-----BEGIN PGP SIGNED MESSAGE-----
Ben Laurie wrote:
>
> As far as I can tell, the problems are invented rather than real. At
> least I can't recall any real problems except "it isn't the licence we
> want it to be".
>
I was not aware that OpenSSL had changed to be compatible with GPL.
And I cannot find the license statement on the web pages.
Specific concerns from email were:
From: [EMAIL PROTECTED] (Tim Hudson)
BTW the SSLeay license was not derived from the Apache license, but
actually from the original BSD licensing terms with some changes added to
prevent problems that had occured with previously released software being
adopted into other licensing schemes and other people claiming authorship
of software they did not write.
I wrote the SSLeay license to go with the first public release
of the SSLeay code so I think that my understanding of the origin of
the license can probably be accepted as accurate :-)
From: Frank Hecker <[EMAIL PROTECTED]>
I think getting rid of the advertising requirement in the OpenSSL
license needs to be done anyway, to eliminate potential problems with
using OpenSSL code in other projects where the GPL is used. However note
that making the change is not as simple as it sounds, because in order
to change the OpenSSL license you'll have to get permission from all the
OpenSSL contributors.
> Gasp! What do you mean? Can you name a platform it doesn't run on?
>
For example, I'm writing this on MacOS. Although there was a single
reference to MacOS buried on the web pages, it doesn't appear to be
ready for prime time.
> Of free software? That's silly.
>
> To clarify: there may be a reason to have other implementations to
> _test_ the "real" one, but there's no point in duplicating the massive
> amount of work that has gone into optimising and porting OpenSSL.
>
I firmly disagree.
For example, the first several implementations of IPSec and Photuris
were "free", made in different countries and under different licenses.
This continues to be very important to this day.
It often takes a considerable length of time for minor problems to
surface -- note the recent discovery of buffer overflow issues in
RSAref 5 years after it had been widely used. Heterogeneity is
of the utmost importance in maintaining a passibly secure
infrastructure during a time of repair.
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1
iQCVAwUBOcd9aNm/qMj6R+sxAQFMAgP9EiYcJwEND13rdKSl02abBepDPE2gngZ8
f1a99+fC+GBzqwXkCYmV++sKiDpeexFbkvwkiQTH62o0a7o7hsBtwn6oe+1qUgBy
5BZJNvL2a7YSWEbJKPo2GqNFXAtnmUSLPWqltl0mFNJZq4Cc3nlB2t9CtJQAmnvA
7WhItsYOqGY=
=jRSl
-----END PGP SIGNATURE-----
