On 10/27/2017 10:53 AM, Emmanuel Charpentier wrote:
>
> Okay: I'm not still convinced, but I'll follow you on a "primum non
> nocere" basis.
>
> If we follow you, we have to take back any talk of *inclusion* right
> now. The solution is to depend *unconditionally* on a systemwide OpenSSL
> and stop building if not found, possibly hinting at steps to that effect.

That's what I would recommend. Otherwise, anyone distributing the SageMath code or binaries is putting themselves at risk. Or more likely, we're putting them at risk -- because I doubt many mirror operators are following this discussion.

There are two separate issues with bundling:

  a) distributing SageMath binaries linked against a non-system copy of OpenSSL

  b) distributing the source for "SageMath the distribution," which sort-of includes a copy of the OpenSSL code

Linking creates a derivative work (most people agree on this), so the resulting binaries in (a) cannot be distributed: doing so would violate the GPL, because anyone receiving a copy would be subject to the additional restrictions from the OpenSSL license.

The OpenSSL source code is no longer in our git repo; we do however ship an SPKG that automatically downloads and patches the OpenSSL source to integrate it with the rest of SageMath. Whether or not that creates a non-distributable derivative work, I don't know -- but I would err on the side of caution.

And don't forget that end users are free to do whatever they want. If we tell them to download the OpenSSL tarball, patch it, and to put the result somewhere in $SAGE_ROOT before running "make", then neither (a) nor (b) is happening. That's perfectly legal, even though it makes the argument in the previous paragraph look stupid (I went into math and not law for a reason). The only "gotcha" there is that end users would not be able to redistribute the resulting SageMath binaries, for the same reason that we can't.

> *After* OpenSSL relicensing, we can introduce a standard openssl
> package, with no huffing and puffing.

Right, but I'm sceptical that it will happen. If it does, how long are we willing to wait? Requiring a system copy is the best solution, if for no other reason, then because nobody will have to read any more long emails about it.

-- 
You received this message because you are subscribed to the Google Groups "sage-devel" group.