On Wed, Oct 18, 2017 at 6:37 PM, William Stein <wst...@gmail.com> wrote: > > On Wed, Oct 18, 2017 at 9:23 AM Thierry <sage-googlesu...@lma.metelu.net> > wrote: >> >> Hi, >> >> the dichotomy of the vote is not clear to me. >> >> I am -1 to make openssl a stantard package (hence shipped with the source >> tarball), not only regarding licensing issues but also for security >> reasons: our "package manager" is such that packages can not be updated >> unless Sage itself is updated (because the package version is hardcoded). >> Hence, when a security issue is found and fixed in openssl, the user who >> installed it from Sage won't get it until the user upgrades Sage (while >> every decent distro will provide a hotfix). >> >> However, i am +1 that we should do our best to let the user have an >> openssl-enabled version of Sage (for pip, R, some cryptographic hash,...), >> an acceptable workflow could be: >> >> - check if libssl-dev (or similar) is installed on the OS >> - yes: >> - use it >> - no: >> - strongly complain about it, provide documentation on how to do it >> (possibly provide a doc that depends on the system), >> - propose 3 options: >> - "i will install openssl from the distro, and come back later >> (recommended)" >> - "i want Sage to install openssl optional package, i know that >> there will be security issues" >> - "i do not want openssl support, i know that i will not be able >> to install any R or Python package from the web" >> >> If the last point (compiling Sage without openssl support) requires a lot >> of work, i am OK to remove it (i am not sure if this is the point of the >> vote). >> >> Note that that there is no chicken-and-eggs issue since the way our >> "package manager" works allows to install an optional package without >> having to rely on openssl (no https), we only rely on the computation of >> sha1 which python-hashlib offers even if it is build without openssl >> support. >> >> By the way, Sage is not GPL-3+ but GPL-2+. >> >> <troll> >> >> Mac fans claim that paying a computer 1.5 the price of a random PC with >> similar charateristics if justified by the fact that OSX is soooo >> user-friendly, perhaps didn't they find the openssl one-click installer >> right in the middle of the screen yet. >> >> Proposal: require Apple a grant, corresponding to the huge amount of time >> Sage developpers waste in porting Sage components (not only openssl, just >> have a look at trac, sage-devel and ask timelines) on their broken and >> constantly changing OS. This is not our job to help Apple pretend their >> system is user-friendly, we are losing a lot of energy which could be >> spent in much more interesting parts of Sage (e.g. mathematics). >> >> </troll> >> >> Ciao, >> Thierry > > > For what it is worth, I strongly agree with everything you write above. +1
Also +1 with some quibbles about <troll> section (agree with in principle, but in tone or nuance). But big +1 for the proposed implementation, including the strong and informative warning messages :) >> On Mon, Oct 16, 2017 at 03:08:51AM -0700, Emmanuel Charpentier wrote: >> > [ The first post started too fast... Sorry for the interruption ! ] >> > >> > Following numerous discussions on this list and various Trac tickets*, >> > the >> > issue of maintaining Sage-specific patches to various components of Sage >> > emerged again about the proposed upgrade >> > <https://trac.sagemath.org/ticket/24026> of R to 3.4.2 (discussed here >> > <https://groups.google.com/forum/#!topic/sage-devel/rhMrNK_2c24>). >> > William >> > again raises >> > <https://groups.google.com/d/msg/sage-devel/rhMrNK_2c24/WQ5FPmsiAQAJ> >> > the >> > issue of security. >> > >> > Since Trac#22189 <https://trac.sagemath.org/ticket/22189>, installation >> > of >> > a systemwide opennssl is recommended (may be too strongly >> > <https://trac.sagemath.org/ticket/22620>, in the taste of some >> > respectable >> > Sage developers...). The ongoing relicensing of OpenSSL should lift the >> > last barriers to its inclusion in sage. A discussed here >> > <https://groups.google.com/forum/#!topic/sage-devel/rhMrNK_2c24>,, the >> > probability of a legal problem related to the incusion of this library >> > in >> > Sage seems infinitesimal. >> > >> > It has beeen furthermore suggested >> > <https://groups.google.com/d/msg/sage-devel/rhMrNK_2c24/GYHzsSd6BAAJ> to >> > add to our licensing (an adaptatin of) the following language, used in >> > Gnu >> > Wget License (GPL) : >> > >> > "Additional permission under GNU GPL version 3 section 7 >> > >> > If you modify this program, or any covered work, by linking or combining >> > it >> > with the OpenSSL project's OpenSSL library (or a modified version of >> > that >> > library), containing parts covered by the terms of the OpenSSL or SSLeay >> > licenses, the Free Software Foundation grants you additional permission >> > to >> > convey the resulting work. Corresponding Source for a non-source form of >> > such a combination shall include the source code for the parts of >> > OpenSSL >> > used as well as that of the covered work." >> > >> > >> > The proposed inclusion would entail : >> > >> > - Deprecation of our OpenSSL-avidance patches >> > - Standardization of SSL communications on OpenSSL >> > - At compilation, research of a systemwide OpenSSL >> > - If found : do nothing >> > - In not found : installation of OpenSSL in the Sage tree from a >> > Sage-specific repository (as for most of our standard and optional >> > packages...). >> > - Licensing clarification >> > >> > In short, we have two options : include OpenSSL now (using language >> > clarification), or wait for the complete OpenSSL relicensing. The exact >> > terms of the vote are therefore : >> > >> > |_| Yes, we should fully support OpenSSL now, and clarify the licensing >> > issue. >> > >> > |_| No, we should wait until OpenSSL finishes fixing their license >> > situation formally. >> > >> > The vote will take place as answers to this post, and will be open until >> > Monday October 23, 14h UTC. >> > >> > Sincerely yours, >> > >> > >> > Emmanuel Charpentier >> > >> > * Perusing the results of searching Trac and sage-devel Google group is >> > enlightening... >> > -- >> > Emmanuel Charpentier >> > >> > -- >> > You received this message because you are subscribed to the Google >> > Groups "sage-devel" group. >> > To unsubscribe from this group and stop receiving emails from it, send >> > an email to sage-devel+unsubscr...@googlegroups.com. >> > To post to this group, send email to sage-devel@googlegroups.com. >> > Visit this group at https://groups.google.com/group/sage-devel. >> > For more options, visit https://groups.google.com/d/optout. >> >> -- >> You received this message because you are subscribed to the Google Groups >> "sage-devel" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to sage-devel+unsubscr...@googlegroups.com. >> To post to this group, send email to sage-devel@googlegroups.com. >> Visit this group at https://groups.google.com/group/sage-devel. >> For more options, visit https://groups.google.com/d/optout. > > -- > -- William Stein > > -- > You received this message because you are subscribed to the Google Groups > "sage-devel" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to sage-devel+unsubscr...@googlegroups.com. > To post to this group, send email to sage-devel@googlegroups.com. > Visit this group at https://groups.google.com/group/sage-devel. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "sage-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com. To post to this group, send email to sage-devel@googlegroups.com. Visit this group at https://groups.google.com/group/sage-devel. For more options, visit https://groups.google.com/d/optout.
