CUPS is now linked against OpenSSL (and will stay GPLv2-only)

roucaries bastien roucaries.bastien+debian at gmail.com
Tue Jan 14 10:21:04 UTC 2014 

On Tue, Jan 14, 2014 at 10:53 AM, Didier 'OdyX' Raboud <odyx at debian.org> wrote:
> Le lundi, 13 janvier 2014, 17.38:12 Didier Raboud a écrit :
>> Le samedi, 11 janvier 2014, 14.22:28 Daniel Kahn Gillmor a écrit :
>> >  0) ask CUPS to move from GPL2 to GPL2+ (with or without OpenSSL
>> >     exception)
>>
>> As asking generally can't hurt, I have filed
>> https://cups.org/str.php?L4337 on the upstream bugtracker to discuss
>> that. I'll keep the list posted.
>
> The answer came back faster than I expected and is public [1], I'm
> quoting it here for completeness' sake:
>
> Le lundi, 13 janvier 2014, 14:24:33 Michael Sweet a écrit :
>> We cannot, for a number of legal and (Apple) liability reasons,
>> relicense CUPS as [L]GPL2+.  It will never happen.
>>
>> OpenSSL support has been removed from the CUPS 2.0 source code and is
>> not an option.
>>
>> That leaves you with using GnuTLS ([L]GPL2/3) or porting Apple's
>> CDSA/Security code (Apache license), although the Apache license may
>> not be GPL3 compatible according to the FSF.  Given that GnuTLS is
>> included with basically every Linux distribution as a standard OS
>> component, it SHOULD automatically fall under the [L]GPL2/3 exception
>> for system libraries (just as OpenSSL should have fallen under the
>> same exception...)  If not, then I humbly suggest you talk to the FSF.
>
> Now, for the set of options he described:
>
> 1) OpenSSL
>    As he claims that OpenSSL has been removed from the master CUPS
>    branch, I think that this, by itself, disqualifies the linking of
>    libcups2 against OpenSSL, as it would be a dead end.
>
> 2) GnuTLS
>    2.x is useable but deprecated, 3.x is GPLv3+ through GMP. We're back
>    to "talk to the FSF to license GMP back to LGPLv2+"
>
> 3) Apple CDSA / libsecurity
>    From [1], this is currently being deprecated by Apple from OSX v10.7.
>    Also, it licensed under the APSL [Apple Public Source License] which
>    is incompatible with the GPL. It isn't packaged in Debian as far as I
>    could find.

4/ Port to lib nss using  comptability layer.


> So in the current situation, I don't see any good long-term solution but
> a port to another license-compatible library such as polarssl…
>
> Cheers,
> OdyX
>
> [1] And GPG-signed:
>     http://www.cups.org/pipermail/cups-devel/2014-January/014768.html
>
> --
> debian-science-maintainers mailing list
> debian-science-maintainers at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/debian-science-maintainers

More information about the debian-science-maintainers mailing list