I’d like to make people aware of something my colleague Daf pointed out to me: one cannot use Python‘s SSL code (this also applies to other Python projects such as M2Crypto) in a GPL licensed application because it uses OpenSSL.
The problem resides in OpenSSL’s license which requires :
3. All advertising materials mentioning features or use of this software
must display the following acknowledgement:
“This product includes cryptographic software written by
Eric Young (firstname.lastname@example.org)”
The word ‘cryptographic’ can be left out if the routines from the library
being used are not cryptographic related .
and (because of its dual license)
3. All advertising materials mentioning features or use of this
software must display the following acknowledgment:
“This product includes software developed by the OpenSSL Project
for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
This requirement as been marked as GPL incompatible. Therefore, any GPL application using it is in license violation. While the OpenSSL FAQ stipulates that you can use it with GPL applications, this opinion is not shared by everyone. This is a quite big unadvertised licensing problem.
Now, I am not a lawyer but I can point to some existing solutions to this problem:
- Fix Python to not use such a poisonous (to GPL) licensed library.
- Do not use Python’s SSL code and use other implementations such as python-gnutls. This solution less appealing as replacement libraries often don’t completely cover python’s API.
- Relicense your GPL application to “GNU GPL with the OpenSSL special
exemption.” (as wget did) and add mentions to OpenSSL in your advertising materials. This solution is sometimes hard to implement as you have to contact all past contributors.