Subject: Re: quickly find what applications are affected by RSA
To: None <tls@rek.tjls.com>
From: None <itojun@iijlab.net>
List: current-users
Date: 09/08/2000 16:14:15
	Thanks for the description.  It is really helpful.

>> 	NetBSD has been shipping the openssl pkgsrc, which includes RSA.  Why
>> 	is the NetBSD pkgsrc not considered a contributory patent infringement
>> 	and the OpenBSD (RSA-only) binary package is?
>
>As I said above, I'm not a lawyer and I'm certainly not a judge.  I didn't
>have anything to do with importing OpenSSL into NetBSD's pkgsrc so I can't
>say anything about the reasoning of the people who did so.  However, it is
>quite noteworthy that NetBSD's pkgsrc is not a distribution of usable 
>software; it is a system for automatically patching other people's software
>to work on NetBSD.  We do *not* build nor do we supply binary packages of
>OpenSSL; the OpenSSL in our source tree had every vestige of RSA removed
>after I raised the exact issue described above.  The fact that someone's
>made OpenSSL work on NetBSD, and that we recorded what he did and ship
>that set of instructions, is *very* different from my point of view than
>shipping a "modular cryptosystem" where the only module is RSA and you
>make no effort to keep people in the U.S. from using it -- in fact, you
>basically encourage them to do so, with a big wink and nudge.

	(mainly about the last four lines)
	To clarify: I've attached a portion of OpenBSD 2.7 afterboot(8).
	It looks clear about who is okay to use the binary package,
	and who is not.  It is still the user's choice whether or not to
	install RSAREF code (for non-commercial use in the US), non-RSAREF
	code (for outside of the US), or leave it alone (for other cases).
http://www.openbsd.org/cgi-bin/man.cgi?query=afterboot&apropos=0&sektion=0&manpath=OpenBSD+2.7&arch=alpha&format=html

	The install floppy introduces you to the three options, with descriptions,
	and lets you pick one of the three routes.
http://www.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sh?r1=1.73&r2=1.74

	I still don't know if it constitutes a contributory patent infringement,
	or not.  I don't know if the above listed URLs are considered a "big
	wink" or "fair amount of warning".

>We don't maintain the software that's in pkgsrc, we don't hold copyright, 
>and we don't even distribute the source code -- the user has to fetch it
>and build it himself.  There's stuff "in pkgsrc"  with all kinds of
>intellectual property restrictions on it that make it inappropriate for
>inclusion in NetBSD proper, but you've got to remember that when we say 
>"in pkgsrc" what we really mean is "pkgsrc has some patches that will
>make it easier for you to build and install this", not "pkgsrc has the
>source code to this in it, we maintain and distribute it, let us know
>if you have any trouble".
>
>That's a pretty substantial distinction from my point of view.  Where
>it falls with regard to the law is a judgement call that I'm not
>comfortable making -- and no, I didn't ever ask a lawyer about it,
>because this is the first time it's really been brought to my 
>attention -- and considering that RSA prematurely stopped the clock
>ticking on their patent, I guess it doesn't matter any more.

	I see, I think I got your point and the distinction you made.

itojun@not a lawyer


--- openbsd afterboot(8)
   Inside the USA, non-commercial use of RSAREF is permitted
     (snip)

   Inside the USA, non-commercial use of RSAREF is permitted
     Non-commercial entities in the USA may install the sslUSA27.tgz package,
     which uses RSAREF.  You install this with a pkg_add(8) command similar
     to:

     pkg_add ftp://ftp.openbsd.org/pub/OpenBSD/2.7/packages/<a>/sslUSA27.tgz

     replacing ``<a>'' with your machine architecture, e.g., ``i386'' for
     Intel-based machines.

   Commercial entities in the USA are left in the cold.
     While unfortunate, this is due to the way RSA Inc. licences their patent
     in the USA. (This is how the USA crypto export policy feels to the rest
     of the world).