[draft] debian_support.py relicensing under GPL2+ with OpenSSL exception

Stefano Zacchiroli zack at debian.org
Sat Jun 21 10:31:36 UTC 2014


Hi Stuart, thanks for your analysis.

On Fri, Jun 20, 2014 at 11:18:18AM +1000, Stuart Prescott wrote:
> I'm unconvinced there is a problem to begin with and relicensing like
> this states that there is a problem. In some way that then sets a
> precedent in the same way an undisputed post to debian-legal is later
> used to set a precedent. (I know that's not how Debian is supposed to
> work, but with licensing matters, that is the de facto procedure.)

I'm convinced there is a license incompatibility problem with a plain,
unconditional, "import hashlib" which is what we had before John's
workaround. (But see below for the [non-]authoritativeness of my
personal legal opinion on this matter.)

OTOH, it seems to me we all agree that the current workaround is sound
from the license POV, but suboptimal from a technical standpoint, due to
its reliance on an internal interface. Still at the technical level,
even though we haven't discussed that explicitly before now, it's hard
to dispute that a plain, unconditional, "import hashlib" is the most
appropriate solution.

The reason I therefore consider relicensing the best option is then that
it gives us the best of the two (legal and technical) worlds.

> Rather than rushing to relicense, I would rather ask the people whose 
> opinion really matters on questions of licence compatibility: ftp-masters. 

I do agree with this, as my legal take on this is certainly not
authoritative for Debian-related purposes.

The next action here is then contacting ftp-master officially, asking
for a ruling, and preferably doing so publicly so that we gain guidance
for future instances of this problem.  Any volunteer for doing so?


(FWIW, I see it as very unlikely that they rule that unconditional "import
 hashlib" is fine, so what we can get out of this is probably that some
 *conditional* scheme for importing hashlib is "fine". If that would
 result in inducing our users to load, in all but exceptional
 circumstances, the OpenSSL-licensed hashlib module together with the
 GPL-licensed debian_support module, I would consider such a "solution"
 ethically questionable.)

> Further, we would also be deciding that all GPL'd users of stdlib's
> hashlib, urllib, random, threading, multiprocessing, subprocess, os,
> logging, trace, Queue, cookielib, email, uuid, distutils/upload,
> imaplib, poplib, ... (and probably others that I missed) were
> problematic because each of these standard modules directly or
> transitively and sometimes conditionally imports hashlib. (And we'd be
> applying that to transitive use too.)

Yes: the OpenSSL/GPL incompatibility is a mess, and that's kinda old
news :)

> One final comment, you would also need to relicense
> test_debian_support.py, not just debian_support.py

Right, I overlooked that, but I agree they would need to be relicensed
too.


Cheers.
-- 
Stefano Zacchiroli  . . . . . . .  zack at upsilon.cc . . . . o . . . o . o
Maître de conférences . . . . . http://upsilon.cc/zack . . . o . . . o o
Former Debian Project Leader  . . @zack on identi.ca . . o o o . . . o .
« the first rule of tautology club is the first rule of tautology club »