On Sunday, October 15, 2017 at 20:57:43 UTC+2, William wrote:
>
>
> On Sun, Oct 15, 2017 at 11:40 AM Emmanuel Charpentier <
> emanuel.c...@gmail.com> wrote:
>
>> Inspired by an ask.sagemath 
>> <https://ask.sagemath.org/question/38692/use-ttest-from-r-in-sage/>
>>  question, Trac#23980 <https://trac.sagemath.org/ticket/23980> adds a 
>> couple usage hints to the r<tab> help text. This very minor patch is 
>> unproblematic.
>>
>> Trac#24026 <https://trac.sagemath.org/ticket/24026>, on the other hand, 
>> upgrades R to the last current version. As usual, special attention is 
>> needed on our problem children of platforms (namely Mac OS X and Erik's 
>> Cygwin-64 port).
>>
>> All our current patches have been rebased against the current version; 
>> no new patch is needed on Debian. However, I still have doubts about our 
>> decision to lift upstream's requirement of an https-enabled version of 
>> the SSL libraries (meaning OpenSSL, nowadays...). Does the ongoing 
>> OpenSSL's change of license change this situation (and our decision)?
>>
>
> Some history:
>
> - Around 8 or so years ago I included OpenSSL in Sage -- we shipped with 
> it for a few weeks.
> - A student in one of my classes pointed out the license problem, and then I 
> spent an epic and miserable amount of time switching to the GNU 
> alternatives to OpenSSL, which we shipped with Sage.
> - Time passed...
> - The OpenSSL project realized their license sucks this year.
> - I think OpenSSL has still NOT yet relicensed, although they are trying 
> hard to do so.
> - OpenSSL might fail to relicense; e.g., the ZeroMQ project has been 
> trying to switch from LGPL to MPLv2 for year(s) now, and can't seem to do 
> so.  This ZeroMQ license is a major problem for use of Jupyter by certain 
> companies that don't want to use LGPL code internally.
> - OpenSSL might succeed at relicensing, e.g., NetworkX was GPL licensed, 
> and really wanted to be BSD licensed -- they made a post saying something 
> kind of like "we are going to relicense in a week or two; if you're an 
> author and have a problem with this, let us know ASAP." And they 
> relicensed. Done.
> - GPL has a "you can link against GPL-incompatible system libraries" 
> exemption (otherwise GPL software couldn't run on Windows, say), and 
> sometimes I hope this would apply to components of Sage linking against 
> OpenSSL, as long as OpenSSL isn't included in Sage.
>
> My gut feeling on this:
> - We should either require OpenSSL be installed systemwide or just ship 
> OpenSSL with Sage.  Security is way, way too important to expose our users 
> to potentially major security problems just because we're overly worried 
> about license issues.  Moreover, I think there is no way the OpenSSL 
> copyright owners are going to sue us for violating their funny license by 
> including it in a GPLv3+ program, especially after announcing an intention 
> to switch to MPLv2, and getting most OpenSSL devs to sign off on that.    
>
> ** By not just fully supporting and requiring OpenSSL for everything in 
> Sage, we are exposing all Sage users to an increased chance of installing 
> malicious software from repos. Let's not do that. **
>

I fully agree. Other respectable Sage developers don't... Previous efforts 
to raise a consensus on this point have failed. Should a formal vote be 
taken?

I add that I'm not sure that the CRAN network will maintain its http 
repositories when its https-enabled network is complete... And that's but a 
part of a larger movement towards a (somewhat) more secured Web.

--
Emmanuel Charpentier

> In retrospect, I wish I had never removed OpenSSL from Sage.
>
>  -- William
>
>
>
>
>>
>> On Debian testing, both patches pass ptestlong with no failures 
>> whatsoever. R sort-of passes its own test suite (i. e. I get a couple of 
>> expected, announced failures, analogous to what we get with Python's test 
>> suite).
>>
>> --
>> Emmanuel Charpentier
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "sage-devel" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to sage-devel+...@googlegroups.com.
>> To post to this group, send email to sage-...@googlegroups.com.
>> Visit this group at https://groups.google.com/group/sage-devel.
>> For more options, visit https://groups.google.com/d/optout.
>>
> -- 
> -- William Stein
>
