Mongodb links GPL code with SSL

Bug #1175028 reported by Scott Kitterman on 2013-05-01
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
libmongodb-perl (Ubuntu)
Undecided
Unassigned
Raring
Undecided
Unassigned
Saucy
Undecided
Unassigned
mongodb (Ubuntu)
Critical
Ubuntu Technical Board
Raring
Critical
Ubuntu Technical Board
Saucy
Critical
Ubuntu Technical Board

Bug Description

As it is, the package is either undistributable or a non-free work per the Ubuntu Licensing Policy in raring and saucy:

http://people.canonical.com/~cjwatson/ubuntu-policy/policy.html/ch-archive.html#s-ulp

The lack a clarity is based on report on the Ubuntu Server mailing list that there is an Ubuntu specific SSL exception granted by the copyright holders:

https://lists.ubuntu.com/archives/ubuntu-server/2013-April/006566.html

This is not documented in the package anywhere. If there is an exception, then the package is distributable, but non-free due to failing the 'Must not be distributed under a license specific to Ubuntu' test.

I'm filing a bug rather than taking direct action because (as discussed in the email thread), Daviey believes that OPENSSL is covered by the GPL system libreary exemption and so there is no issue (I'm left to wonder why anyone bothered to ask for an Ubuntu specific exception to link with OPENSSL if it wasn't needed, but I digress ...).

https://lists.ubuntu.com/archives/ubuntu-server/2013-April/006570.html

So rather than take direct action, I think it prudent to make a bug and assign it to ~ubuntu-archive to sort out.

Changed in mongodb (Ubuntu):
importance: Undecided → Critical
milestone: none → ubuntu-13.04-month-5
milestone: ubuntu-13.04-month-5 → ubuntu-13.05
Changed in mongodb (Ubuntu Raring):
milestone: none → raring-updates
importance: Undecided → Critical
assignee: nobody → Ubuntu Package Archive Administrators (ubuntu-archive)
Changed in mongodb (Ubuntu Saucy):
assignee: nobody → Ubuntu Package Archive Administrators (ubuntu-archive)
Scott Kitterman (kitterman) wrote :

Reassigning since this has been raised to the TB now:

https://lists.ubuntu.com/archives/technical-board/2013-May/001601.html

Changed in mongodb (Ubuntu Raring):
assignee: Ubuntu Package Archive Administrators (ubuntu-archive) → Ubuntu Technical Board (techboard)
Changed in mongodb (Ubuntu Saucy):
assignee: Ubuntu Package Archive Administrators (ubuntu-archive) → Ubuntu Technical Board (techboard)
James Page (james-page) wrote :

I'm working with 10gen upstream to get the OpenSSL linking exception written into the License for MongoDB. They want to get this sorted out so all distributions can enable SSL support without the license ambiguity that we currently have.

James Page (james-page) wrote :

I'd like to clarify the process under which I enabled the SSL support in the MongoDB package; this feels like a suitable place todo that.

SSL support was requested by a number of people in the MongoDB package; specifically to support certain security related features for juju-core.

My initial stance was that this was not possible due to the know incompatibility between OpenSSL and GPL licenses - I discussed this with the Debian maintainer and we agreed; so I approached the copyright holder (10gen) for clarification on their position as to linking OpenSSL with MongoDB; their initial response was the they thought this was OK as OpenSSL is shipped with the distro so this fell under the 'system libraries' clause in GPL licensing.

I was uncomfortable as this is a grey area for the distro, so I requested a license exception be documented as part of MongoDB.

10gen clarified their position to me again in a formal letter rather than a documented License exception; I discussed with an archive admin and internal Canonical legal counsel and the opinion was that this was sufficient to enable this feature in Ubuntu. I agree this should have been documented in the package; this was my oversight.

At no point did I request a Ubuntu specific license exception.

As commented in #2 I'm working with 10gen to get this documented as a license exception in the MongoDB package itself as this appears to be the clearest path to resolving this issue.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mongodb (Ubuntu Raring):
status: New → Confirmed
Changed in mongodb (Ubuntu):
status: New → Confirmed
Changed in mongodb (Ubuntu Saucy):
milestone: ubuntu-13.05 → ubuntu-13.06

For posterity, today the Ubuntu TB reviewed the question of if openssl counted
as a system library per the GPL or if a specific GPL exception for openssl
linking was required. They concluded that it is required for both GPL v2 and
GPL v3:

http://ubottu.com/meetingology/logs/ubuntu-meeting/2013/ubuntu-meeting.2013-07-08-19.58.moin.txt

DJ (davidrjamison) on 2013-07-20
Changed in mongodb (Ubuntu Saucy):
status: Confirmed → Fix Released
Changed in mongodb (Ubuntu Raring):
status: Confirmed → Fix Committed
Scott Kitterman (kitterman) wrote :

On what basis do you mark this fix released?

Scott Kitterman (kitterman) wrote :

I'm going to assume that was accidental.

Changed in mongodb (Ubuntu Saucy):
status: Fix Released → Fix Committed
evi brosda (evibrosda) on 2013-08-11
Changed in mongodb (Ubuntu Saucy):
status: Fix Committed → Fix Released
Changed in mongodb (Ubuntu Saucy):
status: Fix Released → Fix Committed
James Page (james-page) wrote :

I've chased upstream on this issue again; the appropriate exceptions should be in the right headers for the next release of the 2.5.x series which is scheduled for the 5th September.

Dimitri John Ledkov (xnox) wrote :

Fix committed in upstream repository:
https://github.com/mongodb/mongo/commit/ab0a0a92a1cc056e841dbcdac94c2f181ce29d2b

+ *
+ * As a special exception, the copyright holders give permission to link the
+ * code of portions of this program with the OpenSSL library under certain
+ * conditions as described in each individual source file and distribute
+ * linked combinations including the program with the OpenSSL library. You
+ * must comply with the GNU Affero General Public License in all respects
+ * for all of the code used other than as permitted herein. If you modify
+ * file(s) with this exception, you may extend this exception to your
+ * version of the file(s), but you are not obligated to do so. If you do not
+ * wish to do so, delete this exception statement from your version. If you
+ * delete this exception statement from all source files in the program,
+ * then also delete it here.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package mongodb - 1:2.4.6-0ubuntu4

---------------
mongodb (1:2.4.6-0ubuntu4) saucy; urgency=low

  * d/copyright: Add details of MongoDB AGPL+OpenSSL license exception
    to support continued use of MongoDB with SSL support enabled
    (LP: #1175028).
 -- James Page <email address hidden> Thu, 29 Aug 2013 12:33:32 +0100

Changed in mongodb (Ubuntu Saucy):
status: Fix Committed → Fix Released
Changed in mongodb (Ubuntu Raring):
status: Fix Committed → New
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in mongodb (Ubuntu Raring):
status: New → Confirmed
Changed in mongodb (Ubuntu Raring):
status: Confirmed → Incomplete
status: Incomplete → Confirmed
Changed in libmongodb-perl (Ubuntu Raring):
status: New → Confirmed
Changed in libmongodb-perl (Ubuntu Saucy):
status: New → Confirmed
Changed in libmongodb-perl (Ubuntu):
status: New → Confirmed
Rolf Leggewie (r0lf) wrote :

raring has seen the end of its life and is no longer receiving any updates. Marking the raring task for this ticket as "Won't Fix".

Changed in mongodb (Ubuntu Raring):
status: Confirmed → Won't Fix
Rolf Leggewie (r0lf) on 2014-12-05
Changed in libmongodb-perl (Ubuntu Raring):
status: Confirmed → Won't Fix
Rolf Leggewie (r0lf) wrote :

saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".

Changed in libmongodb-perl (Ubuntu Saucy):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Related blueprints