globalplatform
globalplatform copied to clipboard
kaoh
Clarify license for GPShell
The gpshell/src/gpshell.c says its license it GPL-v3+ but gpshell/LICENSE suggests it should be LGPL-v3+-with-OpenSSL-exception. Can you clarify this? Since GPL-v3+ may be incompatible with OpenSSL, it would be nice if gpshell/src/gpshell.c was modified to use LGPL-v3+-with-OpenSSL-exception.
LGPL-v3+-with-OpenSSL-exception works for me. Is this the only file affected?
Great!
I would suggest the following:
- Modify gpshell/src/gpshell.c to use LGPLv3+-with-OpenSSL-exception
- Modify ./helloworldapplet/src/main/java/net/sourceforge/globalplatform/jc/helloworld/HelloWorldApplet.java to use LGPLv3+-with-OpenSSL-exception (or just LGPLv3 since it is Java...)
- Add one top-level file COPYING.LESSER with LGPLv3
- Remove */COPYING, */COPYING.LESSER, */LICENSE, */LICENSE.OpenSSL
- Update CMakeLists.txt to for added/removed files above
- Remove ./globalplatform/cmake_modules/copyright.* (unless they are used somehow?)
- Add a small statement in top-level README.md about license of entire package
I assume you have permission from any other license holders to do the re-licensing.
Re-reading source code, I notice almost all *.c *.h files needs to be modified from LGPLv3+ to LGPLv3+-with-OpenSSL-exception too. For example see globalplatform/src/*.c and globalplatform/src/globalplatform/*.h.
But gpshell.c and HelloWorldApplet.java seems to be the only examples using GPLv3+ instead of LGPLv3+.
Btw, except for this licensing concern, the Debian packages should now be in good shape and I'm ready to do the upload into Debian proper once this issue is resolved. I could try to upload without resolving this, by merely letting debian/copyright reflect the somewhat inconsistent licensing information and see if the ftp-masters will object. Package files are available here (see the pipeline to download amd64 binaries built by CI/CD): https://salsa.debian.org/auth-team/globalplatform/
I guess, I did it on purpose. These executables are only executed and not linked. I use the LGPL only for code which is linked.
Sorry, I confused this issue by bringing up other aspects. Let's take a step back.
gpshell/LICENSE says:
/* Copyright (c) 2012, Karsten Ohme
* This file is part of GPShell.
*
* GPShell is free software: you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* GPShell is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with GPShell. If not, see <http://www.gnu.org/licenses/>.
*
* In addition, as a special exception, the copyright holders give
* permission to link the code of portions of this program with the
* OpenSSL library under certain conditions as described in each
* individual source file, and distribute linked combinations
* including the two.
* You must obey the GNU General Public License in all respects
* for all of the code used other than OpenSSL. If you modify
* file(s) with this exception, you may extend this exception to your
* version of the file(s), but you are not obligated to do so. If you
* do not wish to do so, delete this exception statement from your
* version. If you delete this exception statement from all source
* files in the program, then also delete it here.
*/
That looks like LGPLv3+ and an OpenSSL exception added, but the OpenSSL exception says 'You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL.' which clearly is different from LGPLv3+.
Then gpshell/src/gpshell.c says:
/**
* Copyright (c) 2013, Snit Mo, Karsten Ohme
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>
*/
That is plain GPLv3+.
So what is the license of gpshell?
Debian requires careful summaries of license of the code and I don't know how to summarize the license on gpshell.c.
I can ignore gpshell/LICENSE, and only use the header in gpshell/src/gpshell.c which means it is GPLv3. But then my take is that the licensing is unclear, hence the request for clarification.
(The same question applies to files under globalplatform/ too but maybe it helps to take one thing at a time.)
Then the c file should also be LGPLv3+ and an OpenSSL exception
Looking forward to a commit to fix it :)
Since gpshell is an application, and not linked, using GPLv3+-with-OpenSSL-exception is also an option, and more consistent with your other reply that only the linked source code was intended to be LGPLv3+-with-OpenSSL-exception.
GPLv3+ is also an option, since OpenSSL 3.0 has been re-licensed and is not GPL-incompatible.
I don't care what the license should be, but the license claims now are ambiguous.
Thank you -- looks good! -- however gpshell/LICENSE still says 'GNU Lesser General Public License'. I guess that should be 'GNU General Public License'?
Thank you!
In globalplatform/ the LICENSE says LGPLv3+-with-OpenSSL-exception, but several of the src/*.{c,h} files do not have an OpenSSL exception. I think that should be clarified too?
Also in cryptoTest.c there is a spurious '0x' in the first line.
Oh, this got lost. I have updated files where OpenSSL is used. In any other files this makes no sense.
Thanks -- although I believe that since other files in src/*.{c,h} are linked together with OpenSSL the license exception is needed in all of them. Otherwise there is no permission to link together that code together with OpenSSL.
This is still an issue to be able to do a release?
A release would be really good! There is a bunch of things fixed already. If you could add OpenSSL exception to remaining globalplatform/src/ files that would close this issue (I think) but please prioritize a release over fixing this issue.
I have tagged version 2.4.0. This is what you need? I will added Windows binaries in the next days. There is also an Author file, do you want to be included?
I have tagged version 2.4.0. This is what you need? I will added Windows binaries in the next days. There is also an Author file, do you want to be included?
Thank you! I have uploaded 2.4.0 to Debian. I opened https://github.com/kaoh/globalplatform/pull/90 regarding the AUTHORS file.
Ping? I still think a couple of more files in globalplatform/src/ needs to add the OpenSSL exception. I now realize another approach to solve this is to say that OpenSSL v3+ is required, and earlier versions with the bad license is no longer supported. Not sure you want to go there though.
This would be OK for me if then not all files have to be cluttered with text. What would be the approach? Just update the LICENSE files?