
The Debian GNU/Linux and the OpenSSL Licence


The Debian GNU/Linux OpenSSL bug showed how much damage a mistaken intervention by a single developer can do. The social benefits of open source
development are plenty, but there are dark sides too. Of course, many eyes are better than one: the vulnerability was exposed and the patch was
available soon after.

The famous OpenSSL Licence vs GPL issue was brought back. The OpenSSL licence is a bit tricky: it conflicts with the GPL licence in a disturbing
manner. On the other hand, given the number of applications that are based on the OpenSSL toolkit, some of them heavily, it’s hard to imagine
life without an Open Secure Socket Layer. So here are the findings
of Marc McLoughlin on the issue, written back in 2004. I will post the snippets that drew my attention,
although you can read the entire post mentioned; it’s not big:

The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.

Does the above apply to OpenSSL or not? Strictly speaking it doesn’t; read more broadly, it does. Here is the Debian GNU/Linux board’s position on
the matter back in 2004:

Considering the fact how many packages use the openssl libs, I don’t see a
problem in defining openssl an OS base package. Especially since it is
priority “standard” anyway.

The above is certainly true. The OpenSSL libraries are so deeply integrated that few programs could manage without them nowadays. There is, as always,
the open, or if you prefer, the more open way to go: GnuTLS. Bern Eckenfels also writes:

Since Debian adopted its current hardline position on the GPL+OpenSSL
licensing issue, I’ve noticed a dramatic decrease in the number of
things OpenSSL can do that cannot also be done with GPL- or
LGPL-compatible libraries, and I’ve also discovered that there were many
more LGPL crypto routines available than I had previously thought. One
of my packages was using OpenSSL, but only for DES and MD4; it was a
simple matter of a couple evenings’ work to integrate some equivalent
code from libmhash and libmcrypt. If you need any help finding LGPL
code that meets your needs, let me know.

The issue still exists. I don’t know whether the GnuTLS libraries can replace OpenSSL in every application that uses it; probably they can’t. But for small projects
GnuTLS seems to be a much more valid option, as it avoids possible legal hassles in the future.

Written by Panagiotis Atmatzidis

June 2nd, 2008 at 11:42 am