Dear Thierry,

On Wednesday, 18 October 2017 at 18:23:53 UTC+2, Thierry (sage-googlesucks@xxx) 
wrote:
>
> Hi, 
>
> the dichotomy of the vote is not clear to me. 
>
> I am -1 to make openssl a standard package (hence shipped with the source 
> tarball), not only regarding licensing issues but also for security 
> reasons: our "package manager" is such that packages can not be updated 
> unless Sage itself is updated (because the package version is hardcoded). 
> Hence, when a security issue is found and fixed in openssl, the user who 
> installed it from Sage won't get it until the user upgrades Sage (while 
> every decent distro will provide a hotfix). 
>

That's a good and important point that I (among others) had overlooked. It 
could even preclude any "licensing issues" argument...

To be discussed post-vote, with other "implementation" issues ?
 

> However, i am +1 that we should do our best to let the user have an 
> openssl-enabled version of Sage (for pip, R, some cryptographic hash,...), 
> an acceptable workflow could be: 
>
> - check if libssl-dev (or similar) is installed on the OS 
>   - yes: 
>     - use it 
>   - no: 
>     - strongly complain about it, provide documentation on how to do it 
>       (possibly provide a doc that depends on the system), 
>     - propose 3 options: 
>         - "i will install openssl from the distro, and come back later 
>           (recommended)" 
>

This one is acceptable, and does not raise any pseudo-legalistic question.
 

>         - "i want Sage to install openssl optional package, i know that 
>           there will be security issues" 
>

We should first upgrade our optional package to post-1.1.0 : the build 
system has changed *incompatibly !*

Furthermore, your (important) remark about our inability to "rush" 
security-related upgrades also applies here...
 

>         - "i do not want openssl support, i know that i will not be able 
>           to install any R or Python package from the web" 
>

Yikes ! Aaaarghhh ! And all that sort of things...

This option commits us to maintain (unnecessary and dangerous, IMHO) 
Sage-specific SSL patches at least in R, Python and pip, and this until the 
Last Judgement. Or OpenSSL relicensing (whichever comes first).

Do we have such an excess of workforce that we can allow to waste on this ?

Do we want to accept the responsibility of shipping a (voluntarily) 
crippled tool ? 

> If the last point (compiling Sage without openssl support) requires a lot 
> of work, i am OK to remove it (i am not sure if this is the point of the 
> vote). 
>

I'd remove it in a cinch... 

> Note that there is no chicken-and-eggs issue since the way our 
> "package manager" works allows to install an optional package without 
> having to rely on openssl (no https), we only rely on the computation of 
> sha1 which python-hashlib offers even if it is built without openssl 
> support. 
>

Indeed, but that's a point we should fix. But that needs to be sure to have 
an https-enabled download tool ;-)...

> By the way, Sage is not GPL-3+ but GPL-2+. 
>
> <troll> 
>
> Mac fans claim that paying a computer 1.5 the price of a random PC with 
> similar characteristics is justified by the fact that OSX is soooo 
> user-friendly, perhaps didn't they find the openssl one-click installer 
> right in the middle of the screen yet. 
>
> Proposal: require Apple a grant, corresponding to the huge amount of time 
> Sage developers waste in porting Sage components (not only openssl, just 
> have a look at trac, sage-devel and ask timelines) on their broken and 
> constantly changing OS.


Seconded ! Now, *that's* a get-rich-fast scheme... 
 

> This is not our job to help Apple pretend their 
> system is user-friendly, we are losing a lot of energy which could be 
> spent in much more interesting parts of Sage (e.g. mathematics). 
>
> </troll> 
>
> Ciao, 
>
> Thierry 
>

--
Emmanuel Charpentier
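
The bootstrap discussed in the thread (install an optional package without HTTPS, relying only on a SHA-1 that hashlib can compute even without OpenSSL) is sketched below as an added example; it is not Sage's code, and the function names and sample data are constructed for illustration. It assumes the pinned digest ships inside the already-trusted source tree, not alongside the download.

```python
# Added illustration; not Sage's code. Names and sample data are constructed.
import hashlib
import hmac
import os
import tempfile


def tls_available():
    """Return the linked OpenSSL version, or None if Python was built without ssl."""
    try:
        import ssl
    except ImportError:
        return None
    return ssl.OPENSSL_VERSION


def sha1_of(path, chunk_size=65536):
    """Stream a file through SHA-1; hashlib always provides sha1, with or without OpenSSL."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def accept_download(path, pinned_sha1):
    """Accept a tarball fetched over plain HTTP only if it matches the pinned digest.

    Assumption: pinned_sha1 was read from the trusted source tree, never from
    the server that delivered the tarball.
    """
    return hmac.compare_digest(sha1_of(path), pinned_sha1.strip().lower())


def demo():
    """Constructed sample: a genuine 'tarball' and a copy modified in transit."""
    good = b"constructed package contents\n"
    pinned = hashlib.sha1(good).hexdigest()
    results = []
    for payload in (good, good + b"injected"):
        with tempfile.NamedTemporaryFile(delete=False) as fh:
            fh.write(payload)
        try:
            results.append(accept_download(fh.name, pinned))
        finally:
            os.unlink(fh.name)
    return results


if __name__ == "__main__":
    print("OpenSSL linked into Python:", tls_available())
    print("genuine accepted, tampered accepted:", demo())
```
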
 
