On Sat, Dec 31, 2016 at 5:55 PM, Emmanuel Charpentier
<emanuel.charpent...@gmail.com> wrote:
> Should we openly depend on OpenSSL? If so, how to express it?
>
> I'd vote for that, and for warning of the penalties involved by the non-use
> of OpenSSL, probably in terms close to those of the Python license.

Just to add to what you say, I support openly depending on OpenSSL,
just as Python depends on OpenSSL.   It really does seem to be the
only solution to the whole problem that is compatible with the GPL,
the OpenSSL license (https://www.openssl.org/docs/faq.html#LEGAL2),
and Python's current dependence on OpenSSL.

It's also worth thinking about who exactly would complain about our
use of OpenSSL.  It's not the OpenSSL devs, and almost nothing in the
Python ecosystem (which is mostly GPL-free).  It's the Sage library
itself, and some of our dependencies.

In case you're curious, OpenSSL was a standard package in Sage for a
month or two, around 2007, I think (I added it).  Then a student in my
class told me that the OpenSSL license is GPL incompatible (due to a
statement in the OpenSSL license about advertising materials), and I
was pretty pissed.  I then spent a lot of time removing OpenSSL from
Sage, then fully integrating GNUTLS, and all (the many) dependencies
into Sage.  For several years, I think, we distributed and built
GNUTLS as a standard package in Sage, and I have many not-fond
memories of dealing with build issues, etc.  I also remember some
users considered GNUTLS very second rate regarding security quality
and audit, and *refused* to use it (for fear of being compromised), so
I still had to maintain the ability to build Sage against OpenSSL.
There were also a lot of issues getting sagenb over https to work with
GNUTLS -- I remember patching some Python library, which only
supported OpenSSL.   Eventually, and I can't really remember why, I
(or somebody else?) removed GNUTLS from Sage, and we ended up with
what we have now.

Throughout all this, I always wondered whether OpenSSL + Sage is
really GPL incompatible.  I believe there is no binary linking between
OpenSSL and any GPL'd component of Sage... except maybe R (?).   There
is some question whether it is a GPL violation to distribute Python +
OpenSSL + a GPL'd Python library.   I am sooooo not a lawyer.

Now I think the best thing to do regarding this problem is what
most other people do, which is depend on an existing installed
OpenSSL.

William


> Your advice, please?
>
> HTH,
>
> --
> Emmanuel Charpentier
>
> --
> You received this message because you are subscribed to the Google Groups
> "sage-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sage-devel+unsubscr...@googlegroups.com.
> To post to this group, send email to sage-devel@googlegroups.com.
> Visit this group at https://groups.google.com/group/sage-devel.
> For more options, visit https://groups.google.com/d/optout.



-- 
William (http://wstein.org)
