OpenSSL in Python (move to variant?)

Wed Nov 23 02:46:20 PST 2011

On 2011-11-23 16:46 , Dan Ports wrote:
> On Tue, Nov 22, 2011 at 07:50:00PM -0600, Eric A. Borisch wrote:
>> OpenSSL's license negatively impacts the usefulness of the binary
>> distribution process within MacPorts. I propose moving openssl support
>> to a non-default variant within the pythonNN ports. This will permit
>> more of the packages that depend on python to be distributable through
>> binary packages.
> 
> Thanks for bringing this up. I've run up against this before, and I
> think this is an important issue. The python -> openssl dependency is a
> pretty common reason for ports to falsely fail the license check. (The
> most common, of course, is not having a license tag at all -- but we've
> made a lot of progress on that one recently!)

I'm not entirely sure it's a false failure. FSF's position is a little
bit complicated and to me seems to try to make distinctions that don't
exist in reality. They say an interpreted program is not a derivative
work of the interpreter it runs in, which includes any libraries it may
use. But then they say that "library bindings" that can be used by
interpreted code do make the interpreted code a derivative work of the
library it uses via the bindings.

The situation for code that uses e.g. hashlib, which is considered a
standard part of python, is thus vague. Even vaguer if it doesn't
directly use hashlib but uses some standard library code that uses hashlib.

> A similar issue is that both Python and perl depend on gdbm for one of
> their standard library modules. gdbm has a GPL-3+ license, so it
> conflicts with anything that's GPL-2 only.

For python, gdbm could and probably should be split out into a separate
port (again). I don't know if that's easily doable for perl, or how much
perl code relies on gdbm being available. The perl5.8 port actually has
it as a non-default variant.

> I'm not particularly thrilled by the idea of disabling openssl (or
> gdbm) from Python. I assume this means it's not going to build the ssl
> standard library module, and I think it could be pretty surprising for
> users if it suddenly disappeared from the port.

There used to be a separate py-hashlib port, but I'm pretty sure openssl
is used in more places than just hashlib.

> The way I'd prefer to deal with it is to have an option to skip the
> license check for a particular dependency (say,
> depends_skip_licensecheck).

Yeah, this is one of the mechanisms for specifying more precisely
how ports' licenses interact that I mentioned needing back in July. I
wouldn't phrase it in terms of skipping the license checking though, but
rather giving it more information.

- Josh