On Sun, Oct 15, 2017 at 11:40 AM Emmanuel Charpentier < emanuel.charpent...@gmail.com> wrote:
> Inspired by an ask.sagemath > <https://ask.sagemath.org/question/38692/use-ttest-from-r-in-sage/> > question, Trac#23980 <https://trac.sagemath.org/ticket/23980> adds a > couple usage hints to the r<tab> help text. This very minor patch is > unproblematic. > > Trac#24026 <https://trac.sagemath.org/ticket/24026>, on the other hand, > upgrades R to the last current version. As usual, special attention is > needed on our problem children of platforms (namely Mac OS X and Erik's > Cygwin-64 port). > > All our current patches have been rebased against the current version ; no > new patch is needed on Debian. However, I still have doubts about our > decision to lift upstream's requirement of an https-enabled version of > the SSL libraries (meaning OpenSSL, nowadays...). Does the ongoing > OpenSSL's change of license change this situation (and our decision) ? > Some history: - Around 8 or so years ago I included OpenSSL in Sage -- we shipped with it for a few weeks. - A student in one my classes pointed out the license problem, and then I spent an epic and miserable amount of time switching to the GNU alternatives to OpenSSL, which we shipped with Sage. - Time passed... - The OpenSSL project realized their license sucks this year. - I think OpenSSL has still NOT yet relicensed, although they are trying hard to do so. - OpenSSL might fail to relicense; e.g., the ZeroMQ project has been trying to switch from LGPL to MPLv2 for year(s) now, and can't seem to do so. This ZeroMQ license is a major problem for use of Jupyter by certain companies that don't want to use LGPL code internally. - OpenSSL might succeed at relicensing, e.g., NetworkX was GPL licensed, and really wanted to be BSD licensed -- they made a post saying something kind of like "we are going to relicense in a week or two; if you're an author and have a problem with this, let us know ASAP." And they relicensed. Done. - GPL has a "you can link against GPL-incompatible system libraries" exemption (otherwise GPL software couldn't run on Windows, say), and sometimes I hope this would apply to components of Sage linking against OpenSSL, as long that OpenSSL isn't included in Sage. My gut feeling on this: - We should either require OpenSSL be installed systemwide or just ship OpenSSL with Sage. Security is way, way too important to expose our users to potentially major security problems just because we're overly worried about license issues. Moreover, I think there is no way the OpenSSL copyright owners are going to sue us for violating their funny license by including it in a GPLv3+ program, especially after announcing an intention to switch to MPLv2, and getting most OpenSSL devs to sign off on that. ** By not just fully supporting and requiring OpenSSL for everything in Sage, we are exposing all Sage users to an increased chance of installing malicious software from repos. Let's not do that. ** In retrospect, I wish I had never removed OpenSSL from Sage. -- William > > On Debian testing, both patches pass ptestlong with no failures > whatsoever. R sort-of passes its own test suite (i. e. I get a couple of > expected, announced failures, analogous to what we get with Python's test > suite). > > -- > Emmanuel Charpentier > > -- > You received this message because you are subscribed to the Google Groups > "sage-devel" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to sage-devel+unsubscr...@googlegroups.com. > To post to this group, send email to sage-devel@googlegroups.com. > Visit this group at https://groups.google.com/group/sage-devel. > For more options, visit https://groups.google.com/d/optout. > -- -- William Stein -- You received this message because you are subscribed to the Google Groups "sage-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to sage-devel+unsubscr...@googlegroups.com. To post to this group, send email to sage-devel@googlegroups.com. Visit this group at https://groups.google.com/group/sage-devel. For more options, visit https://groups.google.com/d/optout.
