On Mon, Jun 16, 2014 at 10:53 AM, <edgar.sol...@web.de> wrote:
>> On the contrary I'd prefer if it doesn't. Nettle is an open project
>> under LGPL that anyone can contribute and can be reused by a variety
>> of software; polarssl is closed commercial project under a commercial
>> license with a GPLv2 exception.
> according to
> https://polarssl.org/how-to-get
> you can use the polarssl library properly under copyleft GPL2. if they offer
> additional licenses does not matter.

That's what I already mentioned. The difference with open-source software is the missing "how to contribute page" (I consider the presence of a developer community a vital part of being open source). Otherwise, tomorrow you could be left with a GPLv2 codebase that is outdated and unmaintained if the X company desires that the GPLv2 codebase they release is no longer a good marketing approach. Another risk is to wait for years (or eternity) to get features that paying customers get (see matrixssl).

On Mon, Jun 16, 2014 at 10:51 AM, Steven Barth <cy...@openwrt.org> wrote:
>> On the contrary I'd prefer if it doesn't. Nettle is an open project
>> under LGPL that anyone can contribute and can be reused by a variety
>> of software; polarssl is closed commercial project under a commercial
>> license with a GPLv2 exception.
> Oh well, I sometimes have the feeling if it's open-source + backed by a company
> there is more interest in avoiding another case of heartbleed

You could be right, but I'd expect a different set of bugs to be present rather than no bugs. Being commercial doesn't imply there are no bugs. My experience shows the contrary (and both openssl and gnutls are far from being non-commercial as they are backed by several companies that either contribute code or hire their developers).

The advantage small implementations have initially over gnutls and openssl is the fact that they are smaller and support far fewer features, thus they are easy to check and have a smaller attack vector. Their disadvantage is that they need to get on par with the features of the other libraries (see for example how supporting cryptodev and modern algorithms improves performance in a small system [0], thus using a mainstream implementation pays off). In any case my opinion is biased as I am working on gnutls.

regards,
Nikos

[0].
http://nmav.gnutls.org/2012/04/in-some-embedded-systems-space-may.html