On Wed, Oct 18, 2017 at 9:23 AM Thierry <sage-googlesu...@lma.metelu.net>
wrote:

> Hi,
>
> the dichotomy of the vote is not clear to me.
>
> I am -1 to make openssl a standard package (hence shipped with the source
> tarball), not only regarding licensing issues but also for security
> reasons: our "package manager" is such that packages can not be updated
> unless Sage itself is updated (because the package version is hardcoded).
> Hence, when a security issue is found and fixed in openssl, the user who
> installed it from Sage won't get it until the user upgrades Sage (while
> every decent distro will provide a hotfix).
>
> However, i am +1 that we should do our best to let the user have an
> openssl-enabled version of Sage (for pip, R, some cryptographic hash,...),
> an acceptable workflow could be:
>
> - check if libssl-dev (or similar) is installed on the OS
>   - yes:
>     - use it
>   - no:
>     - strongly complain about it, provide documentation on how to do it
>       (possibly provide a doc that depends on the system),
>     - propose 3 options:
>         - "i will install openssl from the distro, and come back later
>           (recommended)"
>         - "i want Sage to install openssl optional package, i know that
>           there will be security issues"
>         - "i do not want openssl support, i know that i will not be able
>           to install any R or Python package from the web"
>
> If the last point (compiling Sage without openssl support) requires a lot
> of work, i am OK to remove it (i am not sure if this is the point of the
> vote).
>
> Note that there is no chicken-and-egg issue since the way our
> "package manager" works allows installing an optional package without
> having to rely on openssl (no https); we only rely on the computation of
> sha1, which python-hashlib offers even if it is built without openssl
> support.
>
> By the way, Sage is not GPL-3+ but GPL-2+.
>
> <troll>
>
> Mac fans claim that paying a computer 1.5 the price of a random PC with
> similar characteristics is justified by the fact that OSX is soooo
> user-friendly; perhaps they didn't find the openssl one-click installer
> right in the middle of the screen yet.
>
> Proposal: require a grant from Apple, corresponding to the huge amount of
> time Sage developers waste in porting Sage components (not only openssl,
> just have a look at trac, sage-devel and ask timelines) on their broken and
> constantly changing OS. It is not our job to help Apple pretend their
> system is user-friendly; we are losing a lot of energy which could be
> spent on much more interesting parts of Sage (e.g. mathematics).
>
> </troll>
>
> Ciao,
> Thierry


For what it is worth, I strongly agree with everything you write above.  +1

William


>
>
>
>
> On Mon, Oct 16, 2017 at 03:08:51AM -0700, Emmanuel Charpentier wrote:
> > [ The first post started too fast... Sorry for the interruption ! ]
> >
> > Following numerous discussions on this list and various Trac tickets*,
> > the issue of maintaining Sage-specific patches to various components of
> > Sage emerged again about the proposed upgrade
> > <https://trac.sagemath.org/ticket/24026> of R to 3.4.2 (discussed here
> > <https://groups.google.com/forum/#!topic/sage-devel/rhMrNK_2c24>).
> > William again raises
> > <https://groups.google.com/d/msg/sage-devel/rhMrNK_2c24/WQ5FPmsiAQAJ>
> > the issue of security.
> >
> > Since Trac#22189 <https://trac.sagemath.org/ticket/22189>, installation
> > of a systemwide openssl is recommended (maybe too strongly
> > <https://trac.sagemath.org/ticket/22620>, in the taste of some
> > respectable Sage developers...). The ongoing relicensing of OpenSSL
> > should lift the last barriers to its inclusion in Sage. As discussed here
> > <https://groups.google.com/forum/#!topic/sage-devel/rhMrNK_2c24>, the
> > probability of a legal problem related to the inclusion of this library
> > in Sage seems infinitesimal.
> >
> > It has furthermore been suggested
> > <https://groups.google.com/d/msg/sage-devel/rhMrNK_2c24/GYHzsSd6BAAJ> to
> > add to our licensing (an adaptation of) the following language, used in
> > the GNU Wget License (GPL):
> >
> > "Additional permission under GNU GPL version 3 section 7
> >
> > If you modify this program, or any covered work, by linking or combining
> > it with the OpenSSL project's OpenSSL library (or a modified version of
> > that library), containing parts covered by the terms of the OpenSSL or
> > SSLeay licenses, the Free Software Foundation grants you additional
> > permission to convey the resulting work. Corresponding Source for a
> > non-source form of such a combination shall include the source code for
> > the parts of OpenSSL used as well as that of the covered work."
> >
> > The proposed inclusion would entail:
> >
> >    - Deprecation of our OpenSSL-avoidance patches
> >    - Standardization of SSL communications on OpenSSL
> >    - At compilation, search for a systemwide OpenSSL
> >       - If found: do nothing
> >       - If not found: installation of OpenSSL in the Sage tree from a
> >       Sage-specific repository (as for most of our standard and optional
> >       packages...).
> >    - Licensing clarification
> >
> > In short, we have two options: include OpenSSL now (using language
> > clarification), or wait for the complete OpenSSL relicensing. The exact
> > terms of the vote are therefore:
> >
> > |_| Yes, we should fully support OpenSSL now, and clarify the licensing
> > issue.
> >
> > |_| No, we should wait until OpenSSL finishes fixing their license
> > situation formally.
> >
> > The vote will take place as answers to this post, and will be open until
> > Monday October 23, 14h UTC.
> >
> > Sincerely yours,
> >
> > Emmanuel Charpentier
> >
> > * Perusing the results of searching Trac and the sage-devel Google group
> > is enlightening...
> > --
> > Emmanuel Charpentier
> >
> > --
> > You received this message because you are subscribed to the Google
> > Groups "sage-devel" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> > an email to sage-devel+unsubscr...@googlegroups.com.
> > To post to this group, send email to sage-devel@googlegroups.com.
> > Visit this group at https://groups.google.com/group/sage-devel.
> > For more options, visit https://groups.google.com/d/optout.
>
>
-- 
-- William Stein
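One way to script the check-then-choose workflow Thierry proposes, as an added example rather than anything from Sage's own build system: a POSIX sh probe that looks for a system OpenSSL development install (via pkg-config, falling back to a compile/link test) and maps the result plus the user's answer onto his three options, including the security caveat of a Sage-installed copy. The file name `openssl_probe.sh` and the option keywords are assumptions.

```shell
#!/bin/sh
# Added example, not Sage's build code: configure-time probe for a system
# OpenSSL, following the workflow proposed in the thread. Only standard
# tools (pkg-config, cc, mktemp) are used; nothing else is assumed.

# Return 0 if system OpenSSL headers and libraries are usable, else 1.
detect_system_openssl() {
    # libssl-dev (Debian) / openssl-devel (Fedora) ship an openssl.pc file.
    if command -v pkg-config >/dev/null 2>&1 &&
       pkg-config --exists openssl 2>/dev/null; then
        echo "system OpenSSL $(pkg-config --modversion openssl) via pkg-config"
        return 0
    fi
    # Fallback: compile and link a minimal program against libssl/libcrypto.
    command -v cc >/dev/null 2>&1 || return 1
    tmp=$(mktemp -d) || return 1
    printf '#include <openssl/ssl.h>\nint main(void){return 0;}\n' >"$tmp/t.c"
    if cc "$tmp/t.c" -o "$tmp/t" -lssl -lcrypto >/dev/null 2>&1; then
        rm -rf "$tmp"; echo "system OpenSSL found by compile/link test"; return 0
    fi
    rm -rf "$tmp"
    return 1
}

# Map the detection result and the user's answer onto the three options.
# $1: 0 if a system OpenSSL was found, $2: user choice (distro|sage|none).
# Prints the selected policy; returns 2 on an unknown choice.
openssl_policy() {
    if [ "$1" -eq 0 ]; then echo system; return 0; fi
    case "$2" in
        distro) echo "abort: install the distro OpenSSL dev package, then rerun" ;;
        sage)   echo "sage-openssl: optional package; security fixes arrive only with Sage upgrades" ;;
        none)   echo "no-ssl: pip and R cannot fetch packages over https" ;;
        *)      echo "unknown choice '$2'" >&2; return 2 ;;
    esac
}

# Stand-alone usage: probe, then apply the choice given on the command line
# (defaults to the recommended 'distro' option).
if [ "${0##*/}" = "openssl_probe.sh" ]; then
    if detect_system_openssl; then found=0; else
        echo "WARNING: no system OpenSSL development files found" >&2
        found=1
    fi
    openssl_policy "$found" "${1:-distro}"
fi
```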
