Bug #6924 MySQL linked against OpenSSL allowed for Distributers?
Submitted: 1 Dec 2004 20:06
Modified: 4 Aug 2005 22:37
Reporter: Christian Hammers (Silver Quality Contributor) (OCA)
Status: Closed
Category: Licensing
Severity: S4 (Feature request)
Version: all
OS: Any (all)
Assigned to:
CPU Architecture: Any
Triage: D5 (Feature request)

[1 Dec 2004 20:06] Christian Hammers
Description:
(As reported as Debian bug report to me:)

Many authors link their GPL software against libmysqlclient which in turn is linked against OpenSSL. Although MySQL no longer has problems with OpenSSL's licence, the 3rd party software does, as many authors just don't realize that they create a dependency on OpenSSL just by linking against MySQL. Or, even if they see it, they might not know that OpenSSL, which sounds "free and well-known", is not GPL compatible.

This could be avoided by switching to GNU TLS which is aimed to be a compatible replacement for OpenSSL but licenced more GPL friendly.

This may be considered a 5.0 wishlist report.

bye,

-christian-

How to repeat:
-

Suggested fix:
-
[1 Dec 2004 21:29] Timothy Smith
Christian,

At the moment, we've discontinued OpenSSL support in all of our binaries.  Of course you can still build with SSL from the source, but we don't build our binaries with SSL.

So if you use current binaries, there isn't a problem with linking 3rd party programs against libmysqlclient.

We would like to be able to release binaries with SSL support, and are investigating different options for that.  I'm told that building with yassl is possible right now, so this may be an option for you, depending on how you're using MySQL, etc.

Regards,

Timothy
[1 Dec 2004 22:29] Christian Hammers
Why do you no longer build binaries with SSL? I package mysql for Debian Linux and would be interested if there are good reasons not to enable it by default.
[2 Dec 2004 17:27] Timothy Smith
Hi, Christian.

It's due to unclear license issues.  Basically, we'd be OK distributing OpenSSL-enabled binaries, but anyone who redistributed them would probably be violating the license.  Our licence doesn't have a clear exclusion that handles OpenSSL.

I'm doing a bit of parroting here, since I'm not directly involved with making these decisions.  I can tell you for sure that it's due to legal, not technical, reasons.

We've got it on our TODO to create a workable solution to this SSL mess, but so far it hasn't worked out.

By the way, thanks a LOT for packaging MySQL for debian.  It's a job that doesn't get enough credit, and yet we really do appreciate all the people who make packages for various distros.

Kind regards,

Timothy
[2 Dec 2004 18:01] Christian Hammers
> It's due to unclear license issues.  Basically, we'd be OK distributing
> OpenSSL-enabled binaries, but anyone who redistributed them would
> probably be violating the license.  Our licence doesn't have a clear
> exclusion that handles OpenSSL.

That sounds like it would be problematic for the Debian Project as well?! Could you ask
your legal guys for details?

As far as I understand it's basically:

Problem#1: You use other GPL code (readline etc) inside the MySQL code by using the GPL which only mandates that the result is also GPL. But by linking against OpenSSL the
result is no longer GPL and thus you're violating your own licence. Your GPL code and
all the foreign code you use would need a permission to link against OpenSSL.

Problem#2: Even if the result finally is GPL compatible a user who writes GPL software
himself and then wants to distribute it might not be aware of the fact that he uses
components (MySQL) that force him to grant an extra permission, too, if he does not
want to violate his license himself.

If that's right, I would have to drop OpenSSL immediately as Problem#1 prevents me
from even building it, or?

thanks,

-christian-
[2 Dec 2004 19:58] Brian Aker
Hi Christian,

I would suggest looking at http://yassl.com, we know its license is fine for us, and it should be 
fine for any GPL product. The test so far has been fairly limited though, so I can not offer any 
guarantees about how well it functions.
[2 Dec 2004 19:59] Brian Aker
And, you are probably right about the openssl license, but since I am not a lawyer, I can only 
offer you my opinion.

Your best bet is to always ask the FSF directly.

  -Brian
[11 Feb 2005 2:31] Arjen Lentz
Linking with the client library is covered by the FLOSS exception which includes OpenSSL now. So that's clean. Indeed, the OpenSSL is not compliant with the FSF free software guidelines, however it *is* compliant with the OSI guidelines. And that's good enough for us.
Christian is correct in saying that the author of a GPL app that links with MySQL may find themselves in a licensing headache (or may not realize that OpenSSL is involved) but that is their responsibility.
The MySQL client can be linked with a number of other licenses, it would not be feasible for MySQL to take over the responsibility for "the next level" of how combinations of licenses work out. There are too many possibilities, and combinations of more than just 2 licenses.
[4 Aug 2005 22:37] Jim Winstead
Closing for Arjen.
[30 Mar 2006 23:02] James Day
As of version 5.0.20 MySQL anticipates releasing its own binaries with yaSSL included by default. It's possible that a few platforms may not have yaSSL support in this first yaSSL release; work on getting it in all is ongoing.