[Pkg-ossec-devel] [ossec-dev] OpenSSL exception

Javier Fernández-Sanguino Peña jfs at computer.org
Wed Aug 3 21:47:11 UTC 2011 

On Wed, Aug 03, 2011 at 11:37:54AM -0300, Daniel Cid wrote:
> So what exactly needs to be added to the license? I will send that to
> the Trend team for addition...

I believe the following text should do it:

"In addition, as a special exception, the copyright holders give permission
to link the code of portions of this program with the OpenSSL library under
certain conditions as described in each individual source file, and
distribute linked combinations including the two.

You must obey the GNU General Public License in all respects for all of the
code used other than OpenSSL. If you modify file(s) with this exception, you
may extend this exception to your version of the file(s), but you are not
obligated to do so. If you do not wish to do so, delete this exception
statement from your version. If you delete this exception statement from all
source files in the program, then also delete it here."

This should be added in the header of source files that link to OpenSSL. See
attached example file (gpl-openssl-header.txt) for a header.

In addition, to clarify the situation, the attached file LICENSE.OpenSSL
could be added to the source code's alongside the LICENSE file

For more information see:
 - http://people.gnome.org/~markmc/openssl-and-the-gpl.html
 - http://lists.debian.org/debian-legal/2004/05/msg00595.html

> Also, OpenSSL doesn't need to be added (and everything should work
> fine). In fact, that's how we support
> systems without openssl-dev installed... We just link to it for small
> performance gains (when generating the
> sha1 hashes).

In OSSEC you are actually embedding OpenSSL code directly, so the exception
is required, regardless of whether (in the build) the code links to the
OpenSSL's system libraries or to the OpenSSL code built from the OpenSSL
code you include.

More specifically, the files src/os_crypto/sha1/md32_common.h,
src/os_crypto/sha1/sha.h, and src/os_crypto/sha1/sha_locl.h seem to come
straight form the OpenSSL library.

This being the case, the license exception needs to be added. If you want to
prevent this exception then you could replace the OpenSSL implementation and
use the GNU TLS library, which provides the same functions you use. This
library is GPL-compatible.

Historically, some projects have decided in the past to move from the OpenSSL
library to the GNU TLS because of these license incompatibilities.


Regards


Javier






-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 190 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-ossec-devel/attachments/20110803/02676965/attachment.pgp>

More information about the Pkg-ossec-devel mailing list