[clamav-users] Planned Addition Of OpenSSL Dependency

Scott Kitterman ubuntu at kitterman.com
Sun Mar 16 18:00:09 EDT 2014


On Saturday, March 15, 2014 17:17:09 Dennis Peterson wrote:
> On 3/12/14, 12:13:53PM, Scott Kitterman wrote:
> > http://www.clamav.net/lang/en/2014/02/22/introducing-openssl-as-a-dependen
> > cy-to-clamav/
> > 
> > I just noticed this.  I do the clamav packages for Debian/Ubuntu.  Adding
> > the dependency is fine from a technical perspective, but there is, at
> > least currently, a licensing concern.  The OpenSSL license is not GPL
> > compatible and the policy in Debian/Ubuntu is that OpenSSL is not covered
> > by the GPL system library exception.
> > 
> > There is a good discussion of it here:
> > 
> > https://people.gnome.org/~markmc/openssl-and-the-gpl.html
> > 
> > 
> > This is easy enough to fix.  Just make sure when you do the release that
> > adds the dependency, you also allow an exception to allow it to be linked
> > against
> > OpenSSL, despite it's license being GPL incompatible.  Something like:

> Some packagers already don't distribute ClamAV with RAR support for this
> reason. I'm one of them. I wonder if the Cisco/Snort/Clamav people know
> there's a limit to how far you can go with this before we drop the
> product and go with a commercial version. Tongue in cheek - I think that
> is the end game.

Debian/Ubuntu do not have RAR support built in.  The code for RAR checking is 
separately distributed through the associated non-free repositories.  That's 
less of a problem than GPL + OpenSSL without the exception.  Without the GPL 
exception, then the resulting binary isn't distributable (Based on our 
interpretation of the system library exception for the GPL).  As I understand 
it, Fedora has a different interpretation, so it might not disappear from all 
distros, but getting the exception included is essential for us.

Scott K



More information about the clamav-users mailing list