[Openvpn-devel,v2] Add warning about mbed TLS licensing problem

Message ID 20220216140457.6651-1-maximilian.fillinger@foxcrypto.com
State Superseded
Headers show
Series [Openvpn-devel,v2] Add warning about mbed TLS licensing problem | expand

Commit Message

Maximilian Fillinger Feb. 16, 2022, 3:04 a.m. UTC
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
---
 README.mbedtls | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

Comments

Frank Lichtenheld Feb. 16, 2022, 5:51 a.m. UTC | #1
> Max Fillinger <maximilian.fillinger@foxcrypto.com> hat am 16.02.2022 15:04 geschrieben:
> 
>  
> Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
> ---
>  README.mbedtls | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)

Might be good to also add a note in the "Deprecated Features" section of Changes.rst?
Just to increase visibility.

Regards,
--
Frank Lichtenheld
Gert Doering Feb. 20, 2022, 3:06 a.m. UTC | #2
Hi,

On Wed, Feb 16, 2022 at 05:51:02PM +0100, Frank Lichtenheld wrote:
> > Max Fillinger <maximilian.fillinger@foxcrypto.com> hat am 16.02.2022 15:04 geschrieben:
> > 
> > Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
> > ---
> >  README.mbedtls | 17 +++++++++++++++++
> >  1 file changed, 17 insertions(+)
> 
> Might be good to also add a note in the "Deprecated Features" section of Changes.rst?
> Just to increase visibility.

For v3, we've decided that we just mention the problem, but do not
state a formal depreciation date - the license issue is still under
debate, I've been told, so maybe we can continue to support mbedTLS.

We'll see... and 2.7 is quite some time away.

gert

Patch

diff --git a/README.mbedtls b/README.mbedtls
index 4875822d..062ae470 100644
--- a/README.mbedtls
+++ b/README.mbedtls
@@ -11,6 +11,23 @@  This version depends on mbed TLS 2.0 (and requires at least 2.0.0).
 
 *************************************************************************
 
+Warning:
+
+As of version 2.17, mbed TLS can be licensed *only* under the Apache v2.0
+license. That license is incompatible with OpenVPN's GPLv2.
+
+If you wish to distribute OpenVPN linked with mbed TLS, there are two options:
+
+ * Ensure that your case falls under the system library exception in GPLv2, or
+
+ * Use an earlier version of mbed TLS. Version 2.16.12 is the last release
+   that may be licensed under GPLv2. Unfortunately, this version is
+   unsupported and won't receive any more updates.
+
+Support for mbed TLS is likely to be removed in OpenVPN 2.7.
+
+*************************************************************************
+
 Due to limitations in the mbed TLS library, the following features are missing
 in the mbed TLS version of OpenVPN: