afaerber/meson-tools

License issue with OpenSSL and GPL

vagrantc opened this issue · 6 comments

While attempting to package this for Debian, I realized that this has GPLed code that links against OpenSSL, as described here:
https://lintian.debian.org/tags/possible-gpl-code-linked-with-openssl.html

The recommended workaround is to create a license exception:
https://www.gnu.org/licenses/gpl-faq.en.html#GPLIncompatibleLibs

Thanks for catching this. Please see also issue #1.

Would you consider updating the license to add a GPL exception to link against OpenSSL, or otherwise resolve this license issue?

Thanks for considering!

live well,
vagrant

If you could propose a concrete solution, that would help - your links seem rather vague. Any particular SPDX tag to use?

Here's an example from the OpenVPN project:

https://spdx.org/licenses/archive/archived_ll_v2.4/openvpn-openssl-exception.html

Though it's very OpenVPN-specific, it looks like the sort of language I've seen recommended.

This lists a variety of license exceptions, not all GPL+OpenSSL related:

https://spdx.org/licenses/archive/archived_ll_v2.4/exceptions-index.html

I'm not sure what best practices with SPDX are for creating one-off license exceptions, since it's essentially a one-off license heavily based on the primary license.

Simply adding the appropriate exception text to the COPYING, or a COPYING.exceptions or LICENSE/LICENSE.exceptions might be the way to actually implement it.

Resolved by adding SPDX openvpn-openssl-exception.

The text of the SPDX openvpn-openssl-exception seems a bit overly specific:

https://spdx.org/licenses/openvpn-openssl-exception.html

"In addition, as a special exception, OpenVPN Technologies, Inc. gives permission..."

I don't think OpenVPN Technologies, Inc. giving permission is appropriate, unless they are the copyright holders of meson-tools, so the license still seems ambiguous to me... though otherwise that exception seems to work. Seems an overly specific license exception to encode in an SPDX identifier.

Simply copying the text of the exception and making COPYING.exceptions, removing the explicit part about OpenVPN Technologies, Inc., would seem safer, though then relying on SPDX identifiers wouldn't exactly be correct. Or spelling out in the README.md what "SPDX-License-Identifier: GPL-2.0-or-later WITH openvpn-openssl-exception" is intended to mean would probably suffice, in my opinion.