CUPS is now linked against OpenSSL (was: Re: GnuTLS in Debian)

Sat Jan 11 16:55:23 UTC 2014

Hi all,

this "GnuTLS in Debian" thread triggered my switch of the src:cups 
package from linking against GnuTLS to now link against OpenSSL. CUPS is 
GPL-2 only with an OpenSSL exception.

Today, Andreas rightly pointed to me that this induces a problem (for 
Debian) for all GPL-without-OpenSSL-exception programs linked against 
libcups2. As far as I understand our current stance on that problem, 
GPL-licensed programs without an OpenSSL exception are absolutely 
forbidden to link with it, even indirectly.

Now, for the actual situation: I initially switched cups following my 
option 0) aka:

0) "move away from GnuTLS as its newer versions are incompatible with
    GPL-2, use OpenSSL as cups is allowed to be linked against it"

… but I had overlooked the indirect linking problem.

Now, as far as I understood the thread, there are suggestions floating 
around to stop caring about this incompatibility and just consider "as a 
project" that OpenSSL is a system library, but this decision hasn't been 
formally taken yet.

So as far as CUPS is concerned, I see three ways forward:

1) revert the switch to OpenSSL and link against GnuTLS 2. This
   basically postpones the question to the moment when GnuTLS 2 is
   removed from Debian. As I understood the thread, GnuTLS 2 is likely
   to be removed from testing before the freeze, right?

2) switch to GnuTLS 3. This is not allowed because GnuTLS 3 is GPL-3 and
   CUPS is GPL-2 only.

3) report RC bugs against all packages linking against libcups2
   which licenses don't allow indirect linking to OpenSSL (mostly GPL-
   -without-OpenSSL-exception) and hope that fixes can be found license-
   -wise. There are >= 38 packages build-depending on libcups2-dev and
   >= 120 packages depending on libcups2. Also, I am not aware of tools 
   to detect this incompatibility automatically. I also doubt we'll be
   able to find solutions for all packages; yet libcups2 is quite
   important in desktop stacks.

So there is apparently no good solution on the long-term if the need for 
OpenSSL exceptions isn't waived. For now, I'm leaning towards solution 
1) to avoid willingly introducing dozens of RC bugs in testing when 
libcups2 enters testing (unless I create a "maintainer RC bug" blocked 
by all the 3)-created bugs).

I would really welcome opinions and advices on this matter.

Many thanks in advance, cheers,

OdyX
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20140111/56fa7669/attachment.sig>