Latest update to security/stunnel removes libressl support

[Wapcaplet]

The latest commit/upgrade to security/stunnel removes the patches that allow the port to build with security/libressl:

https://svnweb.freebsd.org/ports?view=revision&revision=424369

Does this mean we're on our own to patch stunnel to support libressl? Why can't the port still include the patches even if upstream refuses to support them?

 

[marino]

I asked zi@ to answer it. As the person that committed those patches, I'd like to know myself.

 

[marino]

It might be answered here, sort of: https://www.stunnel.org/pipermail/stunnel-users/2015-March/004990.html

GPL 2.0 section 3 allows stunnel to be linked against
GPL-incompatible libraries included with the operating system.
This is the case for LibreSSL on the FreeBSD operating system.

Nevertheless, I don't support LibreSSL nor extend the OpenSSL GPL
exception to allow distributing stunnel linked against LibreSSL for
other operating systems.

Mike

 

[marino]

it's weird, it sounds like Mike approves it on FreeBSD but not others. The reasoning for either is unclear to me.
It also sounds like the port could be set to NO_PACKAGE MANUAL_PACKAGE if libressl is detected so people can build it themselves (which avoids distribution)

 

[tobik@]

I'm reminded of this old article from Ted Unangst about stunnel and LibreSSL: http://www.tedunangst.com/flak/post/the-peculiar-libretunnel-situation

 

[marino]

yep, I just came back to post that. weird.

 

[marino]

so 2 more thoughts:

1. DragonFly, TrueOS, and HardenBSD are a different case than FreeBSD, because the former provide libressl as part of the OS, so it's covered by GPL already and I don't think stunnel author can subvert that
2. stunnel author apparently has a beef with libressl and is intentionally trying to block its adoption

sounds like its time to find a new tunnel program

 

[Wapcaplet]

I'd love to find another secure tunnel program that meets my use case (tunneling SMB without maintaining a constant connection between client and server), given how obstinate the developer is. Does such a thing exist? I previously tunneled an SMB connection over SSH, but that required a constant SSH connection.

In any event, I'm still not convinced that the license actually lets the developer legally do what he wants to do.

 

[marino]

you shouldn't be.
The stunnel license covers modified OpenSSL if the license is unchanged. Isn't LibreSSL just a modified OpenSSL with the same license? If so, there's no problem for *any* OS.
Secondly, I think "distribution" is a key word. There should be no legal problem with manually building as long as the resulting package is not distributed (against assuming the first bullet isn't in effect)

I think this guy just shot off his mouth without thinking, and now feels compelled to dig in his heels so he doesn't have to admit he's wrong.

 

[Wapcaplet]

You're right -- LibreSSL is released under the OpenSSL license. I erroneously thought it had been relicensed somehow. And the official FreeBSD stunnel package links to OpenSSL, so there's no distribution of a LibreSSL-linked version.

So the patches should be recommitted.

 

[marino]

yeah, I think zi@ should reconsider based on what's been said and revealed here. You have a good point that the patches don't hurt the baseline openssl build, they just enable the build for people that specify libressl optionally or the 3 OSs that have libressl in base (which is already covered by GPL system library exception and thus exempt already)

 

[kpa]

The developer would be on very shaky ground if someone challenged the case and took it to a court, he is basically saying that he can by his whim re-interpret and re-write the licensing conditions he originally chose for his software. That's not going to fly very far.

That challenge is not going to come from FreeBSD though, the Foundation and the Project try to avoid legal confrontations at all cost.

Ironically, the GPL offers too much "freedom" now

 

[Wapcaplet]

Any updates on this? I was holding off on patching the port locally in the hope that this would be fixed.