Yuck. I think the appropriate thing to do is take down all binary versions which include OpenSSL. We can still distribute it with source, right? This is very sad.
On Sun, 27 May 2007, William Stein wrote: > > Hi, > > It recently came to my attention (when an undergrad -- Michael Schmitz -- > was talking with me about his project on openssl in my number > theory class) that OpenSSL's license is totally GPL incompatible. > This was his guess as to why firefox doesn't use openssl. > Why should you care? -- SAGE is a GPL'd program that > includes openssl and links in a bunch of other GPL'd programs, so > SAGE as distributed with openssl, currently violates the copyright of > those GPL'd > programs. SAGE *only* uses openssl to provide authentication for > DSAGE (distributed > SAGE) and -- in the future but not yet -- we plan to use it for authentication > for the notebook. Read more if you're interested. > > It is a copyright violation to link a GPL program with OpenSSL and > distribute together the linked program, as SAGE does. > In particular, by distributing OpenSSL with SAGE, we are violating the > copyright > of GPL'd programs included with SAGE. The OpenSSL license > is evidently OSI (www.opensource.org) approved, but that isn't enough. > There are several web page that I think consistently explain the copyright > situation with regard to openssl: > > * http://www.gnome.org/~markmc/openssl-and-the-gpl.html > * http://finkproject.org/doc/packaging/policy.php > * http://lists.debian.org/debian-legal/2002/10/msg00113.html > > Conclusion: I screwed up by not checking the license of openssl much more > carefully before including it in SAGE, and I will unfortunately have to remove > openssl from SAGE. (This is quite annoying -- I similarly screwed up once > by including gnuplot for several weeks, and once again by including Singular > before omalloc became GPL'd. Maybe we need to hire more lawyers. :-) ) > > Back to openssl. Fortunately, the Debian and Fink projects both took > a "hard line" position against OpenSSL some time ago, so (?) > there are alternatives. It looks like GNU TLS is probably the best: > http://www.gnu.org/software/gnutls/ > Fortunately it appears that Twisted can use GNU TLS: > http://cheeseshop.python.org/pypi/python-gnutls/ > > I think the *only* part of SAGE that use OpenSSL right now is DSAGE's > authenticiation > system, which is built on Twisted. Anyway, comments are welcome before I > simply remove openssl and pyopenssl from SAGE before the next release, come > what may. > > -- William > > -- > William Stein > Associate Professor of Mathematics > University of Washington > http://www.williamstein.org > > > > --~--~---------~--~----~------------~-------~--~----~ To post to this group, send email to [email protected] To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/sage-devel URLs: http://sage.scipy.org/sage/ and http://modular.math.washington.edu/sage/ -~----------~----~----~----~------~----~------~--~---
