Thanks, so only GPL v3/v2+ is compatible, not GPL v2 only. I missed that
nuance.

https://gplv3.fsf.org/wiki/index.php/Compatible_licenses#GPLv2-incompatible_licenses

I see the following with "libtree -vvv" (output trimmed by hand to just
the paths to libcrypto or libssl):

/usr/lib/git-core/git-remote-https
├── libcurl-gnutls.so.4 [ld.so.conf]
│ ├── libldap.so.2 [ld.so.conf]
│ │ ├── libcrypto.so.3 [ld.so.conf]
│ │ ├── libssl.so.3 [ld.so.conf]
│ │ └── libsasl2.so.2 [ld.so.conf]
│ │ ├── libcrypto.so.3 [ld.so.conf]
│ ├── libssh2.so.1 [ld.so.conf]
│ │ ├── libcrypto.so.3 [ld.so.conf]

Chris> brian m. carlson (one of the git upstream copyright holders)
Chris> claims in Bug #1094969 that git cannot be distributed when
Chris> linked with OpenSSL. IIRC the Debian position is to use the
Chris> system library exception.


TL;DR: I think that an individual upstream copyright holder's
interpretation should be given less rather than more weight in
interpreting a license.
I think that Debian should adopt a project-wide interpretation of the
system library exception and apply it inconsistently. Allowing the
exception to be interpreted differently on different packages harms our
users and the free software community.

here is a longer proposal on how I would recommend approaching an issue
like this:

1) Debian maintainers have a lot of flexibility. If the Git maintainers

Chris> brian m. carlson (one of the git upstream copyright holders)
Chris> claims in Bug #1094969 that git cannot be distributed when
Chris> linked with OpenSSL. IIRC the Debian position is to use the
Chris> system library exception.

[This was prematurely sent]

TL;DR: I think that an individual upstream copyright holder's
interpretation should be given less rather than more weight in
interpreting a license.
I think that Debian should adopt a project-wide interpretation of the
system library exception and apply it inconsistently. Allowing the
exception to be interpreted differently on different packages harms our
users and the free software community.

here is a longer proposal on how I would recommend approaching an issue
like this:

1) Debian maintainers have a lot of flexibility. If the Git maintainers
wish to change what they link with, they have that flexibility. I view
this more as "Upstream asked us to ship the software differently and we
decided to disagree." I do not think an NMU has this level of preference.


2) The people involved need to be comfortable with their legal
liability. If Debian were a legal entity this would be easy: we would
ask for legal review and make a decision after receiving it. Such a
decision would typically be made at a fairly high level as to whether a
particular issue posed unacceptable legal risk. To the extent that any
party is concerned about their legal liability, please discuss in
private--probably by first reaching out to the DPL and asking how to
engage with lawyers. Do not discuss the specifics of the situation
except in private mail (not copying a bug) with the lawyers.

3) Generally, copyright holders trying to interpret a license after the
fact should be given less weight rather than more. After all the
copyright holder could have chosen a different license or published a
clarification along with their release. Clearly if it turns out that
the system library exception does apply in this situation, but Git wants
it not to for git-remote-https, then effectly they copyright holders
would be creating a fork of GPL-2 (gpl-2-restrictive-system-library)
that is GPL 2 incompatible.
Allowing copyright holders to do that after the fact--especially when
they selectivly try to enforce that interpretation against some parties
but not others--serves the community poorly.


4) We should interpret the system library exception consistently. If we
believe it allows us to link with openssl, we should stick to that
position.
I think it is cleare that software freedom and our users are served by
letting free software link with Openssl. (I understand some parties
argue that the consequences of interpreting the system library exception
in a manner that permits that linking are worse than the consequences
of avoiding GPL-2 OpenSSL combinations.)
However our position does generally seem to be that we interpret the
system library exception as allowing that linking.
If our interpretation is challenged, we should respond the same way we
would to any other legal challenge to software freedom.
We should seek out people who have aligned interests and try and find
common cause. In this instance I'd definitely suggest the DPL reach out
to Canonical and Redhat.

5) If a license is being interpreted in a manner that discriminates
against Linux distributions--it allows everyone but Linux distributions
to distribute some combination--I think that license discriminates
against a kind of use/field of endeavor. In other words, such a license
would not be DFSG free.

--Sam

Agreed, this is often a challenge when technical people discuss legal
matters, and it helps to keep this in mind.
My experience with lawyers is that circumstances, expectations and
intentions are more relevant than damages. Damages are more relevant
when assessing compensation, not when deciding who is right.

If someone has a claim to something and reasonable can expect certain
things in a situation, and that is violated, there is a legal case even
if you can make a technical argument that the person is wrong citing
various paragraphs in return. This is often frustrating for technical
people, feeling they are "right" and that circumstances doesn't matter.
I don't think that is a good position to be in. I believe it would be
better to work with rights holders to work out problems rather than to
ignore requests and throw legal arguments at them.

/Simon

Hi,
[...]
No, that is not the core problem. Debian, like most other binary
distributions, heavily relies on the system library exception in many,
many places. OpenSSL is just one instance, but there is also, for
example, libstdc++ which are not available under GPL-2-compatible
terms.

Note that GPL-2 says the following:

+---
| For an executable work, complete source
| code means all the source code for all modules it contains, plus any
| associated interface definition files, plus the scripts used to
| control compilation and installation of the executable.
+---

Now parts of build scripts of packages that curl depends on are GPL-3-
or-later, for example:

- libnghttp2-14: m4/ax_python_devel.m4
- libnghttp3-9: config.guess, config.sub
- libc6: scripts/config.guess, scripts/config.sub
- curl itself: config.guess, config.sub

So these libraries cannot be distributed under GPL-2 unless someone
changes the build system. (Note that common exceptions only apply for
proprietary licenses, but don't allow to fulfill the GPL-2
requirements.)

(As an observation: GnuTLS is also not distributable under GPL-2-
compatible terms as "[...], build system, [...] are licenced under the
GNU General Public License version 3+". So using it instead of OpenSSL
would not work either.)

Header files, linker scripts, ... from GCC might also fall under this
if the exception for compilers is not valid. Arguably GNU make too as
it "control[s] compilation and installation of the executable". So Git
would need to use a different compiler and make implementation. One can
continue with the rest of the operating system like shells.

All distributions thus rely on the system library exception to be able
to distribute most GPL-2-only[1] or GPL-3-only[2] code at all...

As Git doesn't seem any different, I think we should close this bug.

If we think the system library exception is not valid, then we probably
have to remove lots of software and switch core libraries (e.g., use
clang, libc++ instead of gcc).

Ansgar

[1]: Even ignoring fun things like build scripts due to libstdc++ and
similar.
[2]: GPL-3 has the same problems, just in the other direction. Consider
for example /usr/include/linux/*.h which gets indirectly included in
many places.