Subject: Re: OpenSSL import
To: Michael C. Richardson <>
From: Thor Lancelot Simon <>
List: tech-security
Date: 06/28/1999 01:54:21
On Mon, Jun 28, 1999 at 12:14:35AM -0400, Michael C. Richardson wrote:
>   Unless I hear otherwise by 5pm Monday, I will do:
> cd openssl-0.9.3a
> cvs -d import -m'OpenSSL 0.9.3a import' \
> 	cryptosrc-intl/crypto-intl/dist/openssl  \
> 	OPENSSL			\
> 	openssl_0_9_3
>   {I seek advice on whether these branch tags are correct}
>   I am also soliciting advice on whether there should be tech-intl or
> tech-crypto list created, or if tech-security is sufficient.
>   There will be at least five libraries built from by reachover's
> from this:
> 	libdes.a
> 	libcrypto.a
> 	libasn1.a		
> 	librsa.a		(not built for "NO_RSA=true")
> 	libidea.a		(not built for "NO_IDEA=true")

Let's leave the RSA issue out of this.

Will you please explain where and how, exactly, it is legal to build and use
an implementation of IDEA without a license to a patent which we do not have,
and which it is not a valid assumption that the majority or even a 
significant minority of our users or developers have?

The impression that enforcement actions have not been widespread is not an
excuse to trample all over another party's intellectual property rights;
neither is an opposition, whether principled or simply held as a matter of
convenience, to the existence of those rights.

It is wildly inappropriate to include an unlicensed implementation of IDEA
in the NetBSD source tree, whether building it can be turned off or not,
and whether or not that build is turned on by default.

We expect others to respect our intellectual property rights -- it is
foolhardy at best and downright idiotic at worse to ignore those of others
because we find them inconvenient.