CUPS is now linked against OpenSSL (was: Re: GnuTLS in Debian)
Didier 'OdyX' Raboud
odyx at debian.org
Sat Jan 11 16:55:23 UTC 2014
This "GnuTLS in Debian" thread triggered my switch of the src:cups
package from linking against GnuTLS to now link against OpenSSL. CUPS is
GPL-2 only with an OpenSSL exception.
Today, Andreas rightly pointed out to me that this induces a problem (for
Debian) for all GPL-without-OpenSSL-exception programs linked against
libcups2. As far as I understand our current stance on that problem,
GPL-licensed programs without an OpenSSL exception are absolutely
forbidden to link with it, even indirectly.
Now, for the actual situation: I initially switched cups following my
option 0) aka:
0) "move away from GnuTLS as its newer versions are incompatible with
GPL-2, use OpenSSL as cups is allowed to be linked against it"
… but I had overlooked the indirect linking problem.
Now, as far as I understood the thread, there are suggestions floating
around to stop caring about this incompatibility and just consider "as a
project" that OpenSSL is a system library, but this decision hasn't been
formally taken yet.
So as far as CUPS is concerned, I see three ways forward:
1) revert the switch to OpenSSL and link against GnuTLS 2. This
basically postpones the question to the moment when GnuTLS 2 is
removed from Debian. As I understood the thread, GnuTLS 2 is likely
to be removed from testing before the freeze, right?
2) switch to GnuTLS 3. This is not allowed because GnuTLS 3 is GPL-3 and
CUPS is GPL-2 only.
3) report RC bugs against all packages linking against libcups2
whose licenses don't allow indirect linking to OpenSSL (mostly
GPL-without-OpenSSL-exception) and hope that fixes can be found
license-wise. There are >= 38 packages build-depending on libcups2-dev and
>= 120 packages depending on libcups2. Also, I am not aware of tools
to detect this incompatibility automatically. I also doubt we'll be
able to find solutions for all packages; yet libcups2 is quite
important in desktop stacks.
So there is apparently no good solution in the long term if the need for
OpenSSL exceptions isn't waived. For now, I'm leaning towards solution
1) to avoid willingly introducing dozens of RC bugs in testing when
libcups2 enters testing (unless I create a "maintainer RC bug" blocked
by all the 3)-created bugs).
I would really welcome opinions and advice on this matter.
Many thanks in advance, cheers,