summaryrefslogtreecommitdiff
path: root/docs/LICENSE-MIXING
blob: 3db1a3d7f171d24fe6f9f656a2630b1a095dc89e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
         License Mixing with apps, libcurl and Third Party Libraries
         ===========================================================

libcurl can be built to use a fair amount of various third party libraries,
libraries that are written and provided by other parties that are distributed
using their own licenses. Even libcurl itself contains code that may cause
problems to some. This document attempts to describe what licenses libcurl and
the other libraries use and what possible dilemmas linking and mixing them all
can lead to for end users.

I am not a lawyer and this is not legal advice!

One common dilemma is that GPL[1]-licensed code is not allowed to be linked
with code licensed under the Original BSD license (with the announcement
clause). You may still build your own copies that use them all, but
distributing them as binaries would be to violate the GPL license - unless you
accompany your license with an exception[2]. This particular problem was
addressed when the Modified BSD license was created, which does not have the
announcement clause that collides with GPL.

libcurl http://curl.haxx.se/docs/copyright.html

        Uses an MIT (or Modified BSD)-style license that is as liberal as
        possible.  Some of the source files that deal with KRB4 have Original
        BSD-style announce-clause licenses. You may not distribute binaries
        with krb4-enabled libcurl that also link with GPL-licensed code!

OpenSSL http://www.openssl.org/source/license.html

        (May be used for SSL/TLS support) Uses an Original BSD-style license
        with an announcement clause that makes it "incompatible" with GPL. You
        are not allowed to ship binaries that link with OpenSSL that includes
        GPL code (unless that specific GPL code includes an exception for
        OpenSSL - a habit that is growing more and more common). If OpenSSL's
        licensing is a problem for you, consider using GnuTLS or yassl
        instead.

GnuTLS  http://www.gnutls.org/

        (May be used for SSL/TLS support) Uses the LGPL[3] license. If this is
        a problem for you, consider using OpenSSL instead. Also note that
        GnuTLS itself depends on and uses other libs (libgcrypt and
        libgpg-error) and they too are LGPL- or GPL-licensed.

yassl   http://www.yassl.com/

        (May be used for SSL/TLS support) Uses the GPL[1] license. If this is
        a problem for you, consider using OpenSSL or GnuTLS instead.

NSS     http://www.mozilla.org/projects/security/pki/nss/

        (May be used for SSL/TLS support) Is covered by the MPL[4] license,
        the GPL[1] license and the LGPL[3] license. You may choose to license
        the code under MPL terms, GPL terms, or LGPL terms. These licenses
        grant you different permissions and impose different obligations. You
        should select the license that best meets your needs.

c-ares  http://daniel.haxx.se/projects/c-ares/license.html

        (Used for asynchronous name resolves) Uses an MIT license that is very
        liberal and imposes no restrictions on any other library or part you
        may link with.

zlib    http://www.gzip.org/zlib/zlib_license.html

        (Used for compressed Transfer-Encoding support) Uses an MIT-style
        license that shouldn't collide with any other library.

krb4

        While nothing in particular says that a Kerberos4 library must use any
        particular license, the one I've tried and used successfully so far
        (kth-krb4) is partly Original BSD-licensed with the announcement
        clause. Some of the code in libcurl that is written to deal with
        Kerberos4 is Modified BSD-licensed.

MIT Kerberos http://web.mit.edu/kerberos/www/dist/

        (May be used for GSS support) MIT licensed, that shouldn't collide
        with any other parts.

Heimdal http://www.pdc.kth.se/heimdal/

        (May be used for GSS support) Heimdal is Original BSD licensed with
        the announcement clause.

GNU GSS http://www.gnu.org/software/gss/

        (May be used for GSS support) GNU GSS is GPL licensed. Note that you
        may not distribute binary curl packages that uses this if you build
        curl to also link and use any Original BSD licensed libraries!

fbopenssl

        (Used for SPNEGO support) Unclear license. Based on its name, I assume
        that it uses the OpenSSL license and thus shares the same issues as
        described for OpenSSL above.

libidn  http://josefsson.org/libidn/

        (Used for IDNA support) Uses the GNU Lesser General Public
        License [3]. LGPL is a variation of GPL with slightly less aggressive
        "copyleft". This license requires more requirements to be met when
        distributing binaries, see the license for details. Also note that if
        you distribute a binary that includes this library, you must also
        include the full LGPL license text. Please properly point out what
        parts of the distributed package that the license addresses.

OpenLDAP http://www.openldap.org/software/release/license.html

        (Used for LDAP support) Uses a Modified BSD-style license. Since
        libcurl uses OpenLDAP as a shared library only, I have not heard of
        anyone that ships OpenLDAP linked with libcurl in an app.

libssh2 http://www.libssh2.org/

        (Used for scp and sftp support) libssh2 uses a Modified BSD-style
        license.

[1] = GPL - GNU General Public License: http://www.gnu.org/licenses/gpl.html
[2] = http://www.fsf.org/licenses/gpl-faq.html#GPLIncompatibleLibs details on
      how to write such an exception to the GPL
[3] = LGPL - GNU Lesser General Public License:
      http://www.gnu.org/licenses/lgpl.html
[4] = MPL - Mozilla Public License:
      http://www.mozilla.org/MPL/