Can’t redistribute mod_security binaries!

Oh great.  Looking at Ubuntu Bug #19832, it seems Debian and Ubuntu dropped mod_security because of a complex licensing conflict.  Basically, mod_security comes under BSD and GPL licenses, but uses headers under the Apache Public License (APL).  Because of the way GPL and APL work, you can redistribute the source; however, after compilation, you can’t redistribute the binaries.  In short, Ubuntu and Debian can’t legally ship compiled binary packages of mod_security, due to a copyright violation against Apache.

Too many open source licenses right?  Wrong.  Breach Security decided to specifically create the license conflict as a business decision.  I can’t tell exactly why; possibly to keep Apache from absorbing mod_security as an official Apache sub-project.  They do point out on their download page that several distributions supply packages of mod_security, so they obviously don’t mind; besides, the foul goes against Apache here, not mod_security.

So mod_security won’t change its license because Breach Security created this conflict as a business decision.  What if we fix the conflict another way?  What if Apache relicensed the header files in Apache to the MIT license, but kept the actual program logic (i.e. C source) as APL?  This would create a situation where Apache risks someone “stealing” its headers for a close-sourced product, but would still force such an entity to rewrite all of Apache’s code from scratch.  It would also leave anyone free to use the headers for Apache to do whatever they please, including write any kind of open or closed source Apache module.

Such a move would instantly free Ubuntu and Debian to ship mod_security.  It would also irritate Breach Security, possibly resulting in a closed source mod_security.  Because Breach keeps their latest development code out there, anyone could pick up the latest snapshot and continue mod_security under GPL; in short, Apache could easily (given eager developers) turn such a move by Breach into an XFree86/Xorg fiasco.  Closing the source would severely damage Breach’s business model in this scenario.

I will bring this possibility up to the Ubuntu devel-discuss list soon.  From there I may manage to persuade some high-profile Ubuntu developers to work with the Apache Software Foundation to negotiate a partial relicense of the Apache headers.  Failing that, I can rewrite the headers required to build an Apache module, giving an alternate way to produce a binary mod_security; a look through the developer documentation will give me all I need.


~ by John Moser on November 2, 2007.

One Response to “Can’t redistribute mod_security binaries!”

  1. 1. The GPL doesn’t preclude debian/ubuntu redistributing an Apache module. See the history of debian and mod_proxy_html (including on debian’s legal issues mailinglist) for details.

    2. mod_security has been GPL since long before Breach acquired it.

    You might want to see
    including the comments.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: