docsis
docsis copied to clipboard
rlaager
deb packaging
I am looking for someone to take the ownership of the deb packaging and submit it to Debian package management system.
Sadly that's not possible due to licensing issues. The code links against SSL and there is a license incompatibility because the code is GPL without SSL exception. If someone pushes it to the archive it would be rejected by FTP masters. That's the reason I removed the package from Debian.
The only way to have it back is asking the original developer to change the license, at least as a part of a public discussion (mailing list, bug report, etc).
Unfortunately I am not an expert in licensing, can you please be more specific to which license do you want the original to agree?
It should add the OpenSSL exception to the license. Check the mailing list's archives, I think I've discussed it there.
"This program is released under the GPL with the additional exemption that compiling, linking, and/or using OpenSSL is allowed."
Should this statement be enough?
GnuTLS, at least at one time, had an OpenSSL compatibility interface. It may be possible to build against that. Are we sure that this application still uses OpenSSL though? I know I accepted a patch that dealt with some of this.
Guys, I discussed it with Cornel (the original developer) and we think the following PUSH might somehow fix this issue:
https://github.com/AdrianSimionov/docsis/commit/17939f105b74c8be540d18a3d29907607a71d690
It basically adds the following text to all source files.
* This program is released under the GPL with the additional exemption that
* compiling, linking, and/or using OpenSSL is allowed.
*
From our understanding this should be enough to be compliant for Debian. What do you think Richard, should we go ahead with this change?
On Monday 20 April 2015 04:18:10 Adrian Simionov wrote:
Guys, I discussed it with Cornel (the original developer) and we think the following PUSH might somehow fix this issue:
https://github.com/AdrianSimionov/docsis/commit/17939f105b74c8be540d18a3d29 907607a71d690
It basically adds the following text to all source files.
* This program is released under the GPL with the additional exemptionthat * compiling, linking, and/or using OpenSSL is allowed. *
From our understanding this should be enough to be compliant for Debian. What do you think Richard, should we go ahead with this change?
Hi Adrian and Richard! I am not a lawyer, but sadly as I understand it it's not enough. Cornel should either be the author of the commit or at least mail some public list (or this bug itself) acknowledging the change.
Kinds regards, Lisandro.
Vió, buteó y andó
Lisandro Damián Nicanor Pérez Meyer http://perezmeyer.com.ar/ http://perezmeyer.blogspot.com/
@perezmeyer: And what happens when the developers die or are not interested at all in the projects? :) Debian does not accept the projects anymore? It looks weird to me.
I spoke with Cornel (as some might know, we work together) and he suggested these changes. He is not really interested anymore in the project and I do not expect him to do any public statements about it.
@AdrianSimionov it's not Debian, it's lawyers. No, I really don't know what happens in those cases. All I know is that the change must be at least publicly ACKed by the original upstream. Tip: you might also consider to ask Cornel to give someone else copyright assignment to reduce the bus factor ;)
Any chance you could get any sort of email from him on this topic? Even just a "yes" or "ok" in response to you asking if adding the OpenSSL exception is okay would help.
In any event, the commit message needs to document that you spoke direct to him and he agreed to the license change. You can say I agree as well. I'm not sure how much copyright able code I have contributed.
We also need to look at the commit history to see who else needs to agree.
Richard
I would propose to leave this open and see how will evolve. I do not have the time and patience to fight for it. If Cornel will decide to become again public regarding open-source projects, we will hear from it for sure.
@perezmeyer What if we move this package to contrib or non-free?
I want it there as a convenient way for the users to install it.
On Tuesday 19 May 2015 12:16:58 Adrian Simionov wrote:
@perezmeyer What if we move this package to contrib or non-free?
I want it there as a convenient way for the users to install it.
License incompatibility is not non-free: it's incompatible. We can't distribute it.
When the winds of change are blowing, some people are building shelters, and others are building windmills. Old Chinese Proverb
Lisandro Damián Nicanor Pérez Meyer http://perezmeyer.com.ar/ http://perezmeyer.blogspot.com/
I looked into this a bit. The fix should be pretty straightforward. The only use of OpenSSL is for SHA1 in src/docsis.c. Just bring in a differently-licensed sha1 implementation, which was already done for md5.c.
I know we use net-snmp and my understanding was that net-snmp links against OpenSSL. I do not exactly know how does it work in this specific case.
@perezmeyer Is it sufficient that docsis itself not use OpenSSL? https://github.com/rlaager/docsis/compare/remove-openssl
Or is the issue that no GPL-licensed applications can link to net-snmp?
I just received the email about licensing; I'm not particularly familiar with the issue, so either is fine with me.
I also received an email about this issue. I welcome the effort to change the project so it becomes Debian compliant.
That said, I hereby give you the right to use the patch I have submitted to this project in the past without any restrictions.
Linking without -lcrypto gives:
Undefined symbols for architecture x86_64: "_SHA1_Final", referenced from: _add_mta_hash in docsis.o "_SHA1_Init", referenced from: _add_mta_hash in docsis.o "_SHA1_Update", referenced from: _add_mta_hash in docsis.o
It would be better to solve this problem by importing either a BSD licensed or public domain SHA1 implementation and remove the dependency on openssl. This would sidestep any future licensing problems and there would also be no requirement to get agreement from all the contributors. It would also make it slightly easier to compile docsis on several platforms, including os/x.
or GPLv2, as the case may be. Here's a GPLv2 implementation:
https://github.com/vishvananda/open-iscsi/blob/master/usr/sha1.c https://github.com/vishvananda/open-iscsi/blob/master/usr/sha1.h
@nickhilliard: I've already attached a branch with a commit that replaces the SHA1 implementation. The license exception request is because that may not be sufficient. If Debian argues that a GPL docsis can't link to net-snmp because net-snmp links to OpenSSL, then we would need the OpenSSL exception. Are you okay with adding the exception?
As far as I understand it also need to avoid linking trough net-snmp, so the OpenSSL exception would still be needed. Anyways it's a great step forward to replace the SHA1 implementation.
Another possible work around is adding a private executable that links against net-snmp and make docsis call the executable to get stuff done. This new executable should have the OpenSSL exception, but not docsis.
That being said I'm no longer using docsis, so I no longer have no incentive in maintaining it in Debian. But if any of you feels like doing it I'll happy to mentor and sponsor the package.
