Subject: Re: openssl w/o rc5 & idea, was Re: openssl like in NetBSD
To: None <>
From: Bill Studenmund <>
List: tech-pkg
Date: 09/26/2001 13:50:48
On Thu, 27 Sep 2001 wrote:

> 	I've put a dummy function (which printf and abort) in place of idea/rc5
> 	functions, into libcrypto.  if you link libcrypto_{idea,rc5} earlier
> 	than libcrypto, you can override these dummy function with the real one.
> 	in this way we won't change any ABI of libcrypto.  if some thirdparty
> 	application tries to use idea/rc5 function without libcrypto_{idea,rc5}
> 	they terminates by themselves.
> 	i don't think it is workable for package.

Why not?

> >I'd like to make it so that the default openssl package has no LICENSE
> >clause.
> 	i would say you shouldn't bother.  you will make other packages (that
> 	depend on openssl) harder to get right.  also, i'm not sure if RC5
> 	and IDEA are the only tainted algorithms.  there could be others
> 	(like RC4 - oops, ARCFOUR).

Well, I'd like to use netbsd's pkgsrc to make packages in a commercial
product. Some of the packages I'm interested in use openssl, so I'd like
to have the commercially-usable version. I also want to minimize drift
between my pkgsrc and NetBSD's. When I suggested making an
openssl-commercial, I was told instead to just rip out idea & rc5 instead.

Also, I'm basing my decision to limit things to no-idea and no-rc5 on
comments from the openssl web site. So while I'm not using a review from
an in-house lawyer, I am going with what a lot of other folks are doing.

Take care,