Am 09.01.2014 02:59, schrieb Mikhail T.:
> On 08.01.2014 20:05, Peter Wemm wrote:
>> The path of least resistance is to make a libmd2 port. It's the only way I
>> can see you getting to use it on 10.0.
> *I* don't really care. *I* don't use md2 myself. I became aware of the problem
> by accident -- because one of my ports was affected (tcl-trf). But I can fix
> port, no huhu.
> It just seems to me, FreeBSD as a project goofed by abruptly removing the
> functions, that have been in the base for many years. But if the
> don't care to "ungoof" it -- despite my raising awareness as much (and,
> even above) as permissible by politeness -- then so be it...
There have been license concerns raised about the MD2 algorithm, and
apparently it is FreeBSD policy to not burden our users with
known/surprising license restrictions. It would also appear that this
license policy would overrule compatibility with an old algorithm (MD2).
You have _not_ responded to these license concerns, but _only_ argued
with compatibility, and along the lines of user/maintainer convenience.
The MD2 functionality can be offered through a port, where it is much
easier to handle legal concerns. It may be inconvenient to a
maintainer, and you may be disappointed or frustrated about a lack of a
proper discontinual phase, but I see a port as the _only_ viable option.
Making a port use libmd2, or OpenSSL-from-ports-built-with-MD2 should
(1) satisfy compatibility and (2) base system licensing requirements,
all at the same time.
What is the reason why you don't find it acceptable to offer an option
to build your affected tcl-trf port against a ports OpenSSL?
Is there a technical concern beyond adding proper _DEPENDS lines?
Is there a social concern beyond the maintainer's one-time work?
Do we have a release note entry for MD2 removal? (I haven't checked.)
If not, can we add it before 10.0-RELEASE given there is a -RC5 now?
email@example.com mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"