On May 17, 2012, at 8:34 AM, Josh Thompson wrote:

> Hash: SHA1
> On Wednesday, May 16, 2012 10:37:02 AM Kevan Miller wrote:
>> On May 11, 2012, at 3:17 PM, Josh Thompson wrote:
>>> Kevan,
>>> Ugh.  Thanks for looking at this.  I guess it goes to show you can't just
>>> trust that another project that says it is MIT licensed is *completely*
>>> MIT
>>> licensed.  :(  I'll figure out a way to deal with it.  If it works out
>>> that
>>> bcpowmod.php and str_split.php are not actually needed, can I just remove
>>> them?  If so, do I need to document that modification somewhere?
>> BTW, vcl/trunk/web/.ht-inc/phpseclib/index.html refers to PHP Secure
>> Communications Library as LGPL-licensed. Which is contradicted by
>> http://phpseclib.sourceforge.net/
>> It looks like our documentation comes from
>> http://phpseclib.sourceforge.net/documentation/ -- I'd check with the
>> phpseclib project. Seems to be their reference to LGPL is unintended or
>> inconsistent. bcpowmod.php's LGPL license would seem to be a problem with
>> this, however…
>> --kevan
> After looking further, there are only two files (AES.php and Rijndael.php)
> needed from the phpseclib project, and both of them appear as though they were
> written to be able to be included by themselves (i.e. each one contains
> information about the author, the project, and the license).  Both files state
> that they are MIT licensed and contain that license in them.  Is it normal to
> just pull in specific files from another project, or is it better to include
> the whole project?

First, I should say that all my comments are from a purely procedural nature… 
I'm not making any comments on the function.

It's more "normall" to pull in whole projects. Certainly true when you're pull 
in as dependencies. Advantage is that as fixes are made to original library, 
you pull in as a dependency (and don't have to migrate any source fixes). More 

That doesn't mean that whole projects is "better". Both can be equally correct. 
In this case, only pulling in the two files would seem perfectly fine to me.

Can I please ask that the LGPL files be removed from SVN immediately? Please 
treat this as a -1 on the original svn commit as the commit contains LGPL 
licensed code. Removing the offending files from svn will address my veto.

As a (final?) piece of mentor education, see:


> My only other experience in including another open source project in one I
> work on is from including the Dojo Toolkit with VCL.  In that case, it seemed
> to make the most sense to include the whole thing.

Right. So, both techniques are used. Which is most appropriate, depends on the 

> License wise, it seems simplest to just include the two files in the release,
> but I just want to make sure we do the right thing in respecting other open
> source projects.

In general copying code is less desirable than including released software from 
another project. A description of this practice (with negative connotations) 
would be "forking" (though forking usually refers to an entire project). In 
general, we'd prefer to collaborate with other projects, rather than copy their 

However, open source gives us the flexibility to choose. And we should feel 
free to choose what best fits the needs of the project -- taking all factors 
into account...

In this case, we should definitely raise the licensing questions that have been 
raised with the phpseclib project (no matter how we resolve the issue). And, by 
the way, perhaps there was a mistake made and those files aren't LGPL -- we may 
learn something...


Reply via email to