apr-dev mailing list archives

From Colm MacCarthaigh <c...@stdlib.net>
Subject Re: MD4/MD5 implementation is non-free
Date Mon, 16 Oct 2006 22:30:31 GMT
On Mon, Oct 16, 2006 at 11:48:05PM +0200, Tollef Fog Heen wrote:
> * Colm MacCarthaigh 
> | I hate these damn things, alerting us to these stupid nits only causes
> | any theoretical infringement to become willful and over time worsens our
> | code-base. Anyway, our time would probably be better spent just asking
> | RSA for a slightly modified license.
> I'm no happier for this than you are and I can't see it being a
> realistic threat.  However, we're technically in the grey area and I'd
> rather have us be totally clear.  I'd also like to not carry some
> silly patch and have to rip out the RSA MD4/MD5 code of every future
> tarball released by the APR project because you and Debian disagree
> about what's safe and what's not, licence-wise.
> However, note that there is a public-domain MD4 and MD5 implementation
> (written by Solar Designer) which I've adapted to work in APR and put
> in the Debian APR packages and which works well there.  So this isn't
> some big effort which you suddenly have to take on; a patch is already
> present.

This is 10-year-old code, that's a long time for any potential bugs to
have been shaken out. It's also the reference implementation, which
basically makes it bug-free by definition in the first place.

The technical reasons for keeping that code are very compelling imo,
which is why I suggest just asking RSA.

> I have heard some rumours that you are not too happy about code being
> in the public domain, so I have taken the liberty of talking with
> Solar Designer over this:

The concept of a public domain does not generally exist outside of the
US. Generally instead a very liberal unilateral license is instead

Colm MacCárthaigh                        Public Key: colm+pgp@stdlib.net
