Can't redistribute result of linking with Xapian and OpenSSL

[ojwb]

Forwarded from https://bugs.debian.org/833692

Bad news everyone - pinot links libxapian (which is GPLv2+) and openssl (which has a GPLv2+-incompatible advertising clause in its licence) into the same binary:

$ ldd /usr/lib/pinot/backends/libxapianbackend.so|grep 'xapian\|ssl'
        libssl.so.1.0.2 => /usr/lib/x86_64-linux-gnu/libssl.so.1.0.2 (0x00007f079530e000)
  libxapian.so.22 => /usr/lib/x86_64-linux-gnu/libxapian.so.22 (0x00007f0794aa6000)
$ dpkg -S /usr/lib/pinot/backends/libxapianbackend.so
pinot: /usr/lib/pinot/backends/libxapianbackend.so

I'm part of Xapian upstream, and with that hat on I can say we aren't able to add an exception clause to the licence as there are copyright holders who aren't interested in relicensing.

In the long term we're hoping to eliminate the non-relicensable code from libxapian and release it under a more liberal licence, but that's not imminent - a shorter-term way to resolve this for pinot in Debian is needed.

It looks to me like you can probably build-depend on libcurl4-gnutls-dev or libcurl4-nss-dev instead of libcurl4-openssl-dev (and drop libssl-dev) except that the upstream configure script thinks it needs openssl if curl-config --features|grep -i SSL is non-empty.

The part of this that's especially relevant upstream is that the configure test for when OpenSSL is needed seems to be wrong in some cases, making it harder to build binaries you can actually distribute.

But if it's feasible, avoiding using the combination of Xapian and OpenSSL would be good with the licensing of each as it currently is.

[ojwb]

FWIW, it seems OpenSSL is intending to relicense as Apache v2:

https://www.openssl.org/blog/blog/2015/08/01/cla/

Though that was 18 months ago and there's no public update I can see.

[ojwb]

Looks like this was addressed in 3a40d5abe159a106f3aabaedf1a199020946b3b5 so closing.