# Latest update to security/stunnel removes libressl support



## Wapcaplet (Oct 21, 2016)

The latest commit/upgrade to security/stunnel removes the patches that allow the port to build with security/libressl:

https://svnweb.freebsd.org/ports?view=revision&revision=424369

Does this mean we're on our own to patch stunnel to support libressl?  Why can't the port still include the patches even if upstream refuses to support them?


----------



## marino (Oct 21, 2016)

I asked zi@ to answer it.  As the person that committed those patches, I'd like to know myself.


----------



## marino (Oct 21, 2016)

It might be answered here, sort of: https://www.stunnel.org/pipermail/stunnel-users/2015-March/004990.html



> GPL 2.0 section 3 allows stunnel to be linked against
> GPL-incompatible libraries included with the operating system.
> This is the case for LibreSSL on the FreeBSD operating system.
> 
> ...


----------



## marino (Oct 21, 2016)

It's weird, it sounds like Mike approves it on FreeBSD but not others. The reasoning for either is unclear to me.
It also sounds like the port could be set to NO_PACKAGE MANUAL_PACKAGE if libressl is detected so people can build it themselves (which avoids distribution).


----------



## tobik@ (Oct 21, 2016)

I'm reminded of this old article from Ted Unangst about stunnel and LibreSSL: http://www.tedunangst.com/flak/post/the-peculiar-libretunnel-situation


----------



## marino (Oct 21, 2016)

yep, I just came back to post that.  weird.


----------



## marino (Oct 21, 2016)

So 2 more thoughts:

- DragonFly, TrueOS, and HardenedBSD are a different case than FreeBSD, because the former provide libressl as part of the OS, so it's covered by GPL already and I don't think the stunnel author can subvert that.
- The stunnel author apparently has a beef with libressl and is intentionally trying to block its adoption.

Sounds like it's time to find a new tunnel program.


----------



## Wapcaplet (Oct 21, 2016)

I'd love to find another secure tunnel program that meets my use case (tunneling SMB without maintaining a constant connection between client and server), given how obstinate the developer is.  Does such a thing exist?  I previously tunneled an SMB connection over SSH, but that required a constant SSH connection.

In any event, I'm still not convinced that the license actually lets the developer legally do what he wants to do.


----------



## marino (Oct 21, 2016)

You shouldn't be.

- The stunnel license covers modified OpenSSL if the license is unchanged.  Isn't LibreSSL just a modified OpenSSL with the same license?  If so, there's no problem for *any* OS.
- Secondly, I think "distribution" is a key word.  There should be no legal problem with manually building as long as the resulting package is not distributed (again assuming the first bullet isn't in effect).

I think this guy just shot off his mouth without thinking, and now feels compelled to dig in his heels so he doesn't have to admit he's wrong.


----------



## Wapcaplet (Oct 21, 2016)

You're right -- LibreSSL is released under the OpenSSL license.  I erroneously thought it had been relicensed somehow.  And the official FreeBSD stunnel package links to OpenSSL, so there's no distribution of a LibreSSL-linked version.

So the patches should be recommitted.


----------



## marino (Oct 21, 2016)

Yeah, I think zi@ should reconsider based on what's been said and revealed here.  You have a good point that the patches don't hurt the baseline openssl build; they just enable the build for people that specify libressl optionally or the 3 OSs that have libressl in base (which is already covered by the GPL system library exception and thus exempt already).


----------



## kpa (Oct 22, 2016)

The developer would be on very shaky ground if someone challenged the case and took it to a court; he is basically saying that he can by his whim re-interpret and re-write the licensing conditions he originally chose for his software. That's not going to fly very far.

That challenge is not going to come from FreeBSD though; the Foundation and the Project try to avoid legal confrontations at all costs.

Ironically, the GPL offers too much "freedom" now.


----------



## Wapcaplet (Oct 24, 2016)

Any updates on this?  I was holding off on patching the port locally in the hope that this would be fixed.


----------

