apr-dev mailing list archives

From Tollef Fog Heen <tfh...@err.no>
Subject Re: MD4/MD5 implementation is non-free
Date Mon, 16 Oct 2006 21:48:05 GMT
* Colm MacCarthaigh 

| I hate these damn things, alerting us to these stupid nits only causes
| any theoretical infringement to become willful and over time worsens our
| code-base. Anyway, our time would probably be better spent just asking
| RSA for a slightly modified license.

I'm no happier for this than you are and I can't see it being a
realistic threat.  However, we're technically in the grey area and I'd
rather have us be totally clear.  I'd also like to not carry some
silly patch and have to rip out the RSA MD4/MD5 code of every future
tarball released by the APR project because you and Debian disagree
about what's safe and what's not, licence-wise.

However, note that there is a public-domain MD4 and MD5 implementation
(written by Solar Designer) which I've adapted to work in APR and put
in the Debian APR packages and which works well there.  So this isn't
some big effort which you suddenly have to take on; a patch is already
present.

I have heard some rumours that you are not too happy about code being
in the public domain, so I have taken the liberty of talking with
Solar Designer over this:

  > I was wondering if it would be possible to have your MD4 and MD5
  > implementations ASL or BSD licenced in addition to being in the
  > public domain.

  I'm afraid not.  In my understanding, when I place something in the
  public domain, I disclaim any copyright interest in it - so I no
  longer have a right to place it under a license.  Well, technically
  I may try to do so, but my understanding is that such a license
  would be void (at least in jurisdictions that do recognize public
  domain) and/or this fact could be used to dispute the public domain
  status of the software.

And in a later mail:

  Thinking of it some more, I realize that if my placing in the public
  domain has "worked", then anyone including me can also release this
  same software (or a derivative of it) under a license.  Someone
  might interpret my doing so as me claiming copyright on the original
  work instead of placing it in the public domain.  Someone else might
  interpret it as me claiming copyright on a derivative of the public
  domain work.

I'm not sure I agree with his reasoning, but I would be grateful for
any help you could give me finding a reasonable course of action so we
can get this cleaned up.  Also, if somebody could point me to a
reasoning for the wariness of using PD code which I could send to
Solar Designer, that would be useful.

His licence statement reads:

/*
 * This is an OpenSSL-compatible implementation of the RSA Data Security,
 * Inc. MD5 Message-Digest Algorithm.
 *
 * Written by Solar Designer <solar@openwall.com> in 2001, and placed in
 * the public domain.  There's absolutely no warranty.
 */

If we want it explicit that public domain means «you can distribute,
modify and distribute modified versions freely, for any purpose», I
think I can get that added.  (It seems like that was an issue when
Jakarta Commons Math wanted to incorporate code from the JAMA matrix
package almost two years ago.)

-- 
Tollef Fog Heen                                                        ,''`.
UNIX is user friendly, it's just picky about who its friends are      : :' :
                                                                      `. `' 
                                                                        `-  
