RFC: OpenSSL vs. GNU GPL (affects security/openvpn)?

[Matthias Andree]

Hi,

it has recently been brought to my attention that the OpenVPN package
links against both OpenSSL (which is under a BSD-derived license with
advertising clause) and LZO (which is under the GNU GPL). OpenVPN itself
includes an exception to the GNU GPL allowing linking against OpenSSL.

The OpenVPN developers and Debian packagers (who brought this up first)
haven't yet been able to get special permission or a license change to
link LZO against OpenSSL (they sent a mail to the LZO maintainer in
January), so it seems there are now two options (there is a third one
but I don't consider that viable):

1. declare NOPACKAGE in the Makefile. That way, only the end user
   performs the link, but he doesn't redistribute the code, so the
   advertising clause doesn't bit the GNU GPL (is that correct?). This
   can cause user inconvenience.

2. remove LZO (real-time compression) support from OpenVPN. This can
   cause compatibility problems.

(3. Replace OpenSSL with some similar software that has a license
    compatible with the GPL. GNUTLS is to become something like this,
    but the maturity is unknown.)

How do I go about this now? I tend to use #1. Opinions? Is #1 sufficient
to solve the licensing issue?

-- 
Matthias Andree