On Fri, Dec 14, 2001 at 04:16:02PM -0700, Eric W. Biederman wrote: > [EMAIL PROTECTED] writes: > > If you look closely at upx, you will see that the licensing is very > > confusing. > > Just skimming they have some interesting exceptions to allow use > with a non-gpl'd programs. The wording on that section is imperfect > as it seems to remove some of the GPL freedoms but that is the only > issue that I see.
Hrmm. I wasn't referring to that - the problem is the binary isn't GNU GPL at all - it is linked to a non-released library (NRV library). In my original email, I said the LZO package, but that was an error. > > The package claims to be using the GNU GPL; however, if one > > actually grabs the source and tries to compile it, it turns out the > > compression algorithms used are not freely distributed (LZO package). > > There are a set of GPL compression algorithms that may be used (UCL), but > > they do not compress nearly as well. > > Interesting. I compiled it a while ago, and I didn't see that. It > may be simply because I didn't mess with anything besides UCL. O.k. I > just looked a little closer and if you information was accurate it > seems quite dated. lzo is not even mentioned in recent upx readmes. > And the copy I have of when it was mentioned provides a url. I just re-grabbed all the tarballs from http://upx.sourceforge.net/. The upx source tarball (version 1.20) at this site contains the file README.SRC which has the following except: ==================================================================== The UPX Hacker's Guide ====================== Foreword -------- The precompiled UPX versions are linked against the NRV compression library instead of the UCL library. Using the same compression algorithms, NRV achieves a better compression ratio. NRV is not publicly available, though, and probably never will be. While you may be disappointed that you don't have access to the latest state-of-the-art compression technology this is actually a safe guard for all of us. The UPX source code release makes it very easy for any evil-minded person to do all sort of bad things. By not providing the very best compression ratio it is much more difficult to create fake or otherwise disguised UPX versions (or similar trojans), as any end user will notice when the compression has gotten worse with a new "version" or "product". Finally please be aware that you now have your hands on the source code of the most sophisticated executable packer ever. Let's join our forces to make it even better :-) Share and enjoy, Markus & Laszlo ==================================================================== Also, as a test, I used the linux upx to compress emacs and got the following results: orig: 3504664 upx binary: 1018420 upx+ucl source: 1096599 gzip (not self-uncompressing): 1082076 If I have missed something, please let me know. > At any rate. My point is, is that there are lighter weight > compression programs than gzip for static executables. And upx is a > good example on that score. In truth it would need to be slightly > modified before it could be used with linuxBIOS, so there are > certainly hurdles before we could adopt it. I agree with your analysis, and because of this, I went looking for upx to play around with myself. In the process I came across the above "mess". Given the above, I believe the authors of UPX have poorly handled their licensing decisions - and as a result, I believe they have done a disservice to the "community". Anyway, just wanted to make sure you were aware, -Kevin -- ------------------------------------------------------------------------ | Kevin O'Connor "BTW, IMHO we need a FAQ for | | [EMAIL PROTECTED] 'IMHO', 'FAQ', 'BTW', etc. !" | ------------------------------------------------------------------------
