tech-security: Re: OpenSSL import

Subject: Re: OpenSSL import
To: None <tech-security@netbsd.org, netbsd-intl@sandelman.ottawa.on.ca>
From: Michael C. Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 06/29/1999 18:22:51
-----BEGIN PGP SIGNED MESSAGE-----


>>>>> "Jason" == Jason Thorpe <thorpej@nas.nasa.gov> writes:

    Jason> On 29 Jun 1999 15:37:36 -0400 "Perry E. Metzger"
    Jason> <perry@piermont.com> wrote:

    >> > HE ALREADY IMPORTED IT!
    >> 
    >> They are just files. They can be removed.

    Jason> The point is it should not have been imported in the first place
    Jason> while serious license issues were being discussed.

  My proposal was not explicitely in two pieces. It should have been:
	1) I proposed to import some code. I was mostly interested in
	whether the vendor/branch tags were legit.

	2) the second part concerned future work: what would be compiled
	and how. This is an ongoing thing.

  I proposed importing OpenSSL some time ago. In fact, it has been in
my netbsd-intl proposal since the first time it was written.

  I perceived that the the vendor/branch tags question was resolved.

  I do not perceive that the license issue is a closed ended debate. I
think that we can have it for literally months. I do not think that this
is a good use of our time.

  What I propose is that we put together a framework for dealing with the
issue. Not all of the patents are valid in all of the countries that we 
have users in, and some of the patents will expire in the time scale of 
a release or two of NetBSD.

  In particular, many of the things that are patented in the USA are not
outside of the USA, and it is specifically the people outside of the USA
that currently are most desirous of having cryptosrc-intl. 

  As such, we should, by default, build everything that is legal everywhere,
and provide a simple way to build/install the other pieces because:
	1) the pieces are available free of license in some jurisdictions
	2) some pieces are available for non-commercial use everywhere, and
	this suits some people
	3) the patents on a number of things will eventually run out

  If you wish to argue that the inability of a particular piece of code to
be used without license in the USA prevents it from being stored in on a
machine in Finland, then you are arguing that cryptosrc-intl can not be
created in Finland by non-Americans because American law applies to
non-Americans.

  If so, then cryptosrc-intl is *IN OF ITSELF* contrary to the project's goals.

   :!mcr!:            |  Cow#1: Are you worried about getting Mad Cow Disease?
   Michael Richardson |  Cow#2: No. I'm a duck.
 Home: mcr@sandelman.ottawa.on.ca. PGP key available.




-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: latin1
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQDVAwUBN3lG8XMJp3VWzPepAQEw3wX8DDbBJgTMep8ZahHTrQQ46rwCgaPuVoj+
NTmZaGC/JbeMknvpydMFtnehkk41oNgLF+7NVMN2AE2lAQD9UVwuIJV2C1jSN6hs
RM1PkNH6OSETByhmIKL5Po84pXYktZl+eJexZAuOCjHmgFWMjVc0Z78E8u7F1SPH
yKKAPuRaFQLGRsohgrBsgJI7keU0C5IAxdWpFyy9EZ3gR9xjO3Q16JXLJsaZpJT8
ZkDQzLnMm7BXRRV1ubgAJUB/BoJ6QRGi
=YT+d
-----END PGP SIGNATURE-----