To: freebsd-ports@freebsd.org
From: Matthias Andree
Date: Wed, 30 Apr 2003 01:17:53 +0200
Subject: RFC: OpenSSL vs. GNU GPL (affects security/openvpn)?

Hi,

it has recently been brought to my attention that the OpenVPN package links against both OpenSSL (which is under a BSD-derived license with advertising clause) and LZO (which is under the GNU GPL). OpenVPN itself includes an exception to the GNU GPL allowing linking against OpenSSL.

The OpenVPN developers and Debian packagers (who brought this up first) haven't yet been able to get special permission or a license change to link LZO against OpenSSL (they sent a mail to the LZO maintainer in January), so it seems there are now two options (there is a third one but I don't consider that viable):

1. declare NOPACKAGE in the Makefile. That way, only the end user performs the link, but he doesn't redistribute the code, so the advertising clause doesn't bite the GNU GPL (is that correct?). This can cause user inconvenience.

2. remove LZO (real-time compression) support from OpenVPN. This can cause compatibility problems.

(3. Replace OpenSSL with some similar software that has a license compatible with the GPL. GNUTLS is to become something like this, but the maturity is unknown.)

How do I go about this now? I tend to use #1. Opinions? Is #1 sufficient to solve the licensing issue?

-- 
Matthias Andree