William Allen Simpson wrote:
>
> Ben Laurie wrote:
> >
> > As far as I can tell, the problems are invented rather than real. At
> > least I can't recall any real problems except "it isn't the licence we
> > want it to be".
> >
> I was not aware that OpenSSL had changed to be compatible with GPL.
> And I cannot find the license statement on the web pages.

The licence has not changed.

> Specific concerns from email were:
>
> From: [EMAIL PROTECTED] (Tim Hudson)
>
> BTW the SSLeay license was not derived from the Apache license, but
> actually from the original BSD licensing terms with some changes added to
> prevent problems that had occurred with previously released software being
> adopted into other licensing schemes and other people claiming authorship
> of software they did not write.
>
> I wrote the SSLeay license to go with the first public release
> of the SSLeay code so I think that my understanding of the origin of
> the license can probably be accepted as accurate :-)

I don't see any concerns here, just a history lesson.

> From: Frank Hecker <[EMAIL PROTECTED]>
>
> I think getting rid of the advertising requirement in the OpenSSL
> license needs to be done anyway, to eliminate potential problems with
> using OpenSSL code in other projects where the GPL is used. However note
> that making the change is not as simple as it sounds, because in order
> to change the OpenSSL license you'll have to get permission from all the
> OpenSSL contributors.

And this, as far as I can work out, is really just saying "it isn't the
licence we want". There is no requirement in GPL for the OpenSSL licence
(or any other) to not have an advertising requirement, again, as far as
I can work out - where does it say that?

> > Gasp! What do you mean? Can you name a platform it doesn't run on?
> >
> For example, I'm writing this on MacOS. Although there was a single
> reference to MacOS buried on the web pages, it doesn't appear to be
> ready for prime time.

The current beta has MacOS support.

> > Of free software? That's silly.
> >
> > To clarify: there may be a reason to have other implementations to
> > _test_ the "real" one, but there's no point in duplicating the massive
> > amount of work that has gone into optimising and porting OpenSSL.
> >
> I firmly disagree.
>
> For example, the first several implementations of IPSec and Photuris
> were "free", made in different countries and under different licenses.
> This continues to be very important to this day.
>
> It often takes a considerable length of time for minor problems to
> surface -- note the recent discovery of buffer overflow issues in
> RSAref 5 years after it had been widely used. Heterogeneity is
> of the utmost importance in maintaining a passably secure
> infrastructure during a time of repair.

Here you may have a point, though given complete lack of compatibility
at the API level, I'm not sure how this point can apply to OpenSSL and
NSS.

Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
Coming to ApacheCon Europe 2000? http://apachecon.com/