On Mon, Oct 16, 2017 at 11:07 AM Jeroen Demeyer <jdeme...@cage.ugent.be> wrote:
> On 2017-10-16 12:08, Emmanuel Charpentier wrote:
> > |_| Yes, we should fully support OpenSSL now, and clarify the
> > licensing issue.
>
> What does "clarifying" the licensing issue even mean? The fact that
> OpenSSL is *in the process of* relicensing does not help us at the
> moment. And you don't need a mailing list vote to change the Sage
> license: you need approval from every author of every GPL package in Sage.

To me, "clarify the license situation" means:

1. At a minimum: make it crystal clear in our LICENSE/README file and binaries download page that we are distributing OpenSSL (or at least something that depends on OpenSSL), and that -- depending on interpretations of the system license exception -- this may violate the GPL. I think making this situation *clear* is absolutely essential, rather than say just "sneaking" openssl into Sage.

2. Also: explain that the risk is minimal, since it is the intention of the OpenSSL authors to relicense, and several of us significant copyright holders (e.g., me) can at least make a clear statement that **WE** are not going to complain or sue anybody for combining Sage with OpenSSL.

Until OpenSSL is properly relicensed there is a small but real risk of some problem arising from this copyright situation. That has to be balanced with the very real risk that shipping a crippled security stack directly results in users of Sage having their computers and personal information compromised.

A legally safer approach would be to never include openssl in sage, but instead make a system-wide install of openssl a hard requirement for building or installing sage. We then still link to openssl. The build fails if libopenssl-dev (or whatever) is not available. A binary install doesn't work (in some cases?) if it isn't available. Maybe this should be a third option for the vote? It seems like what Eric wanted...

William

>
> --
> You received this message because you are subscribed to the Google Groups
> "sage-devel" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to sage-devel+unsubscr...@googlegroups.com.
> To post to this group, send email to sage-devel@googlegroups.com.
> Visit this group at https://groups.google.com/group/sage-devel.
> For more options, visit https://groups.google.com/d/optout.
>

--
-- William Stein