2
0

DISTRO-DILEMMA 7.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176
  1. Date: February 11, 2007
  2. Author: Daniel Stenberg <daniel@haxx.se>
  3. URL: http://curl.haxx.se/legal/distro-dilemma.html
  4. Condition
  5. This document is written to describe the situation as it is right now.
  6. libcurl 7.16.1 is currently the latest version available. Things may of
  7. course change in the future.
  8. This document reflects my view and understanding of these things. Please tell
  9. me where and how you think I'm wrong, and I'll try to correct my mistakes.
  10. Background
  11. The Free Software Foundation has deemed the Original BSD license[1] to be
  12. "incompatible"[2] with GPL[3]. I'd rather say it is the other way around, but
  13. the point is the same: if you distribute a binary version of a GPL program,
  14. it MUST NOT be linked with any Original BSD-licensed parts or libraries.
  15. Doing so will violate the GPL license. For a long time, very many GPL
  16. licensed programs have avoided this license mess by adding an exception[8] to
  17. their license. And many others have just closed their eyes for this problem.
  18. libcurl is MIT-style[4] licensed - how on earth did this dilemma fall onto
  19. our plates?
  20. libcurl is only a little library. libcurl can be built to use OpenSSL for its
  21. SSL/TLS capabilities. OpenSSL is basically Original BSD licensed[5].
  22. If libcurl built to use OpenSSL is used by a GPL-licensed application and you
  23. decide to distribute a binary version of it (Linux distros - for example -
  24. tend to), you have a clash. GPL vs Original BSD.
  25. This dilemma is not libcurl-specific nor is it specific to any particular
  26. Linux distro. (This article mentions and refers to Debian several times, but
  27. only because Debian seems to be the only Linux distro to have faced this
  28. issue yet since no other distro is shipping libcurl built with two SSL
  29. libraries.)
  30. Part of the Operating System
  31. This would not be a problem if the used lib would be considered part of the
  32. underlying operating system, as then the GPL license has an exception
  33. clause[6] that allows applications to use such libs without having to be
  34. allowed to distribute it or its sources. Possibly some distros will claim
  35. that OpenSSL is part of their operating system.
  36. Debian does however not take this stance and has officially(?) claimed that
  37. OpenSSL is not a required part of the Debian operating system
  38. Some people claim that this paragraph cannot be exploited this way by a Linux
  39. distro, but I am not a lawyer and that is a discussion left outside of this
  40. document.
  41. GnuTLS
  42. Since May 2005 libcurl can get built to use GnuTLS instead of OpenSSL. GnuTLS
  43. is an LGPL[7] licensed library that offers a matching set of features as
  44. OpenSSL does. Now, you can build and distribute an TLS/SSL capable libcurl
  45. without including any Original BSD licensed code.
  46. I believe Debian is the first (only?) distro that provides libcurl/GnutTLS
  47. packages.
  48. yassl
  49. libcurl can get also get built to use yassl for the TLS/SSL layer. yassl is a
  50. GPL[3] licensed library.
  51. GnuTLS vs OpenSSL vs yassl
  52. While these three libraries offer similar features, they are not equal.
  53. libcurl does not (yet) offer a standardized stable ABI if you decide to
  54. switch from using libcurl-openssl to libcurl-gnutls or vice versa. The GnuTLS
  55. and yassl support is very recent in libcurl and it has not been tested nor
  56. used very extensively, while the OpenSSL equivalent code has been used and
  57. thus matured since 1999.
  58. GnuTLS
  59. - LGPL licensened
  60. - supports SRP
  61. - lacks SSLv2 support
  62. - lacks MD2 support (used by at least some CA certs)
  63. - lacks the crypto functions libcurl uses for NTLM
  64. OpenSSL
  65. - Original BSD licensened
  66. - lacks SRP
  67. - supports SSLv2
  68. - older and more widely used
  69. - provides crypto functions libcurl uses for NTLM
  70. - libcurl can do non-blocking connects with it in 7.15.4 and later
  71. yassl
  72. - GPL licensed
  73. - much untested and unproven in the real work by (lib)curl users so we don't
  74. know a lot about restrictions or benefits from using this
  75. The Better License, Original BSD, GPL or LGPL?
  76. It isn't obvious or without debate to any objective interested party that
  77. either of these licenses are the "better" or even the "preferred" one in a
  78. generic situation.
  79. Instead, I think we should accept the fact that the SSL/TLS libraries and
  80. their different licenses will fit different applications and their authors
  81. differently depending on the applications' licenses and their general usage
  82. pattern (considering how GPL and LGPL libraries for example can be burdensome
  83. for embedded systems usage).
  84. In Debian land, there seems to be a common opinion that LGPL is "maximally
  85. compatible" with apps while Original BSD is not. Like this:
  86. http://lists.debian.org/debian-devel/2005/09/msg01417.html
  87. More SSL Libraries
  88. In libcurl, there's no stopping us here. There are more Open Source/Free
  89. SSL/TLS libraries out there and we would very much like to support them as
  90. well, to offer application authors an even wider scope of choice.
  91. Application Angle of this Problem
  92. libcurl is built to use one SSL/TLS library. It uses a single fixed name (by
  93. default) on the built/created lib file, and applications are built/linked to
  94. use that single lib. Replacing one libcurl instance with another one that
  95. uses the other SSL/TLS library might break one or more applications (due to
  96. ABI differences and/or different feature set). You want your application to
  97. use the libcurl it was built for.
  98. Project cURL Angle of this Problem
  99. We distribute libcurl and everyone may build libcurl with either library at
  100. their choice. This problem is not directly a problem of ours. It merely
  101. affects users - GPL application authors only - of our lib as it comes
  102. included and delivered on some distros.
  103. libcurl has different ABI when built with different SSL/TLS libraries due to
  104. these reasons:
  105. 1. No one has worked on fixing this. The mutex/lock callbacks should be set
  106. with a generic libcurl function that should use the proper underlying
  107. functions.
  108. 2. The CURLOPT_SSL_CTX_FUNCTION option is not possible to "emulate" on GnuTLS
  109. but simply requires OpenSSL.
  110. 3. There might be some other subtle differences just because nobody has yet
  111. tried to make a fixed ABI like this.
  112. Distro Angle of this Problem
  113. To my knowledge there is only one distro that ships libcurl built with either
  114. OpenSSL or GnuTLS.
  115. Debian Linux is now (since mid September 2005) providing two different
  116. libcurl packages, one for libcurl built with OpenSSL and one built with
  117. GnuTLS. They use different .so names and can this both be installed in a
  118. single system simultaneously. This has been said to be a transitional system
  119. not desired to keep in the long run.
  120. Footnotes
  121. [1] = http://www.xfree86.org/3.3.6/COPYRIGHT2.html#6
  122. [2] = http://www.fsf.org/licensing/essays/bsd.html
  123. [3] = http://www.fsf.org/licensing/licenses/gpl.html
  124. [4] = http://curl.haxx.se/docs/copyright.html
  125. [5] = http://www.openssl.org/source/license.html
  126. [6] = http://www.fsf.org/licensing/licenses/gpl.html end of section 3
  127. [7] = http://www.fsf.org/licensing/licenses/lgpl.html
  128. [8] = http://en.wikipedia.org/wiki/OpenSSL_exception
  129. Feedback/Updates provided by
  130. Eric Cooper