[debian-mysql] Bug#921488: libmariadb3: OpenSSL license contamination of GPL reverse-dependencies

Steve Langasek vorlon at debian.org
Wed Feb 6 01:56:00 GMT 2019 

Package: libmariadb3
Version: 1:10.3.12-2
Severity: serious
Affects: w1retap
Justification: renders many Debian packages undistributable

Hello,

It's come to my attention that in buster and unstable, packages which
build-depend on default-libmysqlclient-dev wind up linked against
libmariadb3, which in turn links against OpenSSL (libssl1.1).

This includes software which is licensed under the GPL and uses the MySQL
APIs.  (Example: w1retap)

It is well understood that the OpenSSL license is not "compatible" with the
GPL (either version 2 or 3); and furthermore, Debian has long taken the
position that, unless a license exception is granted by the copyright
holders, a package which is distributed under the GPL must only link to
libraries whose licenses are also GPL-compatible in order for it to be
included in Debian.

There is bug #787118 requesting that mariadb-server use OpenSSL instead of
YaSSL; this bug is still open in the BTS despite the fact that mariadb does
now link against OpenSSL.  This bug also acknowledges the need for a license
exception for MariaDB itself to ship linked against OpenSSL, but the license
compatibility problem for reverse-dependencies of the client library seems
to have been overlooked.

I cannot find any discussion of the switch from yassl to openssl in the
mariadb-10.3 changelog, so as near as I can see, there has been no explicit
consideration of the licensing implications.

I am opening this as a serious bug, since I believe this makes a large and
indeterminate number of packages non-distributable in buster.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                   https://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-mysql-maint/attachments/20190205/6159f7c8/attachment.sig>

More information about the pkg-mysql-maint mailing list