[Chicken-hackers] Re: Backdoor GPL in message-digest

[Jim Ursetto]

On Mon, Aug 23, 2010 at 14:43, Kon Lovett <address@hidden> wrote:
> Assume a component of package A uses something that is GPL'ed, but no other
> component in that package uses the GPL tainted component (it is "just along
> for the ride"). Then all components of package A are tainted?

> Doesn't this reasoning lead to the absurd conclusion that any software
> installation with a GPL'ed component somewhere is tainted? Or is it just the
> act of packaging? Then the Chicken svn repo is tainted since it can be
> delivered as a package?

As Peter said it has to do with being a derivative work -- if you
dynamically link against a library that falls under GPL and you
release your application, then you must also release your source code
under GPL.  Yes, it is transitive.  No, simply distributing a package
licensed under GPL with your package does not exhibit this problem,
there needs to be a functional API dependency which is typically
expressed by static or dynamic linking or code inclusion.  LGPL
resolves this by allowing dynamic linking.  As a non-lawyer I approach
this by considering it safe to have LGPL in the dependency chain but
never GPL, unless the entire chain is already GPL.

>> We'd appreciate it if you would remove this dependency.
> Done.

Thank you Kon.  The denizens of #chicken appreciate it.  (Feel free to
join us sometime.)

Jim