In case you've missed it, Debian, and hence Ubuntu, in what seems to be a fit of purity, has decided it can't link psql against both libreadline and libssl, not due to any technical difficulty but due to a perceived license incompatibility. (This incompatibility has apparently escaped the notice of RedHat's lawyers.) Geeks make bad lawyers, and I have heard more malarkey on license and legal issues from geeks than on almost any other subject.
Anyway, their solution has been to link against the very poor substitute libedit and scrap use of libreadline. I predict that Postgres users en masse will refuse to use the new binaries. I certainly will. The one Ubuntu server I have to do with, the buildfarm web server, will not run the new binaries. If I need to have it upgraded I will build the binaries myself if necessary.
Various suggestions have been made for remedying the situation: either fixing libedit or linking psql against GnuTLS instead of OpenSSL. Both of these amount to making a significant effort for no effective technological gain. Bleah. What a waste.
It could also make it so that the OpenSSL licence will be simplified and made explicitly compatible with GPL.
Or push the PostgreSQL community into being willing to set up a Debian host repository where we would ship our own packages for all supported Debian versions and PostgreSQL versions. After all we don't have to pick one PG release per Debian release, as the Debian guys do.
So while it's a burden, I'd be willing to believe it helps pushing things into a good direction after a while.
This is very disappointing to read and, to me, is troublesome because of the splintering of the upgrade paths going forward. I worry about having to deal with upgrades from the Debian/Ubuntu side seriously breaking those binaries on the other side since it would be nearly a no-brainer to discontinue using the politically-correct braindead binaries.
As a recent convert to Ubuntu Linux (Server) because of the mostly rock-solid upgrades, I now take pause and will begin to consider yet another OS migration.
Is my thinking over-the-top? Am I making more out of this than necessary?
I wouldn't worry about it too much. The custom built binaries that people are now building to replace the broken ones shipping with Squeeze have very minimal changes to them. Just flip a switch to adjust which libraries the program compiles and links against. RedHat users have already been in a position for years now where they need the PostgreSQL project's packaged versions instead of the official ones to get a reasonable feature set, so this isn't even a new class of problem to this community.
"Both of these amount to making a significant effort for no effective technological gain. Bleah. What a waste."
Agreed! What a waste.
Is it across-the-board that no GPL software will link against openssl (even dynamically)? Or were some other projects spared?
In order for GPL software to link to OpenSSL, it needs to provide a special exception for that project's weird license. There are many such license exceptions around. But you'll never get one in readline, since it's a GNU project. This sort of thing is exactly how they try to compel everyone to use standard free licenses.
What I find frustrating is that there has been zero legal advice request from Debian or the DPL to SPI which is the corp responsible for Debian.
They very well may be right, but without a legal opinion from their attorney (of which they have two), it is all moot.
Sigh... Geeks make ignorant lawyers (and business people)
The FSF consider the OpenSSL license to be incompatible with the GPL.
I am not sure why Debian would require legal advice to follow the FSF's stance here and/or come to the same conclusion.
In general, the Debian project so far has not asked for legal advice for copyright issues, only other (trademarks, export restrictions, etc.) and I don't see why it would need it now.
If Red Hat and the PostgreSQL project think it is fine to distribute those binaries, it would be nice if they shared their legal opinion with the rest of the world.
I don't regard the FSF as a disinterested party, but on the contrary as a party of interest with a distinct interest to push. Debian's attitude might seem more reasonable to me had they not for many years happily published PostgreSQL binaries linked against both libreadline and openssl.
Maybe the FSF is right and the licenses are incompatible, but it's damn late in the day to be starting to act on such a determination. All it does from my POV is to make it that much less likely that I will ever use Debian/Ubuntu if given a choice, or advise my clients ever to use them.
Being late should not be an excuse for not respecting the wishes of a copyright holder.
It's an unfortunate situation, as libedit is clearly not on-par with libreadline, but it's not the first time that Debian ships a package with reduced functionality just to fully comply with the license of all the pieces involved.
Maybe more communication between the downstream and upstream is what was needed, but for sure ignoring the libreadline license terms can't be the right solution.
Any chance postgres will be ported to the more link-friendly gnutls library? :-)
Maybe. NSS is another possibility, and might seem preferable for several reasons, including the existence of an openssl compatibility library, and FIPS 140 certification. It's what Fedora is using for its crypto consolidation effort, and their reasoning seems persuasive to me.
Incidentally, in legal terms your first statement is not true. Possibly you didn't mean it as a legal argument, but if you did you're almost certainly wrong. Copyright law has a statute of limitations, at least in the USA, and some US courts have also held that untimely copyright claims can be barred by the doctrine of laches, although I'm not sure how good that authority still is. Nevertheless, I suspect we might have quite a good defense if ever the readline copyright holders decided to test it.
What did I say about geeks and lawyers? (and yes, it applies to me too.)