Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-10-29 Thread Ben Laurie

"William H. Geiger III" wrote:
> >What they _should_ do is use OpenSSL and work on that, instead of
> >reinventing the wheel.
> 
> IIRC the OpenSSL project was not accepting code from US sources. Has this policy 
>changed?

Hmmm. Weeding out cruft from my mailbox and I found this. Looks like I
didn't answer. Yes, this policy has changed - OpenSSL now accepts US
contributions so long as they have obeyed the export laws.

BTW, I still think the best way to obey them is to subscribe the BXA to
every CVS mailing list in the world :-)

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit."

Robert Woodruff




Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-09-19 Thread William Allen Simpson

-BEGIN PGP SIGNED MESSAGE-

Now, I didn't start this thread to argue about licenses.  I just wanted 
folks to review code, should they be so inclined.  So, this is my last 
comment.  Sorry that someone took umbrage.

Ben Laurie wrote:
> 
> William Allen Simpson wrote:
> > I was not aware that OpenSSL had changed to be compatible with GPL.
> > And I cannot find the license statement on the web pages.
> 
> The licence has not changed.
> 
I've found the license in the source.

It's not compatible with GPL -- indeed, it is antithetical to GPL, 
specifically mentioning GPL by name!


> I don't see any concerns here, just a history lesson.
> 
Hmmm, since I know you read the thread at the time, I can only 
conclude that you are being disingenuous.  

It not only has the old BSD 4 clause license, it has additional 
clauses


> And this, as far as I can work out, is really just saying "it isn't the
> licence we want". There is no requirement in GPL for the OpenSSL licence
> (or any other) to not have an advertising requirement, again, as far as
> I can work out - where does it say that?
> 
IANAL, but my memory of the argument (without bothering to look it up) 
is that GPL doesn't allow additional requirements to be imposed, and 
monolithic works apply GPL to the entire work.  Your license is 
incompatible (and deliberately so).  It makes your code useless to the 
rest of the project.

So, it isn't the license they want!


> The current beta has MacOS support.
> 
Hmmm, have you personally verified this statement?  AFAIK, by the 
documentation, it won't even run the test apps.  It's a start, but it's 
not ready.





Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-09-19 Thread Rich Salz

> the OpenSSL project was not accepting code from US sources. Has this policy changed?

Yes. The various members of the openssl-core team either
agree that the current regulations remove their concern; or
feel that even though there are issues it's not worth dealing with now

US contributions can be submitted.  They just have to be good enough to
be accepted. :)

Multiple interoperable implementations are usually a good thing.  But
when the talent pool is so small, and the (perceived? :) importance of
the product is so great, I agree that the open source community is best
served by rallying around a single implementation.  Simpson's original
note, asking for reviewers of the NSS code, can be seen as a proof point
of this.  There are plenty of closed-source SSL/TLS/etc implementations
for interop testing.

Flogging one of my own personal horses, the integration of CDSA and
OpenSSL (being started by Intel) will be a very good thing.
/r$




Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-09-19 Thread William H. Geiger III

In <[EMAIL PROTECTED]>, on 09/18/00 
   at 02:09 PM, Ben Laurie <[EMAIL PROTECTED]> said:

>William Allen Simpson wrote:
>> 
>> Fallout from the early RSA release into public domain, the references
>> to BSAFE have been replaced, and a bunch of stuff are GPL.  Is there
>> a team of folks doing independent code review?
>> 
>> Since this is likely to show up on a lot of systems, and any bugs
>> will plague us for a long time, this seems to me to be a time for
>> serious cooperation.

>What they _should_ do is use OpenSSL and work on that, instead of
>reinventing the wheel.

IIRC the OpenSSL project was not accepting code from US sources. Has this policy 
changed?

-- 
---
William H. Geiger III  http://www.openpgp.net  
Geiger Consulting

Data Security & Cryptology Consulting
Programming, Networking, Analysis
 
PGP for OS/2:   http://www.openpgp.net/pgp.html
E-Secure:   http://www.openpgp.net/esecure.html
---





Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-09-19 Thread Ben Laurie

William Allen Simpson wrote:
> 
> -BEGIN PGP SIGNED MESSAGE-
> 
> Ben Laurie wrote:
> >
> > As far as I can tell, the problems are invented rather than real. At
> > least I can't recall any real problems except "it isn't the licence we
> > want it to be".
> >
> I was not aware that OpenSSL had changed to be compatible with GPL.
> And I cannot find the license statement on the web pages.

The licence has not changed.

> Specific concerns from email were:
> 
> From: [EMAIL PROTECTED] (Tim Hudson)
> 
> BTW the SSLeay license was not derived from the Apache license, but
> actually from the original BSD licensing terms with some changes added to
> prevent problems that had occurred with previously released software being
> adopted into other licensing schemes and other people claiming authorship
> of software they did not write.
> 
> I wrote the SSLeay license to go with the first public release
> of the SSLeay code so I think that my understanding of the origin of
> the license can probably be accepted as accurate :-)

I don't see any concerns here, just a history lesson.

> From: Frank Hecker <[EMAIL PROTECTED]>
> 
> I think getting rid of the advertising requirement in the OpenSSL
> license needs to be done anyway, to eliminate potential problems with
> using OpenSSL code in other projects where the GPL is used. However note
> that making the change is not as simple as it sounds, because in order
> to change the OpenSSL license you'll have to get permission from all the
> OpenSSL contributors.

And this, as far as I can work out, is really just saying "it isn't the
licence we want". There is no requirement in GPL for the OpenSSL licence
(or any other) to not have an advertising requirement, again, as far as
I can work out - where does it say that?

> > Gasp! What do you mean? Can you name a platform it doesn't run on?
> >
> For example, I'm writing this on MacOS.  Although there was a single
> reference to MacOS buried on the web pages, it doesn't appear to be
> ready for prime time.

The current beta has MacOS support.

> > Of free software? That's silly.
> >
> > To clarify: there may be a reason to have other implementations to
> > _test_ the "real" one, but there's no point in duplicating the massive
> > amount of work that has gone into optimising and porting OpenSSL.
> >
> I firmly disagree.
> 
> For example, the first several implementations of IPSec and Photuris
> were "free", made in different countries and under different licenses.
> This continues to be very important to this day.
> 
> It often takes a considerable length of time for minor problems to
> surface -- note the recent discovery of buffer overflow issues in
> RSAref 5 years after it had been widely used.  Heterogeneity is
> of the utmost importance in maintaining a passably secure
> infrastructure during a time of repair.

Here you may have a point, though given complete lack of compatibility
at the API level, I'm not sure how this point can apply to OpenSSL and
NSS.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/




Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-09-19 Thread William Allen Simpson

-BEGIN PGP SIGNED MESSAGE-

Ben Laurie wrote:
> 
> As far as I can tell, the problems are invented rather than real. At
> least I can't recall any real problems except "it isn't the licence we
> want it to be".
> 
I was not aware that OpenSSL had changed to be compatible with GPL.  
And I cannot find the license statement on the web pages.

Specific concerns from email were:

From: [EMAIL PROTECTED] (Tim Hudson)

BTW the SSLeay license was not derived from the Apache license, but
actually from the original BSD licensing terms with some changes added to
prevent problems that had occurred with previously released software being
adopted into other licensing schemes and other people claiming authorship
of software they did not write. 

I wrote the SSLeay license to go with the first public release 
of the SSLeay code so I think that my understanding of the origin of
the license can probably be accepted as accurate :-)

From: Frank Hecker <[EMAIL PROTECTED]>

I think getting rid of the advertising requirement in the OpenSSL
license needs to be done anyway, to eliminate potential problems with
using OpenSSL code in other projects where the GPL is used. However note
that making the change is not as simple as it sounds, because in order
to change the OpenSSL license you'll have to get permission from all the
OpenSSL contributors.


> Gasp! What do you mean? Can you name a platform it doesn't run on?
> 
For example, I'm writing this on MacOS.  Although there was a single 
reference to MacOS buried on the web pages, it doesn't appear to be 
ready for prime time.


> Of free software? That's silly.
> 
> To clarify: there may be a reason to have other implementations to
> _test_ the "real" one, but there's no point in duplicating the massive
> amount of work that has gone into optimising and porting OpenSSL.
> 
I firmly disagree.

For example, the first several implementations of IPSec and Photuris 
were "free", made in different countries and under different licenses.
This continues to be very important to this day.

It often takes a considerable length of time for minor problems to 
surface -- note the recent discovery of buffer overflow issues in 
RSAref 5 years after it had been widely used.  Heterogeneity is 
of the utmost importance in maintaining a passably secure 
infrastructure during a time of repair.






Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-09-19 Thread Jeffrey Altman

Would you elaborate on the problems with the OpenSSL license?

> I remember you expressing such sentiments on the mozilla security list some
> months ago.  But, there are problems with the OpenSSL license.  And not
> enough cross-platform support.  And, I'm a big believer in multiple
> independent implementations.
> 
> Ben Laurie wrote:
> 
> > What they _should_ do is use OpenSSL and work on that, instead of
> > reinventing the wheel.


  Jeffrey Altman * Sr.Software Designer
 The Kermit Project * Columbia University
   612 West 115th St * New York, NY * 10025 * USA
 http://www.kermit-project.org/ * [EMAIL PROTECTED]






Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-09-19 Thread Ben Laurie

William Allen Simpson wrote:
> 
> -BEGIN PGP SIGNED MESSAGE-
> 
> I remember you expressing such sentiments on the mozilla security list some
> months ago.  But, there are problems with the OpenSSL license.

As far as I can tell, the problems are invented rather than real. At
least I can't recall any real problems except "it isn't the licence we
want it to be".

>  And not
> enough cross-platform support.

Gasp! What do you mean? Can you name a platform it doesn't run on?

>  And, I'm a big believer in multiple
> independent implementations.

Of free software? That's silly.

To clarify: there may be a reason to have other implementations to
_test_ the "real" one, but there's no point in duplicating the massive
amount of work that has gone into optimising and porting OpenSSL.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/




Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-09-19 Thread Enzo Michelangeli

According to a previous post, previous versions of NSS (using BSAFE as
engine) have been around for a few years on server products: it's not a
brand new development.

Anyway, a good feature in NSS still missing in OpenSSL is the PKCS#11
support for hardware tokens.

Enzo

- Original Message -
From: "Ben Laurie" <[EMAIL PROTECTED]>
To: "William Allen Simpson" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, September 19, 2000 4:09
Subject: Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]


> William Allen Simpson wrote:
> >
> > Fallout from the early RSA release into public domain, the references
> > to BSAFE have been replaced, and a bunch of stuff are GPL.  Is there
> > a team of folks doing independent code review?
> >
> > Since this is likely to show up on a lot of systems, and any bugs
> > will plague us for a long time, this seems to me to be a time for
> > serious cooperation.
>
> What they _should_ do is use OpenSSL and work on that, instead of
> reinventing the wheel.
>
> Cheers,
>
> Ben.
>
> --
> http://www.apache-ssl.org/ben.html
>
> Coming to ApacheCon Europe 2000? http://apachecon.com/





Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-09-19 Thread William Allen Simpson

-BEGIN PGP SIGNED MESSAGE-

I remember you expressing such sentiments on the mozilla security list some
months ago.  But, there are problems with the OpenSSL license.  And not
enough cross-platform support.  And, I'm a big believer in multiple
independent implementations.

Ben Laurie wrote:

> What they _should_ do is use OpenSSL and work on that, instead of
> reinventing the wheel.
>







Re: [Fwd: [ANNOUNCE] NSS 3.1 Beta 1 Release]

2000-09-18 Thread Ben Laurie

William Allen Simpson wrote:
> 
> Fallout from the early RSA release into public domain, the references
> to BSAFE have been replaced, and a bunch of stuff are GPL.  Is there
> a team of folks doing independent code review?
> 
> Since this is likely to show up on a lot of systems, and any bugs
> will plague us for a long time, this seems to me to be a time for
> serious cooperation.

What they _should_ do is use OpenSSL and work on that, instead of
reinventing the wheel.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

Coming to ApacheCon Europe 2000? http://apachecon.com/