On Sat, Mar 25, 2017 at 12:51:52AM +0100, Ævar Arnfjörð Bjarmason wrote:
> They're changing their license[1] to Apache 2 which unlike the current
> fuzzy compatibility with the current license[2] is explicitly
> incompatible with GPLv2[3].
> 
> We use OpenSSL for SHA1 by default unless NO_OPENSSL=YesPlease.
> 
> This still hasn't happened, but given the lifetime of git versions
> packaged up by distros knowing sooner than later if this is going to
> be a practical problem would be good.
> 
> If so perhaps we could copy the relevant subset of the code into our
> tree, or libressl's, or improve block-sha1.

I think that most distros don't link against OpenSSL because they can't
take advantage of the system library exception.  I don't think that's
going to change.

If we want to consider performance-related concerns, I think the easier
solution is using Nettle, which is LGPL 2.1.  Considering that the
current opinions for a new hash function are moving in the direction of
SHA-3, which Nettle has, but OpenSSL does not, I think that might be a
better decision overall.  It was certainly the implementation I would
use if I were to implement it.
-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204
