The annoying thing about GnuTLS is that it normally might not be very widely used, except that the Debian project initiated a huge push to make software linkable with GnuTLS instead of OpenSSL, because of issues with the OpenSSL license[1]. So if you're a Debian or Ubuntu user, you're probably relying on GnuTLS a lot more than users of any other distribution, or people who compile the upstream sources themselves. (Not that OpenSSL is a panacea, but at least it gets more attention than GnuTLS).
[1] The OpenSSL license is incompatible with the GPL, making it technically illegal to distribute binaries of GPL programs linked with OpenSSL (so Debian refuses to do so), unless the GPL program has an OpenSSL license exception.
I don't understand why NSS[1] isn't more highly regarded. It's the crypto library that both Chrome and Firefox use, and it has a comparatively good security record[2].
Red Hat has misguidedly chosen to base all of its security infrastructure on NSS, even though NSS was never designed for such a use. It is completely inappropriate for servers, multi-user workstations, etc.
I have a feeling there are greater dependencies within GNOME distros and, as you said, Debian. NetworkManager is an especially annoying one because it uses NSS directly and GnuTLS indirectly.
While some usage comparison between GnuTLS and OpenSSL is good, it is important to remember that each project supports different features. For example, OpenSSL does not support OpenPGP.
Actually, I don't think that's generally true if you're talking about the libs. A cursory glance at the output of `apt-cache rdepends libgnutls26` suggests that wget is the only relatively "popular" package depending on it.
However, some other distros such as Arch do not have wget depending on it, so you do have a point about Debian.
The irony of what's happening here, that dogmatism about a belief is causing an inferior solution to be used, is infuriating and one of the reasons people have such a problem with dogmatic personalities like rms. It's technically illegal to use a better solution because of something as relatively unimportant as a license. Think of it like Maslow's hierarchy - having strong security is way more important to most people than having a proper copyleft license. But instead of being pragmatic, we're stuck with a ridiculously dogmatic solution that ends up harming way more than the ill it was trying to cure.
It reminds me a lot of environmentalists going crazy to ban nuclear power in the 70s before we had as clear a grasp on the impact of dumping carbon dioxide into the air.
> The irony of what's happening here, that dogmatism about a belief is causing an inferior solution to be used, is infuriating and one of the reasons people have such a problem with dogmatic personalities like rms. It's technically illegal to use a better solution because of something as relatively unimportant as a license.
Why do you jump to blame the GPL and rms, when one could just as easily fault the OpenSSL authors for using the 4-clause BSD instead of the far more common 3-clause?
> It's technically illegal to use a better solution because of something as relatively unimportant as a license.
No, it is technically illegal to distribute compiled binaries that use OpenSSL, because the OpenSSL authors wanted to retain the advertising privileges. But it is not illegal to use the software as long as it is distributed in source and compiled by the end user.
I would not call licensing unimportant. As long as software is copyrightable, licensing terms are highly important.
I believe the OpenSSL team uses the 4 clause BSD license because they rely on SSLeay, which uses the 4 clause license. And if they have to advertise the SSLeay name, they might as well advertise the OpenSSL name as well.
The thing is, relicensing isn't likely to happen any time soon, regardless of what RMS says.
To be precise, SSLeay was discontinued when its authors were hired by RSA. They're now under non-competes and couldn't change the license if they wanted to.
The reason the GPL is annoying is that free licenses with an advertising clause have existed for a very long time and are actually widely used. A quick look at the about box of various software will usually show you a long list of mandatory acknowledgements for various open source licenses.
The problem is that the GPL willingly refuses to permit advertising clauses. Is there a cogent argument about why an advertising clause is a limitation of freedom? The GPL is more often than other free licenses putting restrictions on usage of diversely licensed software. It is an impediment. And, as we see, it has real-world consequences. There is more risk for freedom using bad software security than yielding to innocuous clauses.
> The problem is that the GPL willingly refuses to permit advertising clauses. Is there a cogent argument about why an advertising clause is a limitation of freedom?
The advertising clause is not a limitation on freedom. The 4-clause BSD license is a free software license; it just happens not to be compatible with the GPL (not all free software licenses are).
The reasons for this are very practical: not only does it place additional restrictions on the software (which is not permitted by the GPL), but if multiple 4-clause BSD projects are used, each project requires its own separate advertising statement (the 4-clause license does not permit combining these into a single sentence): https://www.gnu.org/philosophy/bsd.html
> The reason the GPL is annoying is that free licenses with an advertising clause have existed for a very long time and are actually widely used.
Most modern projects using permissive licenses use 3-clause BSD, MIT/X11, or Apache, all of which are compatible with the GPL. In this day and age, choosing a 4-clause BSD license is a fairly conscious decision to make the project incompatible with the GPL.
Choosing the 4-clause BSD license is a conscious decision to continue to receive credit for all your hard work, when a proprietary software company comes along and includes your code in their product. To me this is a fair compromise for proprietary companies who refuse to open up their source code (i.e., would never touch GPL at all).
As I mention in a reply to the sibling comment, I don't fault the developer for choosing a free software license that suits their purposes. I just don't think it's fair to blame the GPL for the incompatibility that happens when a developer chooses a 4-clause BSD license.
(Also, remember that the developer could always dual-license - ie, "GPL or 4-clause BSD - if you want to use my software in proprietary code, then you have to advertise me").
It's a fair compromise for anyone. Being credited for your own work isn't as evil as RMS thinks (arguably somewhat ironic as he wants the FSF to be credited with Linux).
Huh. This is the first licensing-related thread I've read on HN in months where someone said something I found interesting and informative before I gave up and stopped reading.
Thanks for your even-keeled comments here; helpful and refreshing.
> In this day and age, choosing a 4-clause BSD license is a fairly conscious decision to make the project incompatible with the GPL.
Complaining about this seems a bit strange, since GPL is deliberately incompatible with everything else when it comes to sharing. OpenSSL's license, although kooky, is freer than the GPL in terms of who can use the stuff covered by it.
For the record, I'm not complaining. I'm just saying that it's unfair to blame the incompatibility solely on the GPL (as OP seemed to be), when the developer is the one who chooses the license for their software. (And I presume the OpenSSL authors are experienced enough to be familiar with the compatibility differences between the 3-clause vs. 4-clause BSD license).
> OpenSSL's license, although kooky, is freer than the GPL in terms of who can use the stuff covered by it.
No, both are equally free. Both of them respect the four freedoms, so they are both free licenses.
(The 4-clause BSD is arguably more permissive, but on the other hand, the GPL permits one to advertise the software without any restrictions, so it really depends on which of those two one values more. Generally the copyleft clause is what people care about more than advertising, but it's important to note both).
> A quick look at the about box of various software will usually show you a long list of mandatory acknowledgements for various open source licenses.
You have mistaken what "advertising clause" means. The GPL requires that the about box list the copyright holders, so those can't be the type of advertising at issue.
No, the complaint is about:
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
If you have software which uses OpenSSL, and to promote it you send out a tweet, then the license requires you to include the above two lines in the tweet.
In practice, a project might have 20 such advertising requirements. It gets boring.
An advertising clause can be used as a weapon. Suppose I distribute "free" software to you, but require you to include a 100 page manifesto every time you make an advertisement. Is that really "free"?
"If you have software which uses OpenSSL, and to promote it you send out a tweet, then the license requires you to include the above two lines in the tweet."
No.
If you have software that uses OpenSSL, and to promote it you send out a tweet that says "Use our product instead of our competitors'. We use SSL to make things secure", then you must include the above two lines.
For the clause to apply:
1. It has to be an advertisement
2. It has to advertise the features that use OpenSSL
hyc_symas gave essentially the same correction in a parallel post, a few minutes before you.
I pointed out that the edge cases are fuzzier than I would like. If my product is called "SecureTalk", and uses OpenSSL for secure connections, then it sounds like almost any mention of the name which might be advertising needs to include that line.
As in, "Secure Systems, the developers of the NSA-proof SecureTalk, are hiring."
Isn't that "mentioning features" of OpenSSL? If so, it needs that line. If not, why not? What does it mean to mention a feature? Can I get away with
"Secure Systems, the developers of SecureTalk, are hiring."
After all, the only reason it's secure is because it uses OpenSSL.
In this case we can consider this requirement to be a public service. Suggesting that someone believes that an app is secure because it uses OpenSSL is a somewhat common form of mockery in crypto circles. If you just announce that you are clueless about security then no one needs to bother looking at your website in the off chance that you aren't.
I didn't say it was secure "because it uses OpenSSL". I said the much more limited "and it uses OpenSSL for secure connections."
Copyright is sticky. The hypothetical "SecureTalk" program might only use 500 lines of OpenSSL, where that 500 lines was security audited by crypto experts, static code checkers, and formal program analysis, and run in a chroot'ed jail.
A clueful re-use of OpenSSL for secure connections still needs that advertising clause, even if the software really is more secure than anything else out there. In that case, the required advertisement is a false clue to experts, no?
I would say if you make the claim that the security is from more than just the use of OpenSSL then there would be no need to put in the OpenSSL notice when just talking generically about security. You might still need to if you specifically mention encrypted connections, say, if you are using OpenSSL to encrypt connections. The advertising clause can still be annoying, but I don't think it is quite as bad as you are making it out to be. At least when there is only one or two projects you are using that require them... I think the main reason they are less popular now is that it gets really awkward when you need pages and pages of advertisement clauses.
I also doubt that anything that uses OpenSSL as the primary crypto could possibly be "more secure than anything else out there". This isn't so much a slam of OpenSSL, which may overall be doing a better job of implementing TLS than anything else available right now (at least open source) but of TLS in general which is complex and not designed with current best practices. Using TLS is often an easy way to make things a lot more secure than they are without much effort and as such is often a good choice, but it is unlikely to result in the most secure thing possible. OTR is a well known alternative in chat that has a number of advantages (and some disadvantages too). Various others are under construction. Importantly, there are significant tradeoffs involved and it is often not a simple matter of X is more secure than Y.
Neither you nor I have the legal experience to really determine if there is no need. What constitutes an "advertisement"? If I am a security consultant and I develop a no-cost open source tool using OpenSSL, and I do it deliberately as a way to get my name out into the field and find clients, then is that advertising?
What constitutes "mentioning features of this software"? If I use another package for SSL and advertise that my software has SSL support, but have OpenSSL in my code for other reasons (let's say, the SHA-1 digest code), then do I need to mention OpenSSL? After all, SSL is a supposed feature of OpenSSL.
No, it's not as bad as I make it out to be, but that's in large part because we are generally lazy when it comes to the particulars of licenses. Just look at the number of GPLv2 software distributions which don't follow the letter of the license. (Section 3 assumes physical distribution, not network. GPLv3 clarified this problem.)
It's also because license holders are lazy. Enforcing the GPL takes a lot of time and effort. Many violations occur because few actively enforce the license.
If your expectations are based on what people do in a lazy world, then you are perhaps a realist (or a cynic), but it still violates the license.
The "pages and pages of advertisement clauses" affects only those who actually follow the license. These might be nitpickers like me, or organizations with lots of money who are easy pickings and worried about liability.
These also happen to be the people who are likely to give acknowledgements, especially when the license so requires it (as the GPL does).
Not quite. If you tweet and brag about SSL or crypto support, then you must credit OpenSSL. If you brag about something that is not a feature derived from/dependent on OpenSSL, then the clause is irrelevant.
If my project is "SecureTalk" with the tag line "the NSA will never know", and it's secure because of OpenSSL, then will I have to mention that text every time I use the word "SecureTalk" in a tweet/ advertisement?
What about "HushTalk"? "MumsTheWord"? "SafeBanking"?
If I add optional rot-13 encryption, so there are now two cryptosystems, then can I pretend that SecureTalk doesn't "really" require OpenSSL, so I don't need the advertising?
> The problem is that the GPL willingly refuses to permit advertising clauses. Is there a cogent argument about why an advertising clause is a limitation of freedom?
The GPL doesn't specifically set out to prevent advertising clauses. It is a side-effect of being incompatible with "other restrictions" - for example, a requirement that you license some third party software or patent in order to redistribute GPL-covered code. Instead of trying to specifically enumerate and disallow all such restrictions that someone might come up with, which is a fool's errand, the GPL disallows any other restrictions.
As a minor quibble, section 7 of GPLv3 allows a few other restrictions. That is, there's a general blacklist, as you say, with a specific whitelist of what additional restrictions are allowed.
For example, "b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it;"
Well, GPL is far from the most free license anyway (that would probably be the WTFPL, MIT license, or 2-clause BSD license). GPL is arguably a restrictive license, albeit not one that seeks to prevent copying.
Where is the irony? Even if I substitute Alanis Morissette's definition for the dictionary definition I can not identify any irony. Technical superiority was never the primary goal of the Free Software Movement.
I also don't understand the environmental anecdote. That seems less about dogma and more about imperfect scientific knowledge. Were the environmentalists opposing nuclear energy on principle or because at the time the evidence made nuclear power look unsafe and detrimental to the health of the environment?
It's not dogmatism. Debian just has a conservative interpretation of the law and the conditions of the GPL. It's fair to point out that Debian's interpretation doesn't seem to be very widely held outside the project, but believing "we should obey the law" doesn't count as dogmatism.
I had the same response. Whenever I see "irony/ironic" I make a conscientious effort to not use the dictionary definition and give the author a lot of semantic leeway. After I read the comment for the third time I still could not identify any irony.
I think the real lesson here is not to write your own license but to use well-known ones. There are lots of permissive licenses that are also compatible with the GPL.
4-clause BSD is actually the original BSD license, even though it's not very common nowadays. According to wikipedia, it was first used in 1990 or before, so roundabout the same time as the GPL v1 (1989). It's certainly not self-written.
Why aren't posts such as the parent comment simply killed by the moderators?
There is a BSD vs GPL discussion about once every week on HN. Out of those several hundred threads and thousands of comments, has a single user been convinced about the preference of either license type? Has a single person said "oh, sorry, I will now change my opinion and use your license of choice because your arguments are so good"?
Hate or love RMS, but can you keep it in your pants and do it elsewhere?
The irony is actually that GnuTLS is panned for 'not doing it right' in the article, and here you are panning Debian for 'doing it right' when it comes to licensing. Debian is following licenses as they should be followed and not cutting corners.