opinions on the matter.
> > > You expressed yours. I've expressed mine. Hopefully truth is found from
> > > the reading of both.
>
> > The problem is that you're not standing up to FUD, you seem to be
> > arguing about something completely seperate from the issue that I've
>
> I am *only* standing up to the FUD. Your points a), and b) below are
> practical issues. The FUD is about people repeating fear and uncertainty
> to open source project mailing lists all over the world.

While I appriciate your enthusiasm to counter FUD, I'm pretty much
convinced that it's rather misplaced here.

> On practical issues, my opinion might be quite different. I'll offer
> them below, although after how you've responded to my other opinions,
> I'll assume you might not care to read them... :-)

<Shrug>

> > brought up. I can understand Tom's point, or Andrew's point, that this
> > might not be an issue because of any number of reasons which might
> > include:
> > a) technically the program isn't linked till it's own the user's
> > computer (personally I don't feel that removes the GPL
> > requirements though I've heard it claimed)
>
> My opinion: If distributed in binary form, than the distribution
> itself must obey the OpenSSL restrictions. This includes ensuring that
> documentation for the distribution includes an attribution to the
> OpenSSL project, and ensuring that the OpenSSL license is included
> in the distribution.
>
> If the user downloads PostgreSQL and OpenSSL separately, and then uses
> both legally, linking them together, no distribution has occurred. As
> copyright law is about distribution, copyright law cannot prevent one
> from linking the pieces together at compile time or run time. If the
> user distributes the binary image, then this goes back to the previous
> paragraph.
>
> Some lawyer might be able to convince a judge that PostgreSQL requires
> OpenSSL to operate, and therefore, PostgreSQL is a fully derived work,
> and not including OpenSSL does not free the PostgreSQL owners of
> responsibility. The case seems pretty shaky, though, and OpenSSL is
> not a required component of PostgreSQL.

I'm not advocating this, heh. This hasn't got anything to do w/
distributing PostgreSQL or OpenSSL by themselves but rather distributing
them when combined with a GPL licensed application.

> > b) The GPL application doesn't link *directly* to OpenSSL and the level
> > of indirection means the GPL application doesn't *depend* on OpenSSL,
> > which means it's not a derivative (imv, this isn't very far removed
> > from 'a', but I can see some distinction)
>
> My opinion: Not different from 'a' at all. GPL applications can be
> legally derived from non-GPL applications. The license restriction of
> the product that is being derived from determine whether the
> derivation is legal or not. Richard Stallman doesn't want people to do

Exactly, GPL code and non-GPL code can end up in the same binary but to
be legally distributed the licenses of both have to be satisfied.

> this, because it hurts his cause, but legally, he can't stop them,
> as it is a necessary part of life with software. The product is always
> derived from at least one non-GPL product, even if only the hardware
> that it sits on. That is, until the FSF achieves its agenda of having
> a 100% GPL system....

As I mentioned, the GPL has an explicit exception for the OS:
However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

The reason this doesn't really work for Debian is that the whole thing
is distributed together, not seperately (at least in some cases).

> > c) Authors of GPL code are very unlikely to prosecute such a claim
> > since OpenSSL *is* OSS and does abide by the DFSG (I wonder if the
> > FSF might find someone some day willing to, though they might not be
> > insterested due to possible bad press, who knows...)
>
> My opinion: This usually takes the form of 1) somebody forgetting to
> honour a part of the license, 2) somebody pointing it out, 3) somebody
> grudingly obeying. This might be a GPL-derived product that was released
> from the authors as binary only, where the software is grudingly released
> upon request (perhaps request by the FSF). This might be an OpenSSL-derived
> product that was released from the authors without attributing OpenSSL
> in the documentation, in which case they add a note in the documentation.
> This could be a BSD-derived product that forgets to include a copy of
> the BSD license in the distribution, in which case the license is
> grudingly added back.
>
> It doesn't matter what the license is. People know they should honour
> the license. Ignorance is not an excuse. Choosing to ignore the license
> is not honourable.

heh, and that's exactly what Debian is trying it's best to do.

> > d) PostgreSQL can be configured to not use SSL when it ships and
> > therefore as shipped there isn't a problem (again, kind of a stretch)
>
> This goes back to a). If the distribution includes OpenSSL, it must
> honour the OpenSSL license. If PostgreSQL is not shipped with OpenSSL,
> but allows it to be linked with OpenSSL, than the responsibility is
> moved to the person who links the application and redistributes the
> linked application. If the end user does it, then it is not a
> redistribution, so copyright law cannot apply.

Sure, but Debian does it and then distributes the results and so has to
deal with all of the licenses, and, yes, how they interact with each
other.

> > e) The GPL doesn't apply to shared library linking
>
> My opinion: I don't think this is true. LGPL doesn't apply to shared
> library linking. GPL does.

I don't think it's true either, I was listing reasons why some might
feel this isn't an issue (and noting that your claims weren't among
them).

> > f) The OpenSSL falls under the 'distributed with the OS' clause of the
> > GPL and therefore it isn't a problem that there are additional
> > restrictions in its license (probably the most practical argument,
> > but not sure it'd hold up when that'd basically make all of Debian
> > exempt since it can all be considered 'part of the OS'...)
>
> My opinion: Same as a). The responsibility is moved to the distributor.
> The OS distribution must honour the license.

Exactly, that's what Debian's trying to do.

> > Your comments above about a PostgreSQL obligation just don't make sense
> > and so I have to conclude that you don't understand the issue, which may
> > be my fault for not explaining it clearly enough but there's only so
> > much I can do.. Hopefully this will help...
>
> I think we've both concluded that the other person doesn't understand the
> issue. Although it may be clear to you or I that the other is wrong, I
> think the strength of the arguments will stand on their own as to whether
> other people choose to believe you, I, or some third interpretation.

In the end I'd have to defer to the folks on debian-legal and the Debian
ftpmasters and mirror operators. In the end I think that their
interpretation is the correct one but I wasn't the one who originally
thought this all through.

> I've tried not to be presuming. I ask of you the same.

Sorry for being presuming but I'm honestly suprised that there was
really a question about what happens when a GPL application is combined
with other non-GPL code. I suppose being part of Debian I've gotten
used to people being familiar with Debian's take on it.

Thanks,

Stephen

* Martijn van Oosterhout (kleptog(at)svana(dot)org) wrote:
> On Fri, Dec 29, 2006 at 09:52:08AM -0500, mark(at)mark(dot)mielke(dot)cc wrote:
> > We're not talking about including GPL code in OpenSSL, though. This is
> > about OpenSSL as the base library. The GPL cannot stipulate that a GPL
> > program may only be linked against GPL libraries, or used on a GPL
> > operating system, on GPL hardware. For example, if GNU coreutils is
> > compiled for HP-UX. This is "linking against" software that is much
> > more restrictive than the OpenSSL license. Is Stephen, or the people
> > whose opinion he is repeating, going to claim that the FSF considers
> > this an illegal distribution of GNU coreutils?
>
> No, because that falls under the "operating system" exception.
> Additionally, "linking against" is no problem. It's *distributing* the
> "linked against" version that gets you in trouble.
>
> The GPL doesn't care about *use*, only about distribution.

Right, if you actually distributed GNU coreutils *and* HP-UX together as
an application, then, yes, that'd be a violation because of the
additional restrictions put on the result by the HP-UX license. If you
distributed GNU coreutils by itself but compiled to run on HP-UX systems
then that's *not* a violation because the HP-UX code isn't being
distributed as part of the application, even though it's linked against
on the resultant system.

> > The GPL can only require that any product *derived* from the work
> > licensed with the GPL, only be derived from by products which are
> > themselves GPL.
>
> Correct. Additionally it can require that when you *distribute* that
> compiled GPL program (the compiled version being a derived work of the
> source), you provide the source to all the libraries used while running
> it (barring the operating system exception). It couldn't care less what
> licence is used by those libraries, as long as that licence is
> compatable with the requirements the GPL has of the source (which is
> not that the source must be GPL.

Right.

> > I'm not that stunned that this is confusing to people. There is so much
> > invalid information available, and most of us try to stay away from law
> > as much as possible. It can be overwhelming. :-)
>
> The reason this issue is confusing is because it's nobodies fault.

Yeah. :( Makes it more frustrating when trying to explain it to people
too.. "It's nothing you did, but..."

> PostgreSQL by itself, no problem. Exim by itself, no problem. OpenSSL,
> by itself, no problem. It's only when Debian want's to *distribute* a
> compiled version of Exim linked against libpq while simultaneously
> complying with all the licences.

(and then having libpq linked against OpenSSL)

> Now Exim has granted an exception that gets Debian off the hook, but
> they didn't have to do that.

Right. If they didn't then it's conceivable that Exim could sue Debian
for violating the GPL license. Not exactly likely to happen but being
cautious it's best to get their explicit approval rather than playing
the "well, we'll just wait and see if they sue us" game.

> > > Now as Tom pointed out, I dunno why OpenSSL suddenly gets so much
> > > attention, but anyway, just trying to clarify why *in principle* that
> > > Stephen F is talking about a valid *possible* interpretation of the
> > > licensing maze...
> >
> > *nod*
>
> OpenSSL is a very different beast and one of very very few packages
> with this problem. See my other message.

Yup. Thankfully... It'd be quite the headache if there were alot of
cases like this. :/

Thanks,

Stephen

Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> On Fri, Dec 29, 2006 at 12:08:37AM -0500, Tom Lane wrote:
>> libjpeg, my other major open-source project, has always been shipped
>> under a BSD-ish license that includes an "advertising" clause; I quote:
>>
>> : (2) If only executable code is distributed, then the accompanying
>> : documentation must state that "this software is based in part on the work of
>> : the Independent JPEG Group".

> That's not an advertising clause,

That's not a fact, that's an opinion, and unless you're a lawyer who's
studied the matter, I don't think your opinion carries much weight.
Admittedly mine doesn't either --- but the point here is that it's
extremely debatable whether there is any real difference between OpenSSL
and other projects that no one is complaining about.

regards, tom lane

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Martijn van Oosterhout <kleptog(at)svana(dot)org> writes:
> > On Fri, Dec 29, 2006 at 12:08:37AM -0500, Tom Lane wrote:
> >> libjpeg, my other major open-source project, has always been shipped
> >> under a BSD-ish license that includes an "advertising" clause; I quote:
> >>
> >> : (2) If only executable code is distributed, then the accompanying
> >> : documentation must state that "this software is based in part on the work of
> >> : the Independent JPEG Group".
>
> > That's not an advertising clause,
>
> That's not a fact, that's an opinion, and unless you're a lawyer who's
> studied the matter, I don't think your opinion carries much weight.

It doesn't say "All advertising materials ...", that makes it quite
different from the OpenSSL clause. It also has the 'if only executable
code is distributed' conditional, which the OpenSSL clause doesn't.
Sure, I'm not a lawyer, but I'd have a hard time believing the two
clauses so similar as to have the exact same effect with such
differences.

> Admittedly mine doesn't either --- but the point here is that it's
> extremely debatable whether there is any real difference between OpenSSL
> and other projects that no one is complaining about.

Each case is different and is considered seperately. I'm pretty
sure that the libjpeg case has been considered and was found to not be a
problem. While perhaps more cautious than most, Debian isn't actually
out to make all the world GPL or to attempt to brow-beat everyone into
following Stallman. We'd be perfectly happy for OpenSSL to just drop
that clause but otherwise leave the license as BSDish, or even to change
it to a clause such as that above (though if they can change the license
at all, seems like it'd be best to just drop it, but whatever). Were
that to happen we'd stop caring about using GNUTLS (at least, as a
project).

Thanks,

Stephen

On 12/29/06, Stephen Frost wrote:
> In the case above, exim4 *can* provide an exception because it's the
> *GPL* of *exim4* which is being violated by the advertising clause in
> the *OpenSSL* license. Which exim4 upstream has *done*, and which can
> be seen in their license (linked to previously in this thread).

My question is whom is going to sue whom? And if so would they win? And if
they win, will they win a crippling amount?

Will the folks at exim sue? Not likely, they make free software that is
DESIGNED to work with OpenSSL.

"Exim can be built to support encrypted SMTP connections... Before you can do
this, you must install the OpenSSL library, which Exim uses for this purpose."

Will they win if they sue? Not likely, there are probably lots of long legal
terms (like latches, estoppal) that can be used in a defense. You can't go and
build software specifically designed to use something, and over the course of
years dupe people into using it only to go, ta-da, busted for "additional GPL
restrictions".

And even if you succeed in this, you're not going to win big bucks. Perhaps
you can simply prevent people from using your software. Given that using your
software in the form you distribute it requires openssl, and you've sued
people for using openssl with it, it's likely *no one* is going to use your
software. And if you continue to dupe people into using your software and then
suing them, you'd run some legal risks yourself.

I mean, the theory of this legal case that debian people build seems terrible
to me!

Any case with this many highly unlikely AND clauses and such horrible outcomes
for everyone seems unlikely to happen AND be won AND result in significant harm.

If you don't like the advertising clause of openssl that is fine, avoid using
software that uses it etc etc. But I think the debian hype of various forms of
legal jeopardy goes a bit far, and does smell a bit FUDish.

Fun to follow though. And if there is a nice implementation of GNUTLS that
succeeds on the technical merits, no objection there either.

- August

> > Now Exim has granted an exception that gets Debian off the hook, but
> > they didn't have to do that.
> Right. If they didn't then it's conceivable that Exim could sue Debian
> for violating the GPL license. Not exactly likely to happen but being
> cautious it's best to get their explicit approval rather than playing
> the "well, we'll just wait and see if they sue us" game.

This is pure FUD, and unacceptable if spoken from a position of
authority. State what you think this theoretical case would be. At
least if you picked GPL including closed source code, you might be
able to claim that the resulting derived work was not distributed
complete with source code. OpenSSL, however, is open source. The only
possible complaint could be "you failed to advertise OpenSSL in the
resulting distributed image", which would be a correct observation,
easily corrected by the inclusion of a note in the documentation for
the distributed software unit that includes both pieces of software.
This correction is an existing requirement for any software
distribution that includes OpenSSL, It is an acceptable, and easily
honoured requirement.

Anybody who has a problem admitting that their software distribution
includes OpenSSL software in their documentation, has no sympathy from
me. Attribution is an acceptable right to enforce under copyright law,
and an honourable practice with or without a licensing requirement
explicitly stating this as a requirement.

Caution to the point of fantasy is a waste of resources. Caution to
further a political agenda (not you - but the people whose opinions you
are repeating) is exploitation.

I am unable to find a single clause in the GPL (which I have analyzed
many years ago, but also re-read several times in the last two days)
that would make it impossible to satisfy all of the GPL, PostgreSQL
(BSD) license, and the OpenSSL license at the same time. Every single
clause of all three licenses can be easily satisfied without conflict.
Those of you who are claiming otherwise, have failed to point to a
single phrase in the GPL that could not be satisfied when distributing
all three pieces of software as a single unit. Without a single point
of true conflict between all three licenses, I do not accept that
there is any case to require an OpenSSL exemption clause for
Debian. Those who are doing so are doing a disservice to everyone by
contributing to the general confusion on this subject. The clause is
not required. The clause has no effect.

To distribute a software unit that includes software from all of a
GPL product, PostgreSQL, and OpenSSL, one needs only do the following:

1) Documentation for the software unit should include documentation
to describe that the software includes OpenSSL.

2) The distribution of the software unit should include a text copy
of all three licenses.

3) Source code for the entire unit should be provided. I don't believe
the FSF can legally enforce this requirement, however, with
GPL + PostgreSQL + OpenSSL, there is *NO* conflict. The source code
for all three can be made available upon request, or contained within
the distribution.

4) Various other minor points, such as the requirement that changes
are dated and such. None of which conflict between the three licenses.

To state again. There is *NO* conflict between the licenses. The terms
of each can be fulfilled completely, and separately, without
invalidating each other. Those who claim otherwise need to point to a
specific requirement from one of the licenses that would prevent it
from being used. They cannot, because such a point does not
exist. Ascii pictures. Hearsay. Confusion regarding existing practice
or existing thoughts on the matter. No single point of conflict has
been raised. The GPL does not state that "GPL software may not derive
from software that has an advertising clause." Considering that this
is the primary point raised by people, it is ironic that the GPL has
no such restriction.

Be honest about it. *You* don't like the advertising clause. The GPL
has nothing to say on the issue, and therefore is *NOT* in conflict
with it.

This thread has re-enforced my conclusion that the GPL is a poor choice
of license for any product I ever work on in the future. A decade ago,
as a teenager, I thought it was cool to put GPL on the software that I
made available to the world. I felt like I was part of something bigger.
Now I just feel disgusted. The GPL is not about freedom. It is about
enforcing a world view on all who use your software.

Thank you PostgreSQL contributors for choosing the BSD style. I think
it was an excellent choice.

This is my last contribution to this thread. I've said my piece. Note
that I don't intend to convert all of you. As this issue is primarily
political, people will have a tendency to stay with their own camp,
regardless of what is said. We all have a tendencies to read each others
words, looking only for fault in what is said, purposefully choosing not
to assimilate the other persons contribution. It's called the "I am right
you are wrong" syndrome, and I'm not exempt from it.

I hope I provided value to this discussion. If not, I apologize.

Cheers,
mark

--
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
. . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
|\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
| | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada

One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...

http://mark.mielke.cc/

* mark(at)mark(dot)mielke(dot)cc (mark(at)mark(dot)mielke(dot)cc) wrote:
> > > Now Exim has granted an exception that gets Debian off the hook, but
> > > they didn't have to do that.
> > Right. If they didn't then it's conceivable that Exim could sue Debian
> > for violating the GPL license. Not exactly likely to happen but being
> > cautious it's best to get their explicit approval rather than playing
> > the "well, we'll just wait and see if they sue us" game.
>
> This is pure FUD, and unacceptable if spoken from a position of
> authority. State what you think this theoretical case would be. At

I've made it clear previously, but sure, why not. The case would be
something along the lines of Exim sueing Debian for building a
derivative (Exim w/ OpenSSL) which violated the terms of distribution of
Exim (GPL) which means Debian would be breaking copyright law by
distributing the resulting application.

With copyright law you have to show that you *have* the right, and
anything which is done against the license which gives you that right
which nullifies the license means you don't get to distribute the work,
at all. There's really not a whole lot more to it than that, and
there's nothing FUDdy about it.

> least if you picked GPL including closed source code, you might be
> able to claim that the resulting derived work was not distributed
> complete with source code. OpenSSL, however, is open source. The only

The GPL requires more than just being 'open source'.

> possible complaint could be "you failed to advertise OpenSSL in the
> resulting distributed image", which would be a correct observation,

No, a complaint could be "you didn't honor the terms of the GPL under
which you received the rights to distribute the work."

> easily corrected by the inclusion of a note in the documentation for
> the distributed software unit that includes both pieces of software.
> This correction is an existing requirement for any software
> distribution that includes OpenSSL, It is an acceptable, and easily
> honoured requirement.

Yet *having* that requirement on a *derived work* which includes GPL
code is *against* the terms of the GPL. That's *exactly* the issue.
The GPL says more than "you must provide the source code to everything",
it explicitly includes a requirement that no additional restrictions be
put on the derivative (lest requirements for no-additional-distribution
or must-charge-for-other-distribution be added which defeats much of the
point of the GPL).

> Anybody who has a problem admitting that their software distribution
> includes OpenSSL software in their documentation, has no sympathy from
> me. Attribution is an acceptable right to enforce under copyright law,
> and an honourable practice with or without a licensing requirement
> explicitly stating this as a requirement.

That's nice, it's got nothing to do with the conversation at hand, and
might even be FUD based on how you've used that term previously. :)
It's certainly rather frustrating to get these constant attacks during
this conversation where you put up something I'm not advocating and then
say "only bad people would say such things!"

> Caution to the point of fantasy is a waste of resources. Caution to
> further a political agenda (not you - but the people whose opinions you
> are repeating) is exploitation.

I don't believe Debian has any kind of political agenda in this regard.
Debian's agenda is to follow the licenses as best it can. While that
may go beyond what others feel like doing it's a good goal to have.

> I am unable to find a single clause in the GPL (which I have analyzed
> many years ago, but also re-read several times in the last two days)
> that would make it impossible to satisfy all of the GPL, PostgreSQL
> (BSD) license, and the OpenSSL license at the same time. Every single
> clause of all three licenses can be easily satisfied without conflict.
> Those of you who are claiming otherwise, have failed to point to a
> single phrase in the GPL that could not be satisfied when distributing
> all three pieces of software as a single unit. Without a single point
> of true conflict between all three licenses, I do not accept that
> there is any case to require an OpenSSL exemption clause for
> Debian. Those who are doing so are doing a disservice to everyone by
> contributing to the general confusion on this subject. The clause is
> not required. The clause has no effect.

Well, I pointed it out to you before but you seem to have happily
ignored it so I'll provide it again here, perhaps more clearly:

---
But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote
it.
---

---
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
---

There you have it. "You may not impose any further restrictions on the
recipients' exercise of the rights granted herein." That's exactly what
the OpenSSL advertising clause does- imposes a further restriction on
the execricse of the rights granted. That's exactly what makes
distributing a whole (comprised of both GPL'd code and OpenSSL) which
grants the permissions for other licensees in the GPL without further
restriction impossible.

> been raised. The GPL does not state that "GPL software may not derive
> from software that has an advertising clause." Considering that this
> is the primary point raised by people, it is ironic that the GPL has
> no such restriction.

Erm, it doesn't need one, it's got a blanket statement, as quoted above.

> Be honest about it. *You* don't like the advertising clause. The GPL
> has nothing to say on the issue, and therefore is *NOT* in conflict
> with it.

See above, heh.

> This thread has re-enforced my conclusion that the GPL is a poor choice
> of license for any product I ever work on in the future. A decade ago,
> as a teenager, I thought it was cool to put GPL on the software that I
> made available to the world. I felt like I was part of something bigger.
> Now I just feel disgusted. The GPL is not about freedom. It is about
> enforcing a world view on all who use your software.

Yay, so you don't like the GPL, doesn't sound like it's got alot to do
with what I like or don't after all. :)

> Thank you PostgreSQL contributors for choosing the BSD style. I think
> it was an excellent choice.

I'm a fan of newBSD (w/o the advertising clause) myself, actually. :)

Thanks,

Stephen

> > Caution to the point of fantasy is a waste of resources. Caution to
> > further a political agenda (not you - but the people whose opinions you
> > are repeating) is exploitation.
>
> I don't believe Debian has any kind of political agenda in this regard.
> Debian's agenda is to follow the licenses as best it can. While that
> may go beyond what others feel like doing it's a good goal to have.

Actually everything about Debian (the project) is a political agenda.
That doesn't mean that it is invalid though.

That being said, this topic is WAY OFF-TOPIC for the discussion. The
discussion is:

Will we accept GNU TLS.

Currently there has not been one technical argument that is valid to
have us include GNU TLS.

Now is their a legal argument? Maybe, but until an *attorney* states
that there is an issue this is all m00t.

Speaking of which I am going to bounce of to SPI and see if we can get
an actual answer to this.

Sincerely,

Joshua D. Drake

--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* August Zajonc (augustz(at)augustz(dot)com) wrote:
> On 12/29/06, Stephen Frost wrote:
> > In the case above, exim4 *can* provide an exception because it's the
> > *GPL* of *exim4* which is being violated by the advertising clause in
> > the *OpenSSL* license. Which exim4 upstream has *done*, and which can
> > be seen in their license (linked to previously in this thread).
>
> My question is whom is going to sue whom? And if so would they win? And if
> they win, will they win a crippling amount?
>
> Will the folks at exim sue? Not likely, they make free software that is
> DESIGNED to work with OpenSSL.

I don't see that anyone is all that terribly *likely* to sue. Even so,
it's best to follow the licenses under which we receive the rights to
distribute the software as best we can. I can't say if they chose to
sue if they'd win or not, I'd tend to doubt it based on such claims as
those you describe but that doesn't mean I'm really all that anxious to
actually find out for sure.

> "Exim can be built to support encrypted SMTP connections... Before you can do
> this, you must install the OpenSSL library, which Exim uses for this purpose."
>
> Will they win if they sue? Not likely, there are probably lots of long legal
> terms (like latches, estoppal) that can be used in a defense. You can't go and
> build software specifically designed to use something, and over the course of
> years dupe people into using it only to go, ta-da, busted for "additional GPL
> restrictions".

No, Exim may have been a poor choice as an example, there's other GPL
software which doesn't use OpenSSL directly but which does link against
libpq. Even so though, our goal is to follow the licenses as best we
can, not try to justify not following our understanding of the license
based on the likelihood of a successful suit.

> And even if you succeed in this, you're not going to win big bucks. Perhaps
> you can simply prevent people from using your software. Given that using your
> software in the form you distribute it requires openssl, and you've sued
> people for using openssl with it, it's likely *no one* is going to use your
> software. And if you continue to dupe people into using your software and then
> suing them, you'd run some legal risks yourself.

Unfortuantely, for many of us, just having to deal with a court at all
implies a 'big bucks' cost.

> I mean, the theory of this legal case that debian people build seems terrible
> to me!
>
> Any case with this many highly unlikely AND clauses and such horrible outcomes
> for everyone seems unlikely to happen AND be won AND result in significant harm.
>
> If you don't like the advertising clause of openssl that is fine, avoid using
> software that uses it etc etc. But I think the debian hype of various forms of
> legal jeopardy goes a bit far, and does smell a bit FUDish.

It'd only be jeopardy for Debian in any case... We'd just like to avoid
the possibility by following the licenses as best we understand them.
As for my personal feeling on the advertising clause, I'm not really a
fan of it but at the same time it doesn't bother me all that much. We
havn't got any choice if we want to use PostgreSQL w/ SSL though, do we?

> Fun to follow though. And if there is a nice implementation of GNUTLS that
> succeeds on the technical merits, no objection there either.

As I posted about elsewhere, there are features in GNUTLS which aren't
in OpenSSL, and vice-versa, along with claims of speed improvments from
one over the other depending on platform. Also as mentioned last time
this was brought up, GNUTLS is being used in quite a few different areas
of Debian and has proven to work quite reasonably.
(http://www.webservertalk.com/archive307-2006-4-1456230.html)

Thanks,

Stephen

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> Actually everything about Debian (the project) is a political agenda.
> That doesn't mean that it is invalid though.

*smirk

> That being said, this topic is WAY OFF-TOPIC for the discussion. The
> discussion is:
>
> Will we accept GNU TLS.
>
> Currently there has not been one technical argument that is valid to
> have us include GNU TLS.

Well, perhaps you weren't following everything but I did try to bring up
a couple points about GNUTLS vs. OpenSSL which I'll mention again here
where more people might actually notice it, heh:

OpenSSL has more features and some niceties like the TLS_CACERTDIR
(I've asked for this in GNUTLS, actually, so it might have it soon)
They can each be faster than the other in some instances
(I'm not sure which though, I've heard of 15% differences in each
direction depending on architecture though)
GNUTLS has a nicer/better API
GNUTLS has a smaller memory footprint
OpenSSL is working to get NIST certification/approval
(it had it, but then lost it for some reason and they're working to
get that fixed)
GNUTLS has better documentation

Actually, from a comparison done for libcurl (which supports both):

GnuTLS vs OpenSSL
While these two libraries offer similar features, they are not equal. Both
libraries have features the other one lacks. libcurl does not (yet) offer a
standardized stable ABI if you decide to switch from using libcurl-openssl to
libcurl-gnutls or vice versa. The GnuTLS support is very recent in libcurl
and it has not been tested nor used very extensively, while the OpenSSL
equivalent code has been used and thus matured for more than seven (7)
years.

GnuTLS
- LGPL licensened
- supports SRP
- lacks SSLv2 support
- lacks MD2 support (used by at least some CA certs)
- lacks the crypto functions libcurl uses for NTLM

OpenSSL
- Original BSD licensened
- lacks SRP
- supports SSLv2
- older and more widely used
- provides crypto functions libcurl uses for NTLM
- libcurl can do non-blocking connects with it in 7.15.4 and later

That was from May 15, 2006:
http://curl.mirrors.cyberservers.net/legal/distro-dilemma.html

Regarding SSLv2 support, the GNUTLS page has this:

Support for TLS 1.1, TLS 1.0 and SSL 3.0 protocols

* Since SSL 2.0 is insecure it is not supported.
* TLS 1.2 is supported in the experimental branch.

> Now is their a legal argument? Maybe, but until an *attorney* states
> that there is an issue this is all m00t.
>
> Speaking of which I am going to bounce of to SPI and see if we can get
> an actual answer to this.

That would be interesting to find out. I'm kind of suprised it wasn't
brought up before so that we could say "well, from our understanding of
what our lawyer said..." or something along those lines.

Thanks,

Stephen

On Fri, Dec 29, 2006 at 10:32:34AM -0800, Joshua D. Drake wrote:
> Currently there has not been one technical argument that is valid to
> have us include GNU TLS.

1) The normal freedom that not being tied down to a single product
provides. The same reason somebody might build MySQL + PostgreSQL
support into their product. It usually forces a generic abstraction
to be used, which may be a long term investment into a better code
base within PostgreSQL.

2) Documentation is much better in GNUTLS. When using OpenSSL, I find
myself frequently referring to the source code itself, as the best
documentation available is for the now-possibly-out-of-date SSLeay.

3) Due to various political agendas, and legal confusion, GNUTLS has
been steadily growing in popularity. One day it may be that GNUTLS
is better maintained and well known than OpenSSL, at which point
it might be a practical choice to only support GNUTLS, and drop
support for OpenSSL entirely.

4) GNUTLS development seems more active? OpenSSL has been in a frozen/mature
state for a while. I don't understand why OpenSSL is still labelled as
0.9.x, which might indicate alpha quality, under heavy development.

I don't find the reasons too compelling - but they are points to
consider.

Cheers,
mark

--
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
. . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
|\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
| | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada

One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...

http://mark.mielke.cc/

> entirely.
>
> 4) GNUTLS development seems more active? OpenSSL has been in a frozen/mature
> state for a while. I don't understand why OpenSSL is still labelled as
> 0.9.x, which might indicate alpha quality, under heavy development.
>
> I don't find the reasons too compelling - but they are points to
> consider.

5) GNUTLS does not run well under all of our supported platforms.

Joshua D. Drake

>
> Cheers,
> mark
>
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> > 4) GNUTLS development seems more active? OpenSSL has been in a frozen/mature
> > state for a while. I don't understand why OpenSSL is still labelled as
> > 0.9.x, which might indicate alpha quality, under heavy development.
> >
> > I don't find the reasons too compelling - but they are points to
> > consider.
>
> 5) GNUTLS does not run well under all of our supported platforms.

While I don't disagree about that, I would like to reiterate that I
wouldn't advocate or even suggest dropping OpenSSL support or removing
OpenSSL as the default.

Thanks,

Stephen

On Friday 29 December 2006 14:49, Joshua D. Drake wrote:
> > entirely.
> >
> > 4) GNUTLS development seems more active? OpenSSL has been in a
> > frozen/mature state for a while. I don't understand why OpenSSL is still
> > labelled as 0.9.x, which might indicate alpha quality, under heavy
> > development.
> >
> > I don't find the reasons too compelling - but they are points to
> > consider.
>
> 5) GNUTLS does not run well under all of our supported platforms.
>

given options like --enable-dtrace and --with-libedit-preferred, I don't find
this argument compelling...

--
Robert Treat
Build A Brighter LAMP :: Linux Apache {middleware} PostgreSQL

On Fri, 2006-12-29 at 17:57 -0500, Robert Treat wrote:
> On Friday 29 December 2006 14:49, Joshua D. Drake wrote:
> > > entirely.
> > >
> > > 4) GNUTLS development seems more active? OpenSSL has been in a
> > > frozen/mature state for a while. I don't understand why OpenSSL is still
> > > labelled as 0.9.x, which might indicate alpha quality, under heavy
> > > development.
> > >
> > > I don't find the reasons too compelling - but they are points to
> > > consider.
> >
> > 5) GNUTLS does not run well under all of our supported platforms.
> >
>
> given options like --enable-dtrace and --with-libedit-preferred, I don't find
> this argument compelling...

I don't like either of those options either.

Joshua D. Drake

--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> On Fri, 2006-12-29 at 17:57 -0500, Robert Treat wrote:
> > On Friday 29 December 2006 14:49, Joshua D. Drake wrote:
> > given options like --enable-dtrace and --with-libedit-preferred, I don't find
> > this argument compelling...
>
> I don't like either of those options either.

What about --with-pam, --with-ldap, --with-gnu-ld ? I also wonder
about --with-tcl, --with-perl, --with-python, --with-krb5.. We
do support quite a few platforms...

Thanks,

Stephen

On Fri, 2006-12-29 at 18:56 -0500, Stephen Frost wrote:
> * Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> > On Fri, 2006-12-29 at 17:57 -0500, Robert Treat wrote:
> > > On Friday 29 December 2006 14:49, Joshua D. Drake wrote:
> > > given options like --enable-dtrace and --with-libedit-preferred, I don't find
> > > this argument compelling...
> >
> > I don't like either of those options either.
>
> What about --with-pam, --with-ldap, --with-gnu-ld ? I also wonder
> about --with-tcl, --with-perl, --with-python, --with-krb5.. We
> do support quite a few platforms...

I do not like --enable-dtrace because it is a Solaris only thing and a
waste of maintability resources (although small).

I do not like --with-libedit-preferred because I think it should be
--with-libedit and readline should be ripped out.

I do not like --with-krb5 because it has extremely limited real world
use.

I do not like --with-tcl because well... it is tcl

I do not like --with-pam but only because I have never gotten it to
work.

I do like --with-python because all other languages are inferior.

I do like --with-ldap because it is pretty much standard within
directory lookups by the nature of Active Directory.

I do not like "Green Eggs and Ham", said Sam I am.

Sincerely,

Joshua D. Drake

>
> Thanks,
>
> Stephen
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> I do not like --enable-dtrace because it is a Solaris only thing and a
> waste of maintability resources (although small).

While the analysis can only be done on Solaris I feel that improvments
from the analysis may be useful on other platforms. For that I don't
feel it's a waste of resources.

> I do not like --with-libedit-preferred because I think it should be
> --with-libedit and readline should be ripped out.

Not all that particular on this one as long as my psql works well. :) I
do like the improvments in 8.2 too.

> I do not like --with-krb5 because it has extremely limited real world
> use.

Riiigghhhttt... Only every Windows setup which uses Active Directory,
most major universities, and certain large corporations (uh, AOL?) would
even think to use something like Kerberos!

> I do not like --with-tcl because well... it is tcl

Haha.

> I do not like --with-pam but only because I have never gotten it to
> work.

We use it on some of our production systems (since it can provide
cracklib, password expiration, etc, and the postgres instance inside
it's own vserver so it doesn't hurt as much to make the passwd/shadow
files available to it...). I'd be happy to help you get it to work if
you'd like, and I could even provide you with some PG/C functions to use
password changing and password aging. :)

> I do like --with-python because all other languages are inferior.

haha.

> I do like --with-ldap because it is pretty much standard within
> directory lookups by the nature of Active Directory.

Funny you like LDAP but not Kerberos, both of which are part of Active
Directory... Using LDAP simple binds to AD for authentication is
*quite* silly and *much* less secure than using Kerberos...

> I do not like "Green Eggs and Ham", said Sam I am.

hehe.

Thanks,

Stephen

> > I do not like --with-krb5 because it has extremely limited real world
> > use.
>
> Riiigghhhttt... Only every Windows setup which uses Active Directory,
> most major universities, and certain large corporations (uh, AOL?) would
> even think to use something like Kerberos!

I said "Extremely Limited" real world use. Between just two of my
customers, in the next 2 years we (CMD) will have 12 thousand postgresql
installations. Not one of them will use Kerberos.

>
> > I do not like --with-pam but only because I have never gotten it to
> > work.
>
> We use it on some of our production systems (since it can provide
> cracklib, password expiration, etc, and the postgres instance inside
> it's own vserver so it doesn't hurt as much to make the passwd/shadow
> files available to it...). I'd be happy to help you get it to work if
> you'd like, and I could even provide you with some PG/C functions to use
> password changing and password aging. :)

Oh, I am sure it is great. I have just never tried that hard to get it
to work :)

> > I do like --with-ldap because it is pretty much standard within
> > directory lookups by the nature of Active Directory.
>
> Funny you like LDAP but not Kerberos, both of which are part of Active
> Directory... Using LDAP simple binds to AD for authentication is
> *quite* silly and *much* less secure than using Kerberos...

Yes but LDAP gives me a lot of other things, easily and it has SSL. SSL
+ Firewall gives me 98% of the security I need.

Sincerely,

Joshua D. Drake

--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

On Dec 29, 2006, at 7:09 PM, Joshua D. Drake wrote:

> On Fri, 2006-12-29 at 18:56 -0500, Stephen Frost wrote:
>> * Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
>>> On Fri, 2006-12-29 at 17:57 -0500, Robert Treat wrote:
>>>> On Friday 29 December 2006 14:49, Joshua D. Drake wrote:
>>>> given options like --enable-dtrace and --with-libedit-preferred,
>>>> I don't find
>>>> this argument compelling...
>>>
>>> I don't like either of those options either.
>>
>> What about --with-pam, --with-ldap, --with-gnu-ld ? I also wonder
>> about --with-tcl, --with-perl, --with-python, --with-krb5.. We
>> do support quite a few platforms...
>
> I do not like --enable-dtrace because it is a Solaris only thing and a
> waste of maintability resources (although small).

It works on solaris, opensolaris, all the distributions based on
opensolaris. It should work in the next version of Mac OS X and most
likely in the next version of FreeBSD. The dtrace allows people to
answer questions on production systems that were otherwise
mysteries. I think it is not a waste at all.

> I do not like --with-libedit-preferred because I think it should be
> --with-libedit and readline should be ripped out.
>
> I do not like --with-krb5 because it has extremely limited real world
> use.

I see quite a bit of kerberos in the Enterprise world.

> I do not like --with-tcl because well... it is tcl
>
> I do not like --with-pam but only because I have never gotten it to
> work.
>
> I do like --with-python because all other languages are inferior.
>
> I do like --with-ldap because it is pretty much standard within
> directory lookups by the nature of Active Directory.
>
> I do not like "Green Eggs and Ham", said Sam I am.

I don't understand why this has devolved into an argument about what
people do and don't like. It's like specifically choosing a forum
that will have the most disagreement.

// Theo Schlossnagle
// CTO -- http://www.omniti.com/~jesus/
// OmniTI Computer Consulting, Inc. -- http://www.omniti.com/

>
> I don't understand why this has devolved into an argument about what
> people do and don't like. It's like specifically choosing a forum
> that will have the most disagreement.

Yep :), I saw we go over to debian-general and ask why they are trying
to make all these projects use GNU/TLS ;)

Joshua D. Drake

>
> // Theo Schlossnagle
> // CTO -- http://www.omniti.com/~jesus/
> // OmniTI Computer Consulting, Inc. -- http://www.omniti.com/
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly
>
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> > > I do not like --with-krb5 because it has extremely limited real world
> > > use.
> >
> > Riiigghhhttt... Only every Windows setup which uses Active Directory,
> > most major universities, and certain large corporations (uh, AOL?) would
> > even think to use something like Kerberos!
>
> I said "Extremely Limited" real world use. Between just two of my
> customers, in the next 2 years we (CMD) will have 12 thousand postgresql
> installations. Not one of them will use Kerberos.

There's no accounting for poor taste...

> > > I do not like --with-pam but only because I have never gotten it to
> > > work.
> >
> > We use it on some of our production systems (since it can provide
> > cracklib, password expiration, etc, and the postgres instance inside
> > it's own vserver so it doesn't hurt as much to make the passwd/shadow
> > files available to it...). I'd be happy to help you get it to work if
> > you'd like, and I could even provide you with some PG/C functions to use
> > password changing and password aging. :)
>
> Oh, I am sure it is great. I have just never tried that hard to get it
> to work :)

Oh, I never said it was great, just said that we used it since PG
doesn't directly provide the things we need (cracklib, password aging,
etc).

> > > I do like --with-ldap because it is pretty much standard within
> > > directory lookups by the nature of Active Directory.
> >
> > Funny you like LDAP but not Kerberos, both of which are part of Active
> > Directory... Using LDAP simple binds to AD for authentication is
> > *quite* silly and *much* less secure than using Kerberos...
>
> Yes but LDAP gives me a lot of other things, easily and it has SSL. SSL
> + Firewall gives me 98% of the security I need.

Unfortunately, security isn't a game of percentages. Hopefully you'll
never have a server compromised which is then used to capture passwords
which can then be used to jump to other systems... Kerberos is there
and it's not too hard to use (though does depend on the MIT Kerberos for
Windows service currently). Supporting SSPI/GSSAPI and then writing a
small document on how to generate Windows keytabs for Postgres would
mean single-sign-on for Windows users using applications which use
libpq...

Thanks,

Stephen

Robert Treat wrote:
> On Friday 29 December 2006 14:49, Joshua D. Drake wrote:
> > > entirely.
> > >
> > > 4) GNUTLS development seems more active? OpenSSL has been in a
> > > frozen/mature state for a while. I don't understand why OpenSSL is still
> > > labelled as 0.9.x, which might indicate alpha quality, under heavy
> > > development.
> > >
> > > I don't find the reasons too compelling - but they are points to
> > > consider.
> >
> > 5) GNUTLS does not run well under all of our supported platforms.
> >
>
> given options like --enable-dtrace and --with-libedit-preferred, I don't find
> this argument compelling...

Keep in mind it took years to get OpenSSL support up to the level we
have it now. It took SSL experts coming in and out of our development
process to get it 100% feature-complete. Doing this for another
library, I am afraid, isn't trivial, unlike the above options.

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Bruce Momjian wrote:
> Robert Treat wrote:
>> > 5) GNUTLS does not run well under all of our supported platforms.
>> >
>>
>> given options like --enable-dtrace and --with-libedit-preferred, I don't
>> find
>> this argument compelling...
>
> Keep in mind it took years to get OpenSSL support up to the level we
> have it now. It took SSL experts coming in and out of our development
> process to get it 100% feature-complete. Doing this for another
> library, I am afraid, isn't trivial, unlike the above options.
>

Not only that, but in every other case of an extra library, it provides us
either with more platform support (e.g. libedit) or more functionality
(e.g. dtrace). That's not the case here - we would simply be supporting
another way of getting the same functionality on platforms where we
already have a library that supports it.

cheers

andrew

Bruce Momjian <bruce(at)momjian(dot)us> writes:
> Keep in mind it took years to get OpenSSL support up to the level we
> have it now. It took SSL experts coming in and out of our development
> process to get it 100% feature-complete.

Actually, it's *not* feature-complete even yet.

What basically bothers me about this is that trying to support both the
OpenSSL and GNUTLS APIs is going to be an enormous investment of
development and maintenance effort, because it's such a nontrivial thing
to use properly. It sticks in my craw to be doing that work for no
technical reason, only a license-lawyering reason; and not even a
license issue that everyone is convinced is real.

regards, tom lane

On Sat, Dec 30, 2006 at 02:10:42AM -0500, Tom Lane wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > Keep in mind it took years to get OpenSSL support up to the level we
> > have it now. It took SSL experts coming in and out of our development
> > process to get it 100% feature-complete.
>
> Actually, it's *not* feature-complete even yet.

What's missing? I don't see anything on the TODO list relating to
this. If you wanted a GnuTLS patch that supported more features than
the OpenSSL one, you should have said so. Personally I would have
added:

- authentication using PGP keys
- anonymous DH (ie doing encryption, without authentication or
shared keys)

I refrained because I figured that would give it even less chance of
getting accepted.

Additionally the patch implemented:

- A command in psql so you could see the parameters of the SSL
connection
- A method by which other client libraries (say JDBC) could use the
authentication and encryption features of libpq, but implement the
query protocol themselves.

> What basically bothers me about this is that trying to support both the
> OpenSSL and GNUTLS APIs is going to be an enormous investment of
> development and maintenance effort, because it's such a nontrivial thing
> to use properly. It sticks in my craw to be doing that work for no
> technical reason, only a license-lawyering reason; and not even a
> license issue that everyone is convinced is real.

As author of the patch, I'm slightly dismayed people are getting so
hung up on the licence issue, when it was *not* the main motivation for
writing it.

And if there's features you want, put them on the todo list. I'm not
sure about Bruce's comment about it being so hard to get the OpenSSL
level of support we have, given PostgreSQL is not doing anything not
described in the example code.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> Robert Treat wrote:
> > given options like --enable-dtrace and --with-libedit-preferred, I don't find
> > this argument compelling...
>
> Keep in mind it took years to get OpenSSL support up to the level we
> have it now. It took SSL experts coming in and out of our development
> process to get it 100% feature-complete. Doing this for another
> library, I am afraid, isn't trivial, unlike the above options.

Uhh, I have no idea where you got the idea that our current OpenSSL
support is anywhere near 100% feature complete for an SSL
implementation. It's certainly not, and we've been over that
previously...

Thanks,

Stephen

* Andrew Dunstan (andrew(at)dunslane(dot)net) wrote:
> Bruce Momjian wrote:
> > Keep in mind it took years to get OpenSSL support up to the level we
> > have it now. It took SSL experts coming in and out of our development
> > process to get it 100% feature-complete. Doing this for another
> > library, I am afraid, isn't trivial, unlike the above options.
>
> Not only that, but in every other case of an extra library, it provides us
> either with more platform support (e.g. libedit) or more functionality
> (e.g. dtrace). That's not the case here - we would simply be supporting
> another way of getting the same functionality on platforms where we
> already have a library that supports it.

As I mentioned previously there are at least some features GNUTLS has
which OpenSSL doesn't (though I don't pretend to know the level of
importance). There is also the license difference (which there *is* a
pretty clear difference in the license between the two, and some might
prefer one or the other, regardless of if there's actually a problem or
not).

Thanks,

Stephen

* Tom Lane (tgl(at)sss(dot)pgh(dot)pa(dot)us) wrote:
> Bruce Momjian <bruce(at)momjian(dot)us> writes:
> > Keep in mind it took years to get OpenSSL support up to the level we
> > have it now. It took SSL experts coming in and out of our development
> > process to get it 100% feature-complete.
>
> Actually, it's *not* feature-complete even yet.
>
> What basically bothers me about this is that trying to support both the
> OpenSSL and GNUTLS APIs is going to be an enormous investment of
> development and maintenance effort, because it's such a nontrivial thing
> to use properly. It sticks in my craw to be doing that work for no
> technical reason, only a license-lawyering reason; and not even a
> license issue that everyone is convinced is real.

The development has been done (and wasn't terribly enormous aiui) and I
have a hard time believeing it's a huge maintenance cost. If features
are added wrt SSL they wouldn't have to be added to both, either,
although in general I doubt it'd be all that difficult to support both
from the get-go but there's no obligataion and someone else who cares
about one or the other could implement it there.

Thanks,

Stephen

* Martijn van Oosterhout (kleptog(at)svana(dot)org) wrote:
> On Sat, Dec 30, 2006 at 02:10:42AM -0500, Tom Lane wrote:
> > Actually, it's *not* feature-complete even yet.
>
> What's missing? I don't see anything on the TODO list relating to
> this. If you wanted a GnuTLS patch that supported more features than
> the OpenSSL one, you should have said so. Personally I would have
> added:
>
> - authentication using PGP keys

This would be the big feature I think is missing from our current SSL
support. I don't think it'd be terribly difficult to support with
either library (I think most of the work would be on the PG user auth
side, which would be useable by either).

> - anonymous DH (ie doing encryption, without authentication or
> shared keys)

Would be nice.

> I refrained because I figured that would give it even less chance of
> getting accepted.

Indeed..

> Additionally the patch implemented:
>
> - A command in psql so you could see the parameters of the SSL
> connection
> - A method by which other client libraries (say JDBC) could use the
> authentication and encryption features of libpq, but implement the
> query protocol themselves.
>
> > What basically bothers me about this is that trying to support both the
> > OpenSSL and GNUTLS APIs is going to be an enormous investment of
> > development and maintenance effort, because it's such a nontrivial thing
> > to use properly. It sticks in my craw to be doing that work for no
> > technical reason, only a license-lawyering reason; and not even a
> > license issue that everyone is convinced is real.
>
> As author of the patch, I'm slightly dismayed people are getting so
> hung up on the licence issue, when it was *not* the main motivation for
> writing it.

I hadn't intended (or expected) the reaction to the licesneing issue to
turn people off to GNUTLS support in general. My intent was more along
the lines of "I figure you'll support it since it's good to have
options, but additionally it'd resolve an issue for Debian". Though
perhaps that issue is all in Debian's collective head and not anywhere
else. Sorry for that. :/

> And if there's features you want, put them on the todo list. I'm not
> sure about Bruce's comment about it being so hard to get the OpenSSL
> level of support we have, given PostgreSQL is not doing anything not
> described in the example code.

Agreed.

Thanks,

Stephen

On Fri, Dec 29, 2006 at 08:12:47PM -0500, Stephen Frost wrote:
> * Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> > > We use it on some of our production systems (since it can
> > > provide cracklib, password expiration, etc, and the postgres
> > > instance inside it's own vserver so it doesn't hurt as much to
> > > make the passwd/shadow files available to it...). I'd be happy
> > > to help you get it to work if you'd like, and I could even
> > > provide you with some PG/C functions to use password changing
> > > and password aging. :)
> >
> > Oh, I am sure it is great. I have just never tried that hard to
> > get it to work :)
>
> Oh, I never said it was great, just said that we used it since PG
> doesn't directly provide the things we need (cracklib, password
> aging, etc).

It's never been clear to me how these things in particular are good
security measures, but that's a whole different discussion.

> > > > I do like --with-ldap because it is pretty much standard
> > > > within directory lookups by the nature of Active Directory.
> > >
> > > Funny you like LDAP but not Kerberos, both of which are part of
> > > Active Directory... Using LDAP simple binds to AD for
> > > authentication is *quite* silly and *much* less secure than
> > > using Kerberos...
> >
> > Yes but LDAP gives me a lot of other things, easily and it has
> > SSL. SSL + Firewall gives me 98% of the security I need.
>
> Unfortunately, security isn't a game of percentages.

Security is *precisely* a game of percentages. There is a lot of
silly voodoo running around in among amateurs tasked with security.
The silliest usually involves the "tall fencepost" model, which is the
diametric opposite of the "weakest link" model. One example of "tall
fencepost" security would be hyper-strong crypto applied by
demoralized employees with bad will. Attackers just *love* "tall
fencepost" security.

> Hopefully you'll never have a server compromised which is then used
> to capture passwords which can then be used to jump to other
> systems...

Yeah, it's good to think about cascading failure modes.

> Kerberos is there and it's not too hard to use (though does depend
> on the MIT Kerberos for Windows service currently). Supporting
> SSPI/GSSAPI and then writing a small document on how to generate
> Windows keytabs for Postgres would mean single-sign-on for Windows
> users using applications which use libpq...

Sounds like a nice feature :)

Cheers,
D
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
phone: +1 415 235 3778 AIM: dfetter666
Skype: davidfetter

Remember to vote!

Stephen Frost wrote:
> * Martijn van Oosterhout (kleptog(at)svana(dot)org) wrote:
>> On Sat, Dec 30, 2006 at 02:10:42AM -0500, Tom Lane wrote:
>>> Actually, it's *not* feature-complete even yet.
>> What's missing? I don't see anything on the TODO list relating to
>> this. If you wanted a GnuTLS patch that supported more features than
>> the OpenSSL one, you should have said so. Personally I would have
>> added:
>>
>> - authentication using PGP keys
>
> This would be the big feature I think is missing from our current SSL
> support. I don't think it'd be terribly difficult to support with
> either library (I think most of the work would be on the PG user auth
> side, which would be useable by either).

Wouldn't it be a lot more logical to support authentication with X.509
certificates rather than PGP keys? Given that SSL already has that at a
protocol level AFAIK? And if you are doing any kind of enterprise
deployment at lesat, you're likely to have the PKI infrastructure to
deal out X.509 already?

That said, you could do PGP authentication anyway - independent of SSL -
if people wanted it.

//Magnus

>> Kerberos is there and it's not too hard to use (though does depend
>> on the MIT Kerberos for Windows service currently). Supporting
>> SSPI/GSSAPI and then writing a small document on how to generate
>> Windows keytabs for Postgres would mean single-sign-on for Windows
>> users using applications which use libpq...
>
> Sounds like a nice feature :)

We're looking into SSPI/GSSAPI (I think the latest take is to do it
through SASL, but I'm not sure) hopefully for 8.3. (we? Mainly Henry B.
Holtz, but I'll try to help him out as needed)

//Magnus

> > This would be the big feature I think is missing from our current SSL
> > support. I don't think it'd be terribly difficult to support with
> > either library (I think most of the work would be on the PG user auth
> > side, which would be useable by either).
>
> Wouldn't it be a lot more logical to support authentication with X.509
> certificates rather than PGP keys?

The use of PGP in this manner is silly imo. X.509 would certainly be
interesting.

Sincerely,

Joshua D. Drake

--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

On Sat, Dec 30, 2006 at 08:14:16AM -0800, Joshua D. Drake wrote:
>
> > > This would be the big feature I think is missing from our current SSL
> > > support. I don't think it'd be terribly difficult to support with
> > > either library (I think most of the work would be on the PG user auth
> > > side, which would be useable by either).
> >
> > Wouldn't it be a lot more logical to support authentication with X.509
> > certificates rather than PGP keys?
>
> The use of PGP in this manner is silly imo. X.509 would certainly be
> interesting.

Except tht X.509 is already done (in a sense). The client can supply a
certificate that the server can check, and vice-versa. You can't link
this with the postgresql username yet, but I havn't seen any proposals
about how to do that.

The reason I wanted to use PGP is that I already have a PGP key. X.509
certificates are far too complicated (a certificate authority is a
useless extra step in my case).

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.

On Sat, Dec 30, 2006 at 06:05:14PM +0100, Martijn van Oosterhout wrote:
> Except tht X.509 is already done (in a sense). The client can supply a
> certificate that the server can check, and vice-versa. You can't link
> this with the postgresql username yet, but I havn't seen any proposals
> about how to do that.

I suggest associating the SHA-1 fingerprint with the ROLE. I would love
to have this.

> The reason I wanted to use PGP is that I already have a PGP key. X.509
> certificates are far too complicated (a certificate authority is a
> useless extra step in my case).

I prefer to allow self-signed certificates approved by fingerprint,
rather than content - having a central authority vouche for a person's
right to use my system does not appeal to me. Yes, this does make
X.509 far too complicated. I have a tendency to put garbage in the
X.509 fields, and use only the private key / public key / fingerprint
of public certificate, which would match your use of PGP keys... :-)

Cheers,
mark

--
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
. . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
|\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
| | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada

One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...

http://mark.mielke.cc/

> The reason I wanted to use PGP is that I already have a PGP key. X.509
> certificates are far too complicated (a certificate authority is a
> useless extra step in my case).

Complete side note but one feature that I brought up to my team a
potentially useful would be to allow the use of ssh keys for
authentication.

SSH keys are far more prevalent, and they are understood even at the
medium corporate level.

Sincerely,

Joshua D. Drake

--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

Stephen Frost wrote:
-- Start of PGP signed section.
> * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > Robert Treat wrote:
> > > given options like --enable-dtrace and --with-libedit-preferred, I don't find
> > > this argument compelling...
> >
> > Keep in mind it took years to get OpenSSL support up to the level we
> > have it now. It took SSL experts coming in and out of our development
> > process to get it 100% feature-complete. Doing this for another
> > library, I am afraid, isn't trivial, unlike the above options.
>
> Uhh, I have no idea where you got the idea that our current OpenSSL
> support is anywhere near 100% feature complete for an SSL
> implementation. It's certainly not, and we've been over that
> previously...

My point was that in the past our SSL implementation had known problems,
and only people appearing randomly seemed to be able to fix them, e.g.
"Bear" was one of them. I have not seen any major complaints recently,
so I feel we at least have acceptable SSL support, but it took years.
Typically, some SSL export would appear, say there was something wrong
with our SSL code, say he didn't have time to fix it, and disappear. I
would then chase him around and maybe get a patch from him for a few of
the problems he found (but not all of them).

I had to stuble together a Certificate Revocation List (CRL) patch for
8.2 from soneone's posted patch. I didn't even know what CRL was, and
got no feedback from the community, so I had to figure it out myself to
get it into CVS (for server and client sides) and documented.

If I couldn't get community help for getting a patch documented for 8.2,
what help are we going to get to maintain two ways of doing SSL?

For some reason, SSL seems to have more black magic than other
libraries.

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Stephen Frost wrote:
> Yet *having* that requirement on a *derived work* which includes GPL
> code is *against* the terms of the GPL. That's *exactly* the issue.
> The GPL says more than "you must provide the source code to everything",
> it explicitly includes a requirement that no additional restrictions be
> put on the derivative (lest requirements for no-additional-distribution
> or must-charge-for-other-distribution be added which defeats much of the
> point of the GPL).

Our BSD license has this restriction:

> provided that the above copyright notice and this
> paragraph and the following two paragraphs appear in all copies.

Why is this not an _additional_ restriction, and hence GPL and BSD
software cannot be bundled into a binary? What does "appear in all
copies" mean, especially if you don't need to ship the source code under
the BSD license?

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

mark(at)mark(dot)mielke(dot)cc wrote:
> On Sat, Dec 30, 2006 at 06:05:14PM +0100, Martijn van Oosterhout wrote:
>> Except tht X.509 is already done (in a sense). The client can supply a
>> certificate that the server can check, and vice-versa. You can't link
>> this with the postgresql username yet, but I havn't seen any proposals
>> about how to do that.
>
> I suggest associating the SHA-1 fingerprint with the ROLE. I would love
> to have this.

I would suggest a map based on the CN. Any org with a centralized PKI
infrastructure is likely to assign certs with the userid or other unique
identifier in the CN.

//Magnus

If you want real language-lawyer over-reach, check out this 2003 posting
that says our BSD license wording is not compatible with the OpenBSD BSD
license:

http://archives.postgresql.org/pgsql-bugs/2003-11/msg00212.php

OpenBSD feels the "without fee" can be misinterpreted, so PostgreSQL was
removed from their CDROM.

---------------------------------------------------------------------------

mark(at)mark(dot)mielke(dot)cc wrote:
> > > Now Exim has granted an exception that gets Debian off the hook, but
> > > they didn't have to do that.
> > Right. If they didn't then it's conceivable that Exim could sue Debian
> > for violating the GPL license. Not exactly likely to happen but being
> > cautious it's best to get their explicit approval rather than playing
> > the "well, we'll just wait and see if they sue us" game.
>
> This is pure FUD, and unacceptable if spoken from a position of
> authority. State what you think this theoretical case would be. At
> least if you picked GPL including closed source code, you might be
> able to claim that the resulting derived work was not distributed
> complete with source code. OpenSSL, however, is open source. The only
> possible complaint could be "you failed to advertise OpenSSL in the
> resulting distributed image", which would be a correct observation,
> easily corrected by the inclusion of a note in the documentation for
> the distributed software unit that includes both pieces of software.
> This correction is an existing requirement for any software
> distribution that includes OpenSSL, It is an acceptable, and easily
> honoured requirement.
>
> Anybody who has a problem admitting that their software distribution
> includes OpenSSL software in their documentation, has no sympathy from
> me. Attribution is an acceptable right to enforce under copyright law,
> and an honourable practice with or without a licensing requirement
> explicitly stating this as a requirement.
>
> Caution to the point of fantasy is a waste of resources. Caution to
> further a political agenda (not you - but the people whose opinions you
> are repeating) is exploitation.
>
> I am unable to find a single clause in the GPL (which I have analyzed
> many years ago, but also re-read several times in the last two days)
> that would make it impossible to satisfy all of the GPL, PostgreSQL
> (BSD) license, and the OpenSSL license at the same time. Every single
> clause of all three licenses can be easily satisfied without conflict.
> Those of you who are claiming otherwise, have failed to point to a
> single phrase in the GPL that could not be satisfied when distributing
> all three pieces of software as a single unit. Without a single point
> of true conflict between all three licenses, I do not accept that
> there is any case to require an OpenSSL exemption clause for
> Debian. Those who are doing so are doing a disservice to everyone by
> contributing to the general confusion on this subject. The clause is
> not required. The clause has no effect.
>
> To distribute a software unit that includes software from all of a
> GPL product, PostgreSQL, and OpenSSL, one needs only do the following:
>
> 1) Documentation for the software unit should include documentation
> to describe that the software includes OpenSSL.
>
> 2) The distribution of the software unit should include a text copy
> of all three licenses.
>
> 3) Source code for the entire unit should be provided. I don't believe
> the FSF can legally enforce this requirement, however, with
> GPL + PostgreSQL + OpenSSL, there is *NO* conflict. The source code
> for all three can be made available upon request, or contained within
> the distribution.
>
> 4) Various other minor points, such as the requirement that changes
> are dated and such. None of which conflict between the three licenses.
>
> To state again. There is *NO* conflict between the licenses. The terms
> of each can be fulfilled completely, and separately, without
> invalidating each other. Those who claim otherwise need to point to a
> specific requirement from one of the licenses that would prevent it
> from being used. They cannot, because such a point does not
> exist. Ascii pictures. Hearsay. Confusion regarding existing practice
> or existing thoughts on the matter. No single point of conflict has
> been raised. The GPL does not state that "GPL software may not derive
> from software that has an advertising clause." Considering that this
> is the primary point raised by people, it is ironic that the GPL has
> no such restriction.
>
> Be honest about it. *You* don't like the advertising clause. The GPL
> has nothing to say on the issue, and therefore is *NOT* in conflict
> with it.
>
> This thread has re-enforced my conclusion that the GPL is a poor choice
> of license for any product I ever work on in the future. A decade ago,
> as a teenager, I thought it was cool to put GPL on the software that I
> made available to the world. I felt like I was part of something bigger.
> Now I just feel disgusted. The GPL is not about freedom. It is about
> enforcing a world view on all who use your software.
>
> Thank you PostgreSQL contributors for choosing the BSD style. I think
> it was an excellent choice.
>
> This is my last contribution to this thread. I've said my piece. Note
> that I don't intend to convert all of you. As this issue is primarily
> political, people will have a tendency to stay with their own camp,
> regardless of what is said. We all have a tendencies to read each others
> words, looking only for fault in what is said, purposefully choosing not
> to assimilate the other persons contribution. It's called the "I am right
> you are wrong" syndrome, and I'm not exempt from it.
>
> I hope I provided value to this discussion. If not, I apologize.
>
> Cheers,
> mark
>
> --
> mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
> . . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
> |\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
> | | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada
>
> One ring to rule them all, one ring to find them, one ring to bring them all
> and in the darkness bind them...
>
> http://mark.mielke.cc/
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: if posting/reading through Usenet, please send an appropriate
> subscribe-nomail command to majordomo(at)postgresql(dot)org so that your
> message can get through to the mailing list cleanly

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

On Sat, 2006-12-30 at 13:44 -0500, Bruce Momjian wrote:
> If you want real language-lawyer over-reach, check out this 2003 posting
> that says our BSD license wording is not compatible with the OpenBSD BSD
> license:
>
> http://archives.postgresql.org/pgsql-bugs/2003-11/msg00212.php
>
> OpenBSD feels the "without fee" can be misinterpreted, so PostgreSQL was
> removed from their CDROM.

I doubt that hurt us much ;)

Joshua D. Drake

--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> Stephen Frost wrote:
> > Yet *having* that requirement on a *derived work* which includes GPL
> > code is *against* the terms of the GPL. That's *exactly* the issue.
> > The GPL says more than "you must provide the source code to everything",
> > it explicitly includes a requirement that no additional restrictions be
> > put on the derivative (lest requirements for no-additional-distribution
> > or must-charge-for-other-distribution be added which defeats much of the
> > point of the GPL).
>
> Our BSD license has this restriction:
>
> > provided that the above copyright notice and this
> > paragraph and the following two paragraphs appear in all copies.
>
> Why is this not an _additional_ restriction, and hence GPL and BSD
> software cannot be bundled into a binary? What does "appear in all
> copies" mean, especially if you don't need to ship the source code under
> the BSD license?

As I pointed out previously, it's part of the copyright notice, and the
GPL has the exact same requirement:

1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

So it's *not* an additional restriction. Not to mention the other
reason- the license isn't part of the *work*.

Thanks,

Stephen

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> >> Kerberos is there and it's not too hard to use (though does depend
> >> on the MIT Kerberos for Windows service currently). Supporting
> >> SSPI/GSSAPI and then writing a small document on how to generate
> >> Windows keytabs for Postgres would mean single-sign-on for Windows
> >> users using applications which use libpq...
> >
> > Sounds like a nice feature :)
>
> We're looking into SSPI/GSSAPI (I think the latest take is to do it
> through SASL, but I'm not sure) hopefully for 8.3. (we? Mainly Henry B.
> Holtz, but I'll try to help him out as needed)

While I feel including SASL support would be a good thing I'm not sure
about it's availability on Windows and so wouldn't want SASL support to
mean we don't support SSPI directly... I'd also be happy to help with
any of the above, as best I can (as I think I mentioned before when it
was brought up...).

Thanks,

Stephen

Stephen Frost wrote:
-- Start of PGP signed section.
> * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > Stephen Frost wrote:
> > > Yet *having* that requirement on a *derived work* which includes GPL
> > > code is *against* the terms of the GPL. That's *exactly* the issue.
> > > The GPL says more than "you must provide the source code to everything",
> > > it explicitly includes a requirement that no additional restrictions be
> > > put on the derivative (lest requirements for no-additional-distribution
> > > or must-charge-for-other-distribution be added which defeats much of the
> > > point of the GPL).
> >
> > Our BSD license has this restriction:
> >
> > > provided that the above copyright notice and this
> > > paragraph and the following two paragraphs appear in all copies.
> >
> > Why is this not an _additional_ restriction, and hence GPL and BSD
> > software cannot be bundled into a binary? What does "appear in all
> > copies" mean, especially if you don't need to ship the source code under
> > the BSD license?
>
> As I pointed out previously, it's part of the copyright notice, and the
> GPL has the exact same requirement:
>
> 1. You may copy and distribute verbatim copies of the Program's
> source code as you receive it, in any medium, provided that you
> conspicuously and appropriately publish on each copy an appropriate
> copyright notice and disclaimer of warranty; keep intact all the
> notices that refer to this License and to the absence of any warranty;
> and give any other recipients of the Program a copy of this License
> along with the Program.
>
> So it's *not* an additional restriction. Not to mention the other
> reason- the license isn't part of the *work*.

It is an _additional_ license you have to include, not just their
license. I don't see how requiring an advertizing clause is an
additional restriction, but requiring an additional license isn't.

I don't understand the "work" issue as it applies here.

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> Stephen Frost wrote:
> > * Martijn van Oosterhout (kleptog(at)svana(dot)org) wrote:
> >> On Sat, Dec 30, 2006 at 02:10:42AM -0500, Tom Lane wrote:
> >>> Actually, it's *not* feature-complete even yet.
> >> What's missing? I don't see anything on the TODO list relating to
> >> this. If you wanted a GnuTLS patch that supported more features than
> >> the OpenSSL one, you should have said so. Personally I would have
> >> added:
> >>
> >> - authentication using PGP keys
> >
> > This would be the big feature I think is missing from our current SSL
> > support. I don't think it'd be terribly difficult to support with
> > either library (I think most of the work would be on the PG user auth
> > side, which would be useable by either).
>
> Wouldn't it be a lot more logical to support authentication with X.509
> certificates rather than PGP keys? Given that SSL already has that at a
> protocol level AFAIK? And if you are doing any kind of enterprise
> deployment at lesat, you're likely to have the PKI infrastructure to
> deal out X.509 already?
>
> That said, you could do PGP authentication anyway - independent of SSL -
> if people wanted it.

Err, brain fart on my side, I was thinking about X.509 certs, actually,
not PGP keys. I agree w/ you 100% on this. :)

Thanks,

Stephen

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> mark(at)mark(dot)mielke(dot)cc wrote:
> > On Sat, Dec 30, 2006 at 06:05:14PM +0100, Martijn van Oosterhout wrote:
> >> Except tht X.509 is already done (in a sense). The client can supply a
> >> certificate that the server can check, and vice-versa. You can't link
> >> this with the postgresql username yet, but I havn't seen any proposals
> >> about how to do that.
> >
> > I suggest associating the SHA-1 fingerprint with the ROLE. I would love
> > to have this.
>
> I would suggest a map based on the CN. Any org with a centralized PKI
> infrastructure is likely to assign certs with the userid or other unique
> identifier in the CN.

Right, this would be how I'd envision it as well. Basically provide a
CA which you trust and then a way to map from DN/CN to PostgreSQL users
(perhaps similar to the ident mapping in implementation?). I'd *also*
like to support full certificate matching (not just the fingerprint...)
but I think doing DN/CN would be a good, easier, first step.

Thanks,

Stephen

* Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
>
> > The reason I wanted to use PGP is that I already have a PGP key. X.509
> > certificates are far too complicated (a certificate authority is a
> > useless extra step in my case).
>
> Complete side note but one feature that I brought up to my team a
> potentially useful would be to allow the use of ssh keys for
> authentication.
>
> SSH keys are far more prevalent, and they are understood even at the
> medium corporate level.

While this may be true it's certainly also true that X.509 keys are
understood at both the medium corporate level and mid-level gov't (at
least in the US), especially inside the DOD, where they've been
mandated, as I recall.

Thanks,

Stephen

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> Stephen Frost wrote:
> > So it's *not* an additional restriction. Not to mention the other
> > reason- the license isn't part of the *work*.
>
> It is an _additional_ license you have to include, not just their
> license. I don't see how requiring an advertizing clause is an
> additional restriction, but requiring an additional license isn't.

The GPL fully realizes that there may be other licenses out there which
is why it was written to talk about *restrictions*:

6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.

> I don't understand the "work" issue as it applies here.

The resulting binary. Honestly, as I've tried to explain before, it's
not a PostgreSQL problem in general. As such, while I'm happy to try
and explain it, I think people have heard enough about it and so will
try to refrain from discussing the detailed legal stuff more on these
lists. Let me just say that Debian feels there's an issue with
distributing GPL applications linked against OpenSSL. Thus, in general,
Debian likes to see GNUTLS as an option for commonly used libraries to
avoid the issue (as they see it) entirely. I'd like to think that
Debian's preference for a library with a different license might at
least add some small amount of weight to the argument to include support
for a different library, but if not then that's pretty much how it goes
and we can just hope that the technical reasons themselves are enough.
Personally, I don't think Debian's alone in at least the preference for
a different license, but I can't say for sure.

I do agree that the technical merits should come first but thought the
licensing issue might be the straw that broke the camel's back, per se.

As much fun as it is discussing this here I don't see it changing
Debian's position. Joshua has said he'll ask SPI's lawyer about it and
that might change things (though I tend to doubt it, personally). It'll
be a while before we get an answer there though, I think.

Thanks,

Stephen

Stephen Frost wrote:
> * Magnus Hagander (magnus(at)hagander(dot)net) wrote:
>>>> Kerberos is there and it's not too hard to use (though does depend
>>>> on the MIT Kerberos for Windows service currently). Supporting
>>>> SSPI/GSSAPI and then writing a small document on how to generate
>>>> Windows keytabs for Postgres would mean single-sign-on for Windows
>>>> users using applications which use libpq...
>>> Sounds like a nice feature :)
>> We're looking into SSPI/GSSAPI (I think the latest take is to do it
>> through SASL, but I'm not sure) hopefully for 8.3. (we? Mainly Henry B.
>> Holtz, but I'll try to help him out as needed)
>
> While I feel including SASL support would be a good thing I'm not sure
> about it's availability on Windows and so wouldn't want SASL support to
> mean we don't support SSPI directly... I'd also be happy to help with
> any of the above, as best I can (as I think I mentioned before when it
> was brought up...).

Windows has builtin SASL support since Windows 2000. Though a quick look
at the docs right now it looks like it's only supported on server, but
the functions are definitely present on my XP client...

The idea is to get that to work.

//Magnus

On Sat, 2006-12-30 at 14:28 -0500, Stephen Frost wrote:
> * Joshua D. Drake (jd(at)commandprompt(dot)com) wrote:
> >
> > > The reason I wanted to use PGP is that I already have a PGP key. X.509
> > > certificates are far too complicated (a certificate authority is a
> > > useless extra step in my case).
> >
> > Complete side note but one feature that I brought up to my team a
> > potentially useful would be to allow the use of ssh keys for
> > authentication.
> >
> > SSH keys are far more prevalent, and they are understood even at the
> > medium corporate level.
>
> While this may be true it's certainly also true that X.509 keys are
> understood at both the medium corporate level and mid-level gov't (at
> least in the US), especially inside the DOD, where they've been
> mandated, as I recall.

I am not against X.509 at all. I was saying that instead of PGP, ssh
keys may make more sense.

J

>
> Thanks,
>
> Stephen
--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> I had to stuble together a Certificate Revocation List (CRL) patch for
> 8.2 from soneone's posted patch. I didn't even know what CRL was, and
> got no feedback from the community, so I had to figure it out myself to
> get it into CVS (for server and client sides) and documented.

I recall talking about CRLs on the lists at one point and encouraging
their inclusion. I would have been happy to explain what they are and
why they're good to have (along with OCSP support...). I thought you
were included in that discussion.

> If I couldn't get community help for getting a patch documented for 8.2,
> what help are we going to get to maintain two ways of doing SSL?

My apologies for not responding to the request (I think I did see it,
though I can't recall for sure). I don't consider myself an SSL or
X.509 expert but I've got some experience with it and would be happy to
help as I can...

> For some reason, SSL seems to have more black magic than other
> libraries.

It's more the certs and X.509, ASN1, etc, that's black magic, imv. :)

Thanks,

Stephen

Stephen Frost wrote:
-- Start of PGP signed section.
> * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > Stephen Frost wrote:
> > > So it's *not* an additional restriction. Not to mention the other
> > > reason- the license isn't part of the *work*.
> >
> > It is an _additional_ license you have to include, not just their
> > license. I don't see how requiring an advertizing clause is an
> > additional restriction, but requiring an additional license isn't.
>
> The GPL fully realizes that there may be other licenses out there which
> is why it was written to talk about *restrictions*:
>
> 6. Each time you redistribute the Program (or any work based on the
> Program), the recipient automatically receives a license from the
> original licensor to copy, distribute or modify the Program subject to
> these terms and conditions. You may not impose any further
> restrictions on the recipients' exercise of the rights granted herein.
> You are not responsible for enforcing compliance by third parties to
> this License.

I don't see the distinction here. Where does it say having to include
another license is a different additional restriction from an
advertizing clause?

> > I don't understand the "work" issue as it applies here.

Right. I wasn't clear in saying that the idea is whether the BSD and
GPL licenses can or cannot be merged into a single work.

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> Stephen Frost wrote:
> > 6. Each time you redistribute the Program (or any work based on the
> > Program), the recipient automatically receives a license from the
> > original licensor to copy, distribute or modify the Program subject to
> > these terms and conditions. You may not impose any further
> > restrictions on the recipients' exercise of the rights granted herein.
> > You are not responsible for enforcing compliance by third parties to
> > this License.
>
> I don't see the distinction here. Where does it say having to include
> another license is a different additional restriction from an
> advertizing clause?

Erm, I thought I included it already, but...

1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.

That's an existing restriction in the GPL, therefore a restriction in
another license for the same thing is acceptable to the GPL for a
resultant work. You'll also note above it says "an appropriate
copyright notice".

Thanks,

Stephen

Stephen Frost wrote:
-- Start of PGP signed section.
> * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > Stephen Frost wrote:
> > > 6. Each time you redistribute the Program (or any work based on the
> > > Program), the recipient automatically receives a license from the
> > > original licensor to copy, distribute or modify the Program subject to
> > > these terms and conditions. You may not impose any further
> > > restrictions on the recipients' exercise of the rights granted herein.
> > > You are not responsible for enforcing compliance by third parties to
> > > this License.
> >
> > I don't see the distinction here. Where does it say having to include
> > another license is a different additional restriction from an
> > advertizing clause?
>
> Erm, I thought I included it already, but...
>
> 1. You may copy and distribute verbatim copies of the Program's
> source code as you receive it, in any medium, provided that you
> conspicuously and appropriately publish on each copy an appropriate
> copyright notice and disclaimer of warranty; keep intact all the
> notices that refer to this License and to the absence of any warranty;
> and give any other recipients of the Program a copy of this License
> along with the Program.
>
> That's an existing restriction in the GPL, therefore a restriction in
> another license for the same thing is acceptable to the GPL for a
> resultant work. You'll also note above it says "an appropriate
> copyright notice".

I don't see were is says that another license's restriction that is the
same as a GPL restriction, but for a different license, is OK.

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> Stephen Frost wrote:
> > > > 6. Each time you redistribute the Program (or any work based on the
> > > > Program), the recipient automatically receives a license from the
> > > > original licensor to copy, distribute or modify the Program subject to
> > > > these terms and conditions. You may not impose any further
> > > > restrictions on the recipients' exercise of the rights granted herein.
> > > > You are not responsible for enforcing compliance by third parties to
> > > > this License.
> > >
> > > I don't see the distinction here. Where does it say having to include
> > > another license is a different additional restriction from an
> > > advertizing clause?
> >
> > Erm, I thought I included it already, but...
> >
> > 1. You may copy and distribute verbatim copies of the Program's
> > source code as you receive it, in any medium, provided that you
> > conspicuously and appropriately publish on each copy an appropriate
> > copyright notice and disclaimer of warranty; keep intact all the
> > notices that refer to this License and to the absence of any warranty;
> > and give any other recipients of the Program a copy of this License
> > along with the Program.
> >
> > That's an existing restriction in the GPL, therefore a restriction in
> > another license for the same thing is acceptable to the GPL for a
> > resultant work. You'll also note above it says "an appropriate
> > copyright notice".
>
> I don't see were is says that another license's restriction that is the
> same as a GPL restriction, but for a different license, is OK.

It says that above under 6- You may not impose any *further*
restrictions on the recipients' exercise of the rights granted herein.

I appriciate your pedantism but in the end it really doesn't matter very
much. This is, aiui anyway, the way Debian interprets the various
licenses. You're welcome to your own interpretation.

Thanks,

Stephen

Stephen Frost wrote:
> > > 1. You may copy and distribute verbatim copies of the Program's
> > > source code as you receive it, in any medium, provided that you
> > > conspicuously and appropriately publish on each copy an appropriate
> > > copyright notice and disclaimer of warranty; keep intact all the
> > > notices that refer to this License and to the absence of any warranty;
> > > and give any other recipients of the Program a copy of this License
> > > along with the Program.
> > >
> > > That's an existing restriction in the GPL, therefore a restriction in
> > > another license for the same thing is acceptable to the GPL for a
> > > resultant work. You'll also note above it says "an appropriate
> > > copyright notice".
> >
> > I don't see were is says that another license's restriction that is the
> > same as a GPL restriction, but for a different license, is OK.
>
> It says that above under 6- You may not impose any *further*
> restrictions on the recipients' exercise of the rights granted herein.
>
> I appriciate your pedantism but in the end it really doesn't matter very
> much. This is, aiui anyway, the way Debian interprets the various
> licenses. You're welcome to your own interpretation.

That was my point --- that it isn't clear what "additional restrictions"
are, and that an advertizing clause or additional license can be
interpreted as the same thing.

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

On Sat, Dec 30, 2006 at 05:03:23PM -0500, Bruce Momjian wrote:
> > I appriciate your pedantism but in the end it really doesn't matter very
> > much. This is, aiui anyway, the way Debian interprets the various
> > licenses. You're welcome to your own interpretation.
>
> That was my point --- that it isn't clear what "additional restrictions"
> are, and that an advertizing clause or additional license can be
> interpreted as the same thing.

Somehow I don't think a statement requiring you to put some guys name
in all your advertising material is the same as requiring you to
preserve the copyright notice.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.

Martijn van Oosterhout wrote:
-- Start of PGP signed section.
> On Sat, Dec 30, 2006 at 05:03:23PM -0500, Bruce Momjian wrote:
> > > I appriciate your pedantism but in the end it really doesn't matter very
> > > much. This is, aiui anyway, the way Debian interprets the various
> > > licenses. You're welcome to your own interpretation.
> >
> > That was my point --- that it isn't clear what "additional restrictions"
> > are, and that an advertizing clause or additional license can be
> > interpreted as the same thing.
>
> Somehow I don't think a statement requiring you to put some guys name
> in all your advertising material is the same as requiring you to
> preserve the copyright notice.

Agreed, but the words "additional restrictions" make no distinction on
the magnitude of additional restrictions.

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

Tom Lane wrote:

>What basically bothers me about this is that trying to support both the
>OpenSSL and GNUTLS APIs is going to be an enormous investment of
>development and maintenance effort, because it's such a nontrivial thing
>
>
Fascinating thread for the holidays. I found it interesting that nobody
has mentioned
NSS (former Netscape SSL library). It has its own bag of problems of
course, but
for me is potentially more attractive than GNU TLS. e.g. it has FIPS-140
certification
and is actively under development by a software company with significant
resources.
It's also very widely deployed. I'm not saying that OpenSSL is bad (it'd
probably be my
first choice), just that there is another option besides GNU TLS.

BTW, if I may throw more gas on the licence debate flames -- the
OpenLDAP client library
depends on OpenSSL, and almost everything depends on OpenLDAP (e.g. PAM,
SASL,
any LDAP-enabled app). In 2003 Steven Frost submitted patches to the OL
code to
add GNU TLS support, but as far as I can tell that code is still not in
the current OpenLDAP
tree. Perhaps Steven could tell us what happened to that effort.

* David Boreham (david_list(at)boreham(dot)org) wrote:
> Fascinating thread for the holidays. I found it interesting that nobody
> has mentioned
> NSS (former Netscape SSL library). It has its own bag of problems of
> course, but
> for me is potentially more attractive than GNU TLS. e.g. it has FIPS-140
> certification
> and is actively under development by a software company with significant
> resources.
> It's also very widely deployed. I'm not saying that OpenSSL is bad (it'd
> probably be my
> first choice), just that there is another option besides GNU TLS.

Not sure what license that's under, but I don't know of any particular
reason it wouldn't be an option other than the work for GNUTLS has
already been done.

> BTW, if I may throw more gas on the licence debate flames -- the
> OpenLDAP client library
> depends on OpenSSL, and almost everything depends on OpenLDAP (e.g. PAM,
> SASL,
> any LDAP-enabled app). In 2003 Steven Frost submitted patches to the OL
> code to
> add GNU TLS support, but as far as I can tell that code is still not in
> the current OpenLDAP
> tree. Perhaps Steven could tell us what happened to that effort.

OpenLDAP upstream didn't want to accept the patch since it was written
by someone other than the person submitting it (Steve Langasek was the
original author). So Debian applied the patch locally and then it got
out of sync with OpenLDAP over time so now there's an effort underway to
port it to the current OpenLDAP branch (aiui anyway). I forget who's
leading that effort (it's not Steve) but I'm pretty sure the goal is to
have GNUTLS support in the next major version. While there were a few
issues initially with GNUTLS in the OpenLDAP library in Debian it didn't
take long for them to be sorted out and it's been what the OpenLDAP
libraries under Debian have been using for quite some time now...

Thanks,

Stephen

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> Martijn van Oosterhout wrote:
> > Somehow I don't think a statement requiring you to put some guys name
> > in all your advertising material is the same as requiring you to
> > preserve the copyright notice.
>
> Agreed, but the words "additional restrictions" make no distinction on
> the magnitude of additional restrictions.

It's got nothing to do with the magnitude from Debian's perspective.
If you'd like to think of it like that, that's fine, but don't
misunderstand Debian's position.

Thanks,

Stephen

* Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> Stephen Frost wrote:
> > I appriciate your pedantism but in the end it really doesn't matter very
> > much. This is, aiui anyway, the way Debian interprets the various
> > licenses. You're welcome to your own interpretation.
>
> That was my point --- that it isn't clear what "additional restrictions"
> are, and that an advertizing clause or additional license can be
> interpreted as the same thing.

The point, from Debian's perspective anyway, is that they're *not* the
same thing and one is an 'additional restriction' while the other isn't.
It's pretty clear that the GPL has a clause requiring the distribution
of the license associated with the work while it has no clause which
requires statements in advertising material.

Thanks,

Stephen

On Sat, 2006-12-30 at 22:18 -0500, Stephen Frost wrote:
> * Bruce Momjian (bruce(at)momjian(dot)us) wrote:
> > Stephen Frost wrote:
> > > I appriciate your pedantism but in the end it really doesn't matter very
> > > much. This is, aiui anyway, the way Debian interprets the various
> > > licenses. You're welcome to your own interpretation.
> >
> > That was my point --- that it isn't clear what "additional restrictions"
> > are, and that an advertizing clause or additional license can be
> > interpreted as the same thing.
>
> The point, from Debian's perspective anyway, is that they're *not* the
> same thing and one is an 'additional restriction' while the other isn't.
> It's pretty clear that the GPL has a clause requiring the distribution
> of the license associated with the work while it has no clause which
> requires statements in advertising material.

Well as has been stated previously by multiple members of this project.
We do not currently see an issue with the licensing and we do not see a
need to further our maintability with GNU TLS.

At this point the argument is just going in circles and is not
productive, secondly at this point it also seems more of an advocacy
discussion than a Hackers discussion. If we wish to continue can we move
it to that list please?

Sincerely,

Joshua D. Drake

--

=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/

Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate

On Sat, Dec 30, 2006 at 05:03:23PM -0500, Bruce Momjian wrote:
> Stephen Frost wrote:
> > I appriciate your pedantism but in the end it really doesn't matter very
> > much. This is, aiui anyway, the way Debian interprets the various
> > licenses. You're welcome to your own interpretation.
> That was my point --- that it isn't clear what "additional restrictions"
> are, and that an advertizing clause or additional license can be
> interpreted as the same thing.

Breaking my claim of silence - I think Stephen has presented the Debian
interpretation, but qualified several times that Debian may be incorrect.

I spent quite a lot of thread space on exactly this issue - that forcing
an additional license to be imposed on the user, is indeed an additional
restriction. People either get it or they don't. It would either stand up
in court or it wouldn't. :-)

Cheers,
mark

--
mark(at)mielke(dot)cc / markm(at)ncf(dot)ca / markm(at)nortel(dot)com __________________________
. . _ ._ . . .__ . . ._. .__ . . . .__ | Neighbourhood Coder
|\/| |_| |_| |/ |_ |\/| | |_ | |/ |_ |
| | | | | \ | \ |__ . | | .|. |__ |__ | \ |__ | Ottawa, Ontario, Canada

One ring to rule them all, one ring to find them, one ring to bring them all
and in the darkness bind them...

http://mark.mielke.cc/

Hi,

I've just read most of that thread and found it rather disappointing.
I'd just like to add my 2 (or 3) cents:

a) I like to have the freedom to choose what software (under which
licenses) I'm using. Thus I'd like to see GNUTLS supported, as it adds
an additional feature to PostgreSQL per se: the option to choose between
different SSL implementations.

b) The other features of Martijn's patch got completely overseen. Can we
(can you Martijn?) break up the patch into smaller pieces and discuss
single independent features, like querying for parameters of the SSL
connection?

c) I'm disappointed at the way licenses are threated here. Being a
developer myself, I'm looking at licenses as a wish of the author about
how to treat his work and how to credit him. I'd like to follow these
wishes as good as I can, instead of stepping into the grey-area and
playing the 'hopefully-no-one-sues-us' game.

In case of the advertising clause, which is very strong, IMO, I think
most authors didn't want to be as strict as they made it sound in the
license. Or did any of the OpenSSL or libjpeg projects ever try to sue
somebody for not having mentioned them in their advertising materials?

You can ask the authors how they really meant it, probably they will
change the wording or even remove the advertising clause entirely. Or
probably they officially state how they meant their advertising clause
to be interpreted. (I'm not aware of the OpenSSL project doing so. While
the FSF states quite clearly that they don't consider such a restriction
to be respectful to their GPL.)

Following that 'better-safe-than-sorry' philosophy, one could ask if
PostgreSQL shouldn't better include the acknowledgements of OpenSSL (and
MIT Kerberos) in all of their advertising materials...

I fully understand and support Debian's point of view and I'd wish more
people would follow that spirit. We'd have much less cases to fight for
in curt and generally live in a better world (TM).

Regards

Markus

On Sun, Dec 31, 2006 at 03:25:42PM +0100, Markus Schiltknecht wrote:
> b) The other features of Martijn's patch got completely overseen. Can we
> (can you Martijn?) break up the patch into smaller pieces and discuss
> single independent features, like querying for parameters of the SSL
> connection?

If I got a single ounce of feedback on them, sure. The only responses
have involved the licence so far. I won't deny some of the other
features were also controversial.

> In case of the advertising clause, which is very strong, IMO, I think
> most authors didn't want to be as strict as they made it sound in the
> license. Or did any of the OpenSSL or libjpeg projects ever try to sue
> somebody for not having mentioned them in their advertising materials?

Please read the OpenSSL-GPL FAQ. They themselves acknowledge it's a
problem, but claim they fall under the "operating system exception",
which is fine for everyone except the distributor of the operating
system.

http://www.openssl.org/support/faq.html#LEGAL2

They recommend that if you want to use OpenSSL, use a licence other
than the GPL.

Wikipedia also has more information about this.

http://en.wikipedia.org/wiki/OpenSSL

> You can ask the authors how they really meant it, probably they will
> change the wording or even remove the advertising clause entirely. Or
> probably they officially state how they meant their advertising clause
> to be interpreted. (I'm not aware of the OpenSSL project doing so. While
> the FSF states quite clearly that they don't consider such a restriction
> to be respectful to their GPL.)

The original authors have been asked and apparently can't be found or
don't care. I strongly suggest you read the openssl archives before
opening this can of worms. Note the authors involved are no longer part
of OpenSSL, they have another SSL library, so they're probably not
inclined to be nice.

> Following that 'better-safe-than-sorry' philosophy, one could ask if
> PostgreSQL shouldn't better include the acknowledgements of OpenSSL (and
> MIT Kerberos) in all of their advertising materials...

AIUI all compiled distributions of postgresql using openssl do actually
include such. For example the Windows Installer.

> I fully understand and support Debian's point of view and I'd wish more
> people would follow that spirit. We'd have much less cases to fight for
> in curt and generally live in a better world (TM).

We're in the bizarre situation were both Debian and the OpenSSL groups
beleive it is a problem, and postgresql does not. Quite odd.

Have a nice day,
--
Martijn van Oosterhout <kleptog(at)svana(dot)org> http://svana.org/kleptog/
> From each according to his ability. To each according to his ability to litigate.