<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
    <title>point.free - Rust</title>
    <subtitle>Notes from Christina Sørensen — software engineer, NixOS Steering Committee, author of eza.</subtitle>
    <link rel="self" type="application/atom+xml" href="https://point.free/tags/rust/atom.xml"/>
    <link rel="alternate" type="text/html" href="https://point.free"/>
    <generator uri="https://www.getzola.org/">Zola</generator>
    <updated>2024-06-17T14:00:00+00:00</updated>
    <id>https://point.free/tags/rust/atom.xml</id>
    <entry xml:lang="en">
        <title>rustls and aws-sdk seem incompatible with FOSS</title>
        <published>2024-06-17T14:00:00+00:00</published>
        <updated>2024-06-17T14:00:00+00:00</updated>
        
        <author>
          <name>
            
              Christina Sørensen
            
          </name>
        </author>
        
        <link rel="alternate" type="text/html" href="https://point.free/blog/rusts-ring-problem/"/>
        <id>https://point.free/blog/rusts-ring-problem/</id>
        
        <content type="html" xml:base="https://point.free/blog/rusts-ring-problem/">&lt;p&gt;I should preface this with the fact that I am by no means a lawyer or anything
like it. Nothing here constitutes a legal argument or should be taken as true. I
may be completely wrong or have missed crucial details.&lt;&#x2F;p&gt;
&lt;p&gt;As part of a rust project I’ve been working on at dayjob, I’ve had to audit all
dependencies for license compatibility with the AGPLv3, our preferred license.
Sadly, I encountered what I think is a major ecosystem blocker, and we will
likely not be able to license the code under AGPLv3, or any GPL license for that
matter, having to go with a more permissive, but compatible license until the
problem this post is about is fixed. Which is a shame, and something I wanna
bring more attention to.&lt;&#x2F;p&gt;
&lt;hr &#x2F;&gt;
&lt;p&gt;A fairly fundamental crate in rust is
&lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;briansmith&#x2F;ring&quot;&gt;ring&lt;&#x2F;a&gt;, providing “safe, fast, small crypto
using Rust”. To understand how fundamental it is, consider that other crates
such as &lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;rustls&#x2F;rustls&quot;&gt;rustls&lt;&#x2F;a&gt;, the
&lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;awslabs&#x2F;aws-sdk-rust&quot;&gt;aws-sdk-rust&lt;&#x2F;a&gt; crate, and
&lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;rustls&#x2F;sct.rs&quot;&gt;sct&lt;&#x2F;a&gt; make use of ring. And this is by no
means an exhaustive list.&lt;&#x2F;p&gt;
&lt;p&gt;The problem with ring, as you may well notice if you dare read its rather
convoluted
&lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;briansmith&#x2F;ring?tab=License-1-ov-file#readme&quot;&gt;license&lt;&#x2F;a&gt;&lt;sup class=&quot;footnote-reference&quot; id=&quot;fr-1-1&quot;&gt;&lt;a href=&quot;#fn-1&quot;&gt;[1]&lt;&#x2F;a&gt;&lt;&#x2F;sup&gt;, is
that amongst its licenses is the OpenSSL license. The problem with the OpenSSL
license is that it’s equivalent to a 4-clause BSD license. That is, it contains the
problematic advertisement clause.&lt;&#x2F;p&gt;
&lt;pre data-lang=&quot;txt&quot; class=&quot;language-txt z-code&quot;&gt;&lt;code class=&quot;language-txt&quot; data-lang=&quot;txt&quot;&gt;&lt;span class=&quot;z-text z-plain&quot;&gt; * 3. All advertising materials mentioning features or use of this
&lt;&#x2F;span&gt;&lt;span class=&quot;z-text z-plain&quot;&gt; *    software must display the following acknowledgment:
&lt;&#x2F;span&gt;&lt;span class=&quot;z-text z-plain&quot;&gt; *    &amp;quot;This product includes software developed by the OpenSSL Project
&lt;&#x2F;span&gt;&lt;span class=&quot;z-text z-plain&quot;&gt; *    for use in the OpenSSL Toolkit. (http:&#x2F;&#x2F;www.openssl.org&#x2F;)&amp;quot;
&lt;&#x2F;span&gt;&lt;&#x2F;code&gt;&lt;&#x2F;pre&gt;
&lt;p&gt;This clause is &lt;a href=&quot;https:&#x2F;&#x2F;opensource.stackexchange.com&#x2F;questions&#x2F;8040&#x2F;why-does-the-clause-3-of-4-clause-bsd-makes-it-incompatible-with-gpl&quot;&gt;well
known&lt;&#x2F;a&gt;
for being GPL-incompatible, and indeed, if you look up the OpenSSL license on
the &lt;a href=&quot;https:&#x2F;&#x2F;gnu.org&quot;&gt;gnu.org&lt;&#x2F;a&gt; list &lt;a href=&quot;https:&#x2F;&#x2F;www.gnu.org&#x2F;licenses&#x2F;license-list.en.html#OpenSSL&quot;&gt;of GPL-compatible
licenses&lt;&#x2F;a&gt;, the
license is considered GPL-incompatible.&lt;&#x2F;p&gt;
&lt;p&gt;But so what? Big deal?&lt;&#x2F;p&gt;
&lt;p&gt;Big deal… yes. This means that if you want to interface with s3 storage&lt;sup class=&quot;footnote-reference&quot; id=&quot;fr-3-1&quot;&gt;&lt;a href=&quot;#fn-3&quot;&gt;[2]&lt;&#x2F;a&gt;&lt;&#x2F;sup&gt;, or
use rustls, you’ll be GPL incompatible!&lt;&#x2F;p&gt;
&lt;p&gt;For example, consider the following GNU Affero General Public License Version 3
projects that use crates in the &lt;code&gt;aws-sdk&lt;&#x2F;code&gt; suite, or &lt;code&gt;rustls&lt;&#x2F;code&gt;.&lt;&#x2F;p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;zed-industries&#x2F;zed&quot;&gt;zed&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;signalapp&#x2F;Signal-Calling-Service&quot;&gt;Signal-Calling-Service&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;deuxfleurs-org&#x2F;garage&quot;&gt;garage s3&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;quickwit-oss&#x2F;quickwit&quot;&gt;quickwit&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;li&gt;&lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;rustdesk&#x2F;rustdesk&quot;&gt;rustdesk&lt;&#x2F;a&gt;&lt;&#x2F;li&gt;
&lt;&#x2F;ul&gt;
&lt;p&gt;And these are just some quick examples I found with a quick GitHub search; there
is probably much more software currently out there in the rust ecosystem that’s
using a license that its crates are fundamentally incompatible with&lt;sup class=&quot;footnote-reference&quot; id=&quot;fr-2-1&quot;&gt;&lt;a href=&quot;#fn-2&quot;&gt;[3]&lt;&#x2F;a&gt;&lt;&#x2F;sup&gt;.&lt;&#x2F;p&gt;
&lt;p&gt;While this is a problem the &lt;code&gt;ring&lt;&#x2F;code&gt; crate &lt;a href=&quot;https:&#x2F;&#x2F;github.com&#x2F;briansmith&#x2F;ring&#x2F;issues&#x2F;1827&quot;&gt;seems to be aware
of&lt;&#x2F;a&gt;, it’s sad to see that there
is such a large wound on the FOSS compatibility of the rust crate ecosystem. Not
to put any blame anywhere. I am well aware that if this was easy to fix, it
wouldn’t be a problem anymore, and anyone wanting to criticize the ring devs
should spend the effort helping them fix the situation rather than complaining;
they seem eager to solve this. But it is something I think needs more awareness.&lt;&#x2F;p&gt;
&lt;p&gt;Update 2024-06-19: We’ll try to go with EUPL-1.2, as it is compatible with all
BSD licenses. Also, it seems to have many other useful properties. This does
not make the problem disappear however, but it does create a path forward for a
stronger license for rust projects affected that want SaaS loophole
protections.&lt;&#x2F;p&gt;
&lt;hr&gt;&lt;ol class=&quot;footnotes-list&quot;&gt;
&lt;li id=&quot;fn-1&quot;&gt;
&lt;p&gt;This is a problem the ring devs are working on. Let it be a lesson to start your project off using &lt;a href=&quot;https:&#x2F;&#x2F;reuse.software&#x2F;&quot;&gt;REUSE&lt;&#x2F;a&gt; or paying the price down the line &amp;gt;:3 &lt;a href=&quot;#fr-1-1&quot;&gt;↩&lt;&#x2F;a&gt;&lt;&#x2F;p&gt;
&lt;&#x2F;li&gt;
&lt;li id=&quot;fn-3&quot;&gt;
&lt;p&gt;Yes, there are other crates than the aws-sdk, but when investigating this for the project in question, none seem to be tenable solutions. Vet your dependencies! &lt;a href=&quot;#fr-3-1&quot;&gt;↩&lt;&#x2F;a&gt;&lt;&#x2F;p&gt;
&lt;&#x2F;li&gt;
&lt;li id=&quot;fn-2&quot;&gt;
&lt;p&gt;Yes, there are potential ways to mitigate this, but by a quick skim, I haven’t seen any of those implemented in these projects, and implementing them would likely be both architecturally ugly, and horribly inefficient. For… reasons, I’ll not actually elaborate on how you could potentially circumvent licenses like this, because I’m really not a lawyer. &lt;a href=&quot;#fr-2-1&quot;&gt;↩&lt;&#x2F;a&gt;&lt;&#x2F;p&gt;
&lt;&#x2F;li&gt;
&lt;&#x2F;ol&gt;
</content>
        
    </entry>
</feed>
