afaerber / meson-tools

Tools for Amlogic Meson ARM platforms
GNU General Public License v2.0

License issue with OpenSSL and GPL #5

Closed: vagrantc closed this issue 5 years ago

vagrantc commented 7 years ago

While attempting to package this for Debian, I realized that this has GPLed code that links against openssl, as described here: https://lintian.debian.org/tags/possible-gpl-code-linked-with-openssl.html

The recommended workaround is to create a license exception: https://www.gnu.org/licenses/gpl-faq.en.html#GPLIncompatibleLibs

afaerber commented 7 years ago

Thanks for catching this. Please see also issue #1.

vagrantc commented 5 years ago

Would you consider updating the license to add a GPL exception to link against openssl, or otherwise resolve this license issue?

Thanks for considering!

live well, vagrant

afaerber commented 5 years ago

If you could propose a concrete solution, that would help - your links seem rather vague. Any particular SPDX tag to use?

vagrantc commented 5 years ago

Here's an example from the OpenVPN project:

https://spdx.org/licenses/archive/archived_ll_v2.4/openvpn-openssl-exception.html

Though it's very openvpn specific, it looks like the sort of language I've seen recommended.

This lists a variety of license exceptions, not all GPL+OpenSSL related:

https://spdx.org/licenses/archive/archived_ll_v2.4/exceptions-index.html

I'm not sure what best practices with SPDX are for creating one-off license exceptions, since it's essentially a one-off license heavily based on the primary license.

Simply adding the appropriate exception text to the COPYING, or a COPYING.exceptions or LICENSE/LICENSE.exceptions might be the way to actually implement it.

afaerber commented 5 years ago

Resolved by adding SPDX openvpn-openssl-exception.

vagrantc commented 5 years ago

The text of the SPDX openvpn-openssl-exception seems a bit overly specific:

https://spdx.org/licenses/openvpn-openssl-exception.html

"In addition, as a special exception, OpenVPN Technologies, Inc. gives permission..."

I don't think OpenVPN Technologies, Inc. giving permission is appropriate, unless they are the copyright holders of meson-tools, so the license still seems ambiguous to me... though otherwise that exception seems to work. Seems an overly specific license exception to encode in an SPDX identifier.

Simply copying the text of the exception and making COPYING.exceptions, removing the explicit part about OpenVPN Technologies, Inc. would seem safer, though then relying on SPDX identifiers wouldn't exactly be correct. Or spelling out what the intended meaning of "SPDX-License-Identifier: GPL-2.0-or-later WITH openvpn-openssl-exception" means in the README.md would probably suffice, in my opinion.