Asterisk GPL Compliance

How to make your Asterisk code base GPL compliant


Due to the large number of different open source licenses it can be difficult to understand which software components can be used within GPL released software and how. From time to time, software components with GPL incompatible licensing or usage terms are introducted to GPL software in error. Asterisk is no exception.

The purpose of this wiki page is to identify such mistakes and collect information how licensing problems can be resolved.

For a list of GPL compatible and GPL incompatible licenses see http://www.gnu.org/philosophy/license-list.html.

For further information read the article "What legal issues come up if I use GPL-incompatible libraries with GPL software?" at GNU.org.



Editline library


Asterisk ships with Editline, a NetBSD library statically linked into the asterisk binary. This library is released under the 4 clause license that NetBSD uses to this day which is incompatible with the GPL. In order to resolve the licensing conflict Editline must be replaced. Without resolving this conflict, the GPL license of the Asterisk distribution is technically invalidated which means nobody has the right to use, modify nor distribute Asterisk with the exception of Asterisk Business Edition customers (commercially licensed).

However, the GPL license is not invalidated on those files which do not touch Editline which means it is possible to replace Editline with a library that is licensed under a GPL compatible license such as GNU Readline, and thereby get an Asterisk package for which the GPL license applies. In other words is not necessary to wait for Digium to fix this issue, it can be done by anyone with the skill to replace the offending library.

For an initial patch to implement this, see http://bugs.digium.com/view.php?id=6636 . Note, however, that it seems like this won't get into Asterisk anytime soon.

Digium's GPL key for Asterisk modules


Digium has added a paragraph of text under the symbol ASTERISK_GPL_KEY in include/asterisk/module.h which every Asterisk module must return when a function *key() is called by the module loader. This paragraph makes a claim that modules must only be released under the GPL license, not any other license, which excludes GPL compatible licensing and thereby constitutes an additional restriction which is explicitly prohibited by section 7 of the GPL. see http://www.eff.org/legal/cases/Lexmark_v_Static_Control/20041026_Ruling.pdf for additional information on this type of activity and generally why that paragraph cant even be legally copyrighted (at least in America, where digium is based).

Some module authors who wanted to license their modules under LGPL or other GPL compatible licenses have been concerned that by using and returning Digium's key they may be in legal limbo because Digium claims that the paragraph of text which the key represents cannot be legally used by a module that is not GPL licensed. Some have even suggested that the use of Digium's key alone constitutes agreement with their claim.

In order to provide a workaround for module authors who wish to released moduls under LGPL (or other GPL compatible licenses) without using Digium's key, a header file 'astlgplkey.h' which contains a replacement key and legal disclaimers and comments has been released into the public domain.

To use the interoperability key
  • download astlgplkey.h
  • add the file to the directory include/asterisk in your Asterisk source tree
  • add #include <asterisk/astlgplkey.h> in your Asterisk module
  • replace ASTERISK_GPL_KEY with ASTERISK_LGPL_KEY (or INTEROPERABILITY_KEY)
  • rebuild

An example of a BSD licensed Asterisk module using this workaround can be found here

The ideal solution would be to simply remove the Digium GPL key and its verification code in loader.c altogether.

To remove the verification code
  • edit loader.c
  • remove #include <asterisk/md5.h>
  • remove static variable expected_key
  • remove functions printdigest, key_matches and verify_key
  • remove if-block "if (key && verify_key(key)) { ..." in function ast_load_resource
  • edit include/asterisk/module.h
  • redefine ASTERISK_GPL_KEY as "\0"
  • alternatively, remove ASTERISK_GPL_KEY and remove function *key() from each module
  • rebuild

Please note that if you currently redefine ASTERISK_GPL_KEY to anything other than what it is you make your modules incompatible with unpatched versions of asterisk, as such it may be a bit premature to take that part out, however removing the key check functions wont harm anything for pre/post patched modules. In essence that patch removes all checking and verification of the lockout key.

A patch for loader.c against SVN-branch-1.2-r7917M exists. This should work against 1.2.x and possibly 1.0.x although it has not been tested against 1.0.x.


OpenSSL

OpenSSL is used for cryptographic functions in both res_crypto.so and the asterisk binary.

OpenSSL is considered GPL incompatible. A common way around this is to slightly modify the license to allow linking with OpenSSL. This method is used with Asterisk and will generally work, however most of the modules in asterisk-addons don't have that modified GPL license and are thus incompatiible.

How to make your Asterisk code base GPL compliant


Due to the large number of different open source licenses it can be difficult to understand which software components can be used within GPL released software and how. From time to time, software components with GPL incompatible licensing or usage terms are introducted to GPL software in error. Asterisk is no exception.

The purpose of this wiki page is to identify such mistakes and collect information how licensing problems can be resolved.

For a list of GPL compatible and GPL incompatible licenses see http://www.gnu.org/philosophy/license-list.html.

For further information read the article "What legal issues come up if I use GPL-incompatible libraries with GPL software?" at GNU.org.



Editline library


Asterisk ships with Editline, a NetBSD library statically linked into the asterisk binary. This library is released under the 4 clause license that NetBSD uses to this day which is incompatible with the GPL. In order to resolve the licensing conflict Editline must be replaced. Without resolving this conflict, the GPL license of the Asterisk distribution is technically invalidated which means nobody has the right to use, modify nor distribute Asterisk with the exception of Asterisk Business Edition customers (commercially licensed).

However, the GPL license is not invalidated on those files which do not touch Editline which means it is possible to replace Editline with a library that is licensed under a GPL compatible license such as GNU Readline, and thereby get an Asterisk package for which the GPL license applies. In other words is not necessary to wait for Digium to fix this issue, it can be done by anyone with the skill to replace the offending library.

For an initial patch to implement this, see http://bugs.digium.com/view.php?id=6636 . Note, however, that it seems like this won't get into Asterisk anytime soon.

Digium's GPL key for Asterisk modules


Digium has added a paragraph of text under the symbol ASTERISK_GPL_KEY in include/asterisk/module.h which every Asterisk module must return when a function *key() is called by the module loader. This paragraph makes a claim that modules must only be released under the GPL license, not any other license, which excludes GPL compatible licensing and thereby constitutes an additional restriction which is explicitly prohibited by section 7 of the GPL. see http://www.eff.org/legal/cases/Lexmark_v_Static_Control/20041026_Ruling.pdf for additional information on this type of activity and generally why that paragraph cant even be legally copyrighted (at least in America, where digium is based).

Some module authors who wanted to license their modules under LGPL or other GPL compatible licenses have been concerned that by using and returning Digium's key they may be in legal limbo because Digium claims that the paragraph of text which the key represents cannot be legally used by a module that is not GPL licensed. Some have even suggested that the use of Digium's key alone constitutes agreement with their claim.

In order to provide a workaround for module authors who wish to released moduls under LGPL (or other GPL compatible licenses) without using Digium's key, a header file 'astlgplkey.h' which contains a replacement key and legal disclaimers and comments has been released into the public domain.

To use the interoperability key
  • download astlgplkey.h
  • add the file to the directory include/asterisk in your Asterisk source tree
  • add #include <asterisk/astlgplkey.h> in your Asterisk module
  • replace ASTERISK_GPL_KEY with ASTERISK_LGPL_KEY (or INTEROPERABILITY_KEY)
  • rebuild

An example of a BSD licensed Asterisk module using this workaround can be found here

The ideal solution would be to simply remove the Digium GPL key and its verification code in loader.c altogether.

To remove the verification code
  • edit loader.c
  • remove #include <asterisk/md5.h>
  • remove static variable expected_key
  • remove functions printdigest, key_matches and verify_key
  • remove if-block "if (key && verify_key(key)) { ..." in function ast_load_resource
  • edit include/asterisk/module.h
  • redefine ASTERISK_GPL_KEY as "\0"
  • alternatively, remove ASTERISK_GPL_KEY and remove function *key() from each module
  • rebuild

Please note that if you currently redefine ASTERISK_GPL_KEY to anything other than what it is you make your modules incompatible with unpatched versions of asterisk, as such it may be a bit premature to take that part out, however removing the key check functions wont harm anything for pre/post patched modules. In essence that patch removes all checking and verification of the lockout key.

A patch for loader.c against SVN-branch-1.2-r7917M exists. This should work against 1.2.x and possibly 1.0.x although it has not been tested against 1.0.x.


OpenSSL

OpenSSL is used for cryptographic functions in both res_crypto.so and the asterisk binary.

OpenSSL is considered GPL incompatible. A common way around this is to slightly modify the license to allow linking with OpenSSL. This method is used with Asterisk and will generally work, however most of the modules in asterisk-addons don't have that modified GPL license and are thus incompatiible.

Created by: STS, Last modification: Wed 10 of Sep, 2008 (08:32 UTC) by admin
Please update this page with new information, just login and click on the "Edit" or "Discussion" tab. Get a free login here: Register Thanks! - Find us on Google+