[Bug 2097320] Re: Links against incompatibly licensed OpenSSL
brian m. carlson
2097320 at bugs.launchpad.net
Tue Apr 15 21:05:52 UTC 2025
I think this should probably be closed. The Debian bug has been closed,
and I think this is probably not worth fixing, as explained there.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to git in Ubuntu.
https://bugs.launchpad.net/bugs/2097320
Title:
Links against incompatibly licensed OpenSSL
Status in git package in Ubuntu:
New
Status in git package in Debian:
New
Bug description:
Git is licensed under the GNU General Public License, version 2.
Included in Git is /usr/lib/git-core/git-remote-http, which is the
backend which uses libcurl to perform HTTP-based operations.
Unfortunately, as of plucky, that binary appears to be linked against
OpenSSL, probably because OpenLDAP, on which libcurl depends, is
linked against OpenSSL.
OpenSSL is under the Apache License 2.0, which is, despite everyone's
best intentions, not actually compatible with the GNU General Public
License version 2, and thus the Git binary is not actually
distributable.
Note that Ubuntu cannot take advantage of the system library
exception, the text of which is as follows:
  However, as a special exception, the source code distributed need not
  include anything that is normally distributed (in either source or
  binary form) with the major components (compiler, kernel, and so on)
  of the operating system on which the executable runs, unless that
  component itself accompanies the executable.
Since Ubuntu distributes OpenSSL on the same mirror network and
installation media as Git, OpenSSL accompanies the executable.
I have not verified if other binaries or parts of Git are affected,
but you may want to do so. Assuming that my conjecture about OpenLDAP
being the cause of this is correct, you may want to revert the change
to OpenSSL there.
Of course, if you can provide a version of OpenSSL that is also under
the GNU General Public License version 2 or another license which is
compatible with it, then that would also be satisfactory. In that
case, please reassign this package to the `openssl` source package to
get the copyright file updated accordingly.
Note that this doesn't yet appear in any released version of Ubuntu,
but should be fixed before the next release.