Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Clarify license for GPShell #81

Open
jas4711 opened this issue Oct 6, 2023 · 20 comments
Open

Clarify license for GPShell #81

jas4711 opened this issue Oct 6, 2023 · 20 comments

Comments

@jas4711
Copy link
Contributor

jas4711 commented Oct 6, 2023

The gpshell/src/gpshell.c says its license it GPL-v3+ but gpshell/LICENSE suggests it should be LGPL-v3+-with-OpenSSL-exception. Can you clarify this? Since GPL-v3+ may be incompatible with OpenSSL, it would be nice if gpshell/src/gpshell.c was modified to use LGPL-v3+-with-OpenSSL-exception.

@koh-osug
Copy link

koh-osug commented Oct 6, 2023

LGPL-v3+-with-OpenSSL-exception works for me. Is this the only file affected?

@jas4711
Copy link
Contributor Author

jas4711 commented Oct 7, 2023

Great!

I would suggest the following:

  • Modify gpshell/src/gpshell.c to use LGPLv3+-with-OpenSSL-exception
  • Modify ./helloworldapplet/src/main/java/net/sourceforge/globalplatform/jc/helloworld/HelloWorldApplet.java to use LGPLv3+-with-OpenSSL-exception (or just LGPLv3 since it is Java...)
  • Add one top-level file COPYING.LESSER with LGPLv3
  • Remove */COPYING, */COPYING.LESSER, */LICENSE, */LICENSE.OpenSSL
  • Update CMakeLists.txt to for added/removed files above
  • Remove ./globalplatform/cmake_modules/copyright.* (unless they are used somehow?)
  • Add a small statement in top-level README.md about license of entire package

I assume you have permission from any other license holders to do the re-licensing.

@jas4711
Copy link
Contributor Author

jas4711 commented Oct 7, 2023

Re-reading source code, I notice almost all *.c *.h files needs to be modified from LGPLv3+ to LGPLv3+-with-OpenSSL-exception too. For example see globalplatform/src/*.c and globalplatform/src/globalplatform/*.h.

But gpshell.c and HelloWorldApplet.java seems to be the only examples using GPLv3+ instead of LGPLv3+.

Btw, except for this licensing concern, the Debian packages should now be in good shape and I'm ready to do the upload into Debian proper once this issue is resolved. I could try to upload without resolving this, by merely letting debian/copyright reflect the somewhat inconsistent licensing information and see if the ftp-masters will object. Package files are available here (see the pipeline to download amd64 binaries built by CI/CD): https://salsa.debian.org/auth-team/globalplatform/

@kaoh
Copy link
Owner

kaoh commented Oct 7, 2023

I guess, I did it on purpose. These executables are only executed and not linked. I use the LGPL only for code which is linked.

@jas4711
Copy link
Contributor Author

jas4711 commented Oct 8, 2023

Sorry, I confused this issue by bringing up other aspects. Let's take a step back.

gpshell/LICENSE says:

/*  Copyright (c) 2012, Karsten Ohme
 *  This file is part of GPShell.
 *
 *  GPShell is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU Lesser General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  GPShell is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with GPShell.  If not, see <http://www.gnu.org/licenses/>.
 *
 * In addition, as a special exception, the copyright holders give
 * permission to link the code of portions of this program with the
 * OpenSSL library under certain conditions as described in each
 * individual source file, and distribute linked combinations
 * including the two.
 * You must obey the GNU General Public License in all respects
 * for all of the code used other than OpenSSL.  If you modify
 * file(s) with this exception, you may extend this exception to your
 * version of the file(s), but you are not obligated to do so.  If you
 * do not wish to do so, delete this exception statement from your
 * version.  If you delete this exception statement from all source
 * files in the program, then also delete it here.
 */

That looks like LGPLv3+ and an OpenSSL exception added, but the OpenSSL exception says 'You must obey the GNU General Public License in all respects for all of the code used other than OpenSSL.' which clearly is different from LGPLv3+.

Then gpshell/src/gpshell.c says:

/**
 *  Copyright (c) 2013, Snit Mo, Karsten Ohme
 *
 *  This program is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program.  If not, see <http://www.gnu.org/licenses/>
 */

That is plain GPLv3+.

So what is the license of gpshell?

Debian requires careful summaries of license of the code and I don't know how to summarize the license on gpshell.c.

I can ignore gpshell/LICENSE, and only use the header in gpshell/src/gpshell.c which means it is GPLv3. But then my take is that the licensing is unclear, hence the request for clarification.

(The same question applies to files under globalplatform/ too but maybe it helps to take one thing at a time.)

@kaoh
Copy link
Owner

kaoh commented Oct 8, 2023

Then the c file should also be LGPLv3+ and an OpenSSL exception

@jas4711
Copy link
Contributor Author

jas4711 commented Oct 9, 2023

Then the c file should also be LGPLv3+ and an OpenSSL exception

Looking forward to a commit to fix it :)

Since gpshell is an application, and not linked, using GPLv3+-with-OpenSSL-exception is also an option, and more consistent with your other reply that only the linked source code was intended to be LGPLv3+-with-OpenSSL-exception.

GPLv3+ is also an option, since OpenSSL 3.0 has been re-licensed and is not GPL-incompatible.

I don't care what the license should be, but the license claims now are ambiguous.

@koh-osug
Copy link

I pushed an update to gpshell.c

@jas4711
Copy link
Contributor Author

jas4711 commented Oct 11, 2023

Thank you -- looks good! -- however gpshell/LICENSE still says 'GNU Lesser General Public License'. I guess that should be 'GNU General Public License'?

@kaoh
Copy link
Owner

kaoh commented Oct 11, 2023

updated this and also added copyrights to hello world and the parent dir.

@jas4711
Copy link
Contributor Author

jas4711 commented Oct 12, 2023

Thank you!

In globalplatform/ the LICENSE says LGPLv3+-with-OpenSSL-exception, but several of the src/*.{c,h} files do not have an OpenSSL exception. I think that should be clarified too?

Also in cryptoTest.c there is a spurious '0x' in the first line.

@koh-osug
Copy link

koh-osug commented Nov 7, 2023

Oh, this got lost. I have updated files where OpenSSL is used. In any other files this makes no sense.

@jas4711
Copy link
Contributor Author

jas4711 commented Nov 8, 2023

Thanks -- although I believe that since other files in src/*.{c,h} are linked together with OpenSSL the license exception is needed in all of them. Otherwise there is no permission to link together that code together with OpenSSL.

@koh-osug
Copy link

koh-osug commented Nov 8, 2023

OK, then there is more work to do.

@kaoh
Copy link
Owner

kaoh commented Dec 15, 2023

This is still an issue to be able to do a release?

@jas4711
Copy link
Contributor Author

jas4711 commented Dec 15, 2023

This is still an issue to be able to do a release?

A release would be really good! There is a bunch of things fixed already. If you could add OpenSSL exception to remaining globalplatform/src/ files that would close this issue (I think) but please prioritize a release over fixing this issue.

@kaoh
Copy link
Owner

kaoh commented Dec 19, 2023

I have tagged version 2.4.0. This is what you need? I will added Windows binaries in the next days. There is also an Author file, do you want to be included?

jas4711 added a commit to jas4711/globalplatform that referenced this issue Dec 19, 2023
Signed-off-by: Simon Josefsson <[email protected]>
@jas4711
Copy link
Contributor Author

jas4711 commented Dec 19, 2023

I have tagged version 2.4.0. This is what you need? I will added Windows binaries in the next days. There is also an Author file, do you want to be included?

Thank you! I have uploaded 2.4.0 to Debian. I opened #90 regarding the AUTHORS file.

kaoh added a commit that referenced this issue Dec 20, 2023
@jas4711
Copy link
Contributor Author

jas4711 commented Jul 4, 2024

Ping? I still think a couple of more files in globalplatform/src/ needs to add the OpenSSL exception. I now realize another approach to solve this is to say that OpenSSL v3+ is required, and earlier versions with the bad license is no longer supported. Not sure you want to go there though.

@koh-osug
Copy link

koh-osug commented Jul 4, 2024

This would be OK for me if then not all files have to be cluttered with text. What would be the approach? Just update the LICENSE files?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants