[U-Boot] u-boot Licensing exception with OpenSSL

[U-Boot] u-boot Licensing exception with OpenSSL

[Vagrant Cascadian]

There are a few targets (clearfog, turris_omnia) and features (signing
in mkimage) in the Debian build of u-boot that have been avoided due to
lack of clarity on Licensing issues regarding GPL and OpenSSL
compatibility issues.

A reasonable description of the issue GPL linking against OpenSSL issue:

  https://people.gnome.org/~markmc/openssl-and-the-gpl.html


It seems like Licenses/Exceptions might be attempting to address this
issue, but it is not absolutely clear that this applies to linking
against OpenSSL:

GPL License Exception:

  Even though U-Boot in general is covered by the GPL-2.0/GPL-2.0+,
  this does *not* cover the so-called "standalone" applications that
  use U-Boot services by means of the jump table provided by U-Boot
  exactly for this purpose - this is merely considered normal use of
  U-Boot, and does *not* fall under the heading of "derived work".

    The header files "include/image.h" and "arch/*/include/asm/u-boot.h"
  define interfaces to U-Boot.  Including these (unmodified) header
  files in another file is considered normal use of U-Boot, and does
  *not* fall under the heading of "derived work".
  -- Wolfgang Denk


Some recommended text to apply an explicit exemption for GPL+OpenSSL:

  https://lists.debian.org/debian-legal/2004/05/msg00595.html
  https://doc.qt.io/qt-5/qtnetwork-index.html#licenses-and-attributions

Some example text taken from
https://sources.debian.net/src/offlineimap/7.1.2%2Bdfsg1-1/COPYING/#L353

 In addition, as a special exception, the copyright holders give
 permission to link the code of portions of this program with the OpenSSL
 library under certain conditions as described in each individual source
 file, and distribute linked combinations including the two.
 .
 You must obey the GNU General Public License in all respects for all of
 the code used other than OpenSSL. If you modify file(s) with this
 exception, you may extend this exception to your version of the file(s),
 but you are not obligated to do so. If you do not wish to do so, delete
 this exception statement from your version. If you delete this exception
 statement from all source files in the program, then also delete it
 here.


If most explicit clarification could be made on this issue, ideally
through commits to u-boot git, I would be able to enable more features
in the u-boot packages in Debian!

Thanks!

live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20171125/bd0997c7/attachment.sig>

[U-Boot] u-boot Licensing exception with OpenSSL

[Tom Rini]

On Sat, Nov 25, 2017 at 12:50:47PM -0800, Vagrant Cascadian wrote:

> There are a few targets (clearfog, turris_omnia) and features (signing
> in mkimage) in the Debian build of u-boot that have been avoided due to
> lack of clarity on Licensing issues regarding GPL and OpenSSL
> compatibility issues.
> 
> A reasonable description of the issue GPL linking against OpenSSL issue:
> 
>   https://people.gnome.org/~markmc/openssl-and-the-gpl.html
> 
> 
> It seems like Licenses/Exceptions might be attempting to address this
> issue, but it is not absolutely clear that this applies to linking
> against OpenSSL:
> 
> GPL License Exception:
> 
>   Even though U-Boot in general is covered by the GPL-2.0/GPL-2.0+,
>   this does *not* cover the so-called "standalone" applications that
>   use U-Boot services by means of the jump table provided by U-Boot
>   exactly for this purpose - this is merely considered normal use of
>   U-Boot, and does *not* fall under the heading of "derived work".
> 
>     The header files "include/image.h" and "arch/*/include/asm/u-boot.h"
>   define interfaces to U-Boot.  Including these (unmodified) header
>   files in another file is considered normal use of U-Boot, and does
>   *not* fall under the heading of "derived work".
>   -- Wolfgang Denk
> 
> 
> Some recommended text to apply an explicit exemption for GPL+OpenSSL:
> 
>   https://lists.debian.org/debian-legal/2004/05/msg00595.html
>   https://doc.qt.io/qt-5/qtnetwork-index.html#licenses-and-attributions
> 
> Some example text taken from
> https://sources.debian.net/src/offlineimap/7.1.2%2Bdfsg1-1/COPYING/#L353
> 
>  In addition, as a special exception, the copyright holders give
>  permission to link the code of portions of this program with the OpenSSL
>  library under certain conditions as described in each individual source
>  file, and distribute linked combinations including the two.
>  .
>  You must obey the GNU General Public License in all respects for all of
>  the code used other than OpenSSL. If you modify file(s) with this
>  exception, you may extend this exception to your version of the file(s),
>  but you are not obligated to do so. If you do not wish to do so, delete
>  this exception statement from your version. If you delete this exception
>  statement from all source files in the program, then also delete it
>  here.
> 
> 
> If most explicit clarification could be made on this issue, ideally
> through commits to u-boot git, I would be able to enable more features
> in the u-boot packages in Debian!

So, the most likely thing that could be accomplished (as I don't see how
we could add exemptions without some legal consult) would be to re-write
the small areas in question to use libgnutls rather than openssl for
checking the certificates, etc.

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20171204/1fd34872/attachment.sig>

[U-Boot] u-boot Licensing exception with OpenSSL

[Vagrant Cascadian]

On 2017-12-04, Tom Rini wrote:
> On Sat, Nov 25, 2017 at 12:50:47PM -0800, Vagrant Cascadian wrote:
>
>> There are a few targets (clearfog, turris_omnia) and features (signing
>> in mkimage) in the Debian build of u-boot that have been avoided due to
>> lack of clarity on Licensing issues regarding GPL and OpenSSL
>> compatibility issues.
...
> So, the most likely thing that could be accomplished (as I don't see how
> we could add exemptions without some legal consult) would be to re-write
> the small areas in question to use libgnutls rather than openssl for
> checking the certificates, etc.

Thanks for the response!

Yes, adding an exception would require, at the very least, tracking down
all copyright holders to the portions of the code that include openssl
headers and/or code...

Switching to gnutls would definitely be an ideal solution from my
perspective packaging u-boot in Debian, though I'm not sure I can
personally commit to making it happen.

A rough starting point for which code may need to be modified:

  $ git grep -i include.*openssl
  include/image.h:# include  <openssl/evp.h>
  lib/rsa/rsa-sign.c:#include <openssl/bn.h>
  lib/rsa/rsa-sign.c:#include <openssl/rsa.h>
  lib/rsa/rsa-sign.c:#include <openssl/pem.h>
  lib/rsa/rsa-sign.c:#include <openssl/err.h>
  lib/rsa/rsa-sign.c:#include <openssl/ssl.h>
  lib/rsa/rsa-sign.c:#include <openssl/evp.h>
  lib/rsa/rsa-sign.c:#include <openssl/engine.h>
  tools/kwbimage.c:#include <openssl/bn.h>
  tools/kwbimage.c:#include <openssl/rsa.h>
  tools/kwbimage.c:#include <openssl/pem.h>
  tools/kwbimage.c:#include <openssl/err.h>
  tools/kwbimage.c:#include <openssl/evp.h>
  tools/mxsimage.c:#include <openssl/evp.h>


live well,
  vagrant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20171205/0a7aec6b/attachment.sig>