Subject: Re: openssl w/o rc5 & idea, was Re: openssl like in NetBSD
To: None <itojun@iijlab.net>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-pkg
Date: 09/26/2001 13:50:48

On Thu, 27 Sep 2001 itojun@iijlab.net wrote:
> I've put a dummy function (which printf and abort) in place of idea/rc5
> functions, into libcrypto. if you link libcrypto_{idea,rc5} earlier
> than libcrypto, you can override these dummy functions with the real ones.
> in this way we won't change any ABI of libcrypto. if some third-party
> application tries to use idea/rc5 functions without libcrypto_{idea,rc5}
> they terminate by themselves.
>
> i don't think it is workable for package.

Why not?

> >I'd like to make it so that the default openssl package has no LICENSE
> >clause.
>
> i would say you shouldn't bother. you will make other packages (that
> depend on openssl) harder to get right. also, i'm not sure if RC5
> and IDEA are the only tainted algorithms. there could be others
> (like RC4 - oops, ARCFOUR).

Well, I'd like to use NetBSD's pkgsrc to make packages in a commercial
product. Some of the packages I'm interested in use openssl, so I'd like
to have the commercially-usable version. I also want to minimize drift
between my pkgsrc and NetBSD's. When I suggested making an
openssl-commercial, I was told to just rip out idea & rc5 instead.

Also, I'm basing my decision to limit things to no-idea and no-rc5 on
comments from the openssl web site. So while I'm not using a review from
an in-house lawyer, I am going with what a lot of other folks are doing.
:-)

Take care,

Bill