Subject: Re: openssl license change
To: None <itojun@iijlab.net>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-security
Date: 09/24/2002 19:53:48
    Date:        Tue, 24 Sep 2002 21:17:07 +0900
    From:        itojun@iijlab.net
    Message-ID:  <20020924121707.3158F4B23@coconut.itojun.org>

  | 	so our current situation is like this:
  | 	- idea/rc5 source code is in the tree, under src/crypto/dist/openssl.
  | 	- they are not compiled by default (so that binary tarballs do not
  | 	  contain these binaries)

That would probably be a good idea here too.  Avoid people who might be
affected from accidentally having this stuff all thrust upon them.

  | 	i'm not totally sure if it is a safe approach - if we want to be
  | 	totally safe, we should remove idea/rc5 from the tree entirely.

If it is just because of patents, there is no need.   Lines of text
can't infringe on a patent (well, unless it relates to the font, or
typography, or something anyway...), only a working implementation,
and to work, it has to be compiled.   That's what patents protect,
the use by one person of someone else's invention.   But the "use"
part of that is crucial (but don't interpret it too narrowly either).

  | 	on the contrary, Sun code is everywhere in openssl tree (including
  | 	bignum code!) as my first message has shown, so we can't do the
  | 	similar thing.

That doesn't matter.   The only bit that counts is the part that implements
their patented algorithm.   Big number code can't possibly be that (though
it may be used by their algorithm).

Recall, what's on those files (however much openbsd people misinterpret it)
isn't "you can use this code if you agree not to sue us".   There's nothing
even remotely like that.

What's there is "this code is governed by the openssl licence" (which I am
assuming has been, and remains, OK for NetBSD).  And, additionally, we
won't sue you if you infringe our patent using this code, if you agree not
to sue us for infringing your patent.

Whether the final "your patent" there would only apply to other patents in
the elliptical curve area, or whether it applies to any other patent of
any kind, or something between those two extremes, I'm not qualified to
say.   It is a 'reciprocal covenant' that is asked, and that implies something
approximately equal, I'd have thought, so the "any patent" case is probably
not going to be the one that would (if it ever came to a battle) be applied.

I'd suspect that the best thing for anyone who might be affected by
that difference to do is enter into an explicit agreement with Sun,
or not use the code at all (that is, ignore the covenant).   For those who
have no patents at all, the covenant they give will be just fine, and
cause no problems at all.

kre