apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Garrett Rooney" <roo...@electricjellyfish.net>
Subject Re: MD4/MD5 implementation is non-free
Date Sun, 14 Jan 2007 21:46:37 GMT
On 10/9/06, Tollef Fog Heen <tfheen@err.no> wrote:
>
> Hi,
>
> For those who don't know me, I'm one of the Debian Apache (and APR)
> maintainers.  Some time ago, we received a bug report (
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=340538 , but bugs.d.o
> is down right now, mirror at http://url.err.no/hxnxhq ) about the MD4
> and MD5 implementations in apr-util being non-free and possibly
> distributable.
>
> I took the liberty of replacing the MD4 and MD5 implementations in
> apr-util with the ones from dovecot (written originally by Solar
> Designer and put in the public domain).  They took a bit of adaption
> to not break the ABI or change the API.  The diff is attached and also
> available at http://err.no/patches/apr-util-md4-md5-licence-fix.diff
>
> As I have seen earlier that public domain in some cases if problematic
> due to not being recognised in all jurisdictions, I have sent Solar
> Designer a mail asking him to licence it under the ASL or a BSD
> licence as well as public domain.  I'll follow up as soon as I have
> his answer.

Ok, since it seems like the RSA code's legal status is ambiguous at
best, and nobody seems to object to Roy's suggestion of picking an
implementation and going with it instead of jumping through legal
hoops with RSA's lawyers, that seems like the best approach to me.
I'm currently planning on going with the Solar Designer implementation
(originally by Colin Plumb), because it covers both md4 and md5, while
all the other acceptably licensed implementations are md5 only, and we
need both.  Looking through your patch I did have a few questions
though:

There seem to be numerous places where the xlate functionality is
kinda weird.  You have commented out some variable declarations, and
while there are some calls to xlate remaining, it seems like there are
considerably less than there used to be.  Is this just unfinished?
Similarly there is a comment in apr_md5.c that indicates that the
xlate stuff isn't done, but I do see calls to xlate in there.  What's
the story on this?

Second, you added comments to the effect that you modified the code
for use in APR.  That's not usually how things are done in APR, credit
for contributors goes in the CHANGES file, not in the code itself.
I'm also curious how large the modifications were, if it's
substantial, we'll want to get a CLA on file for you if you don't have
one already.

Thanks for your work on this, and I'm sorry it's taken so long to get
back to it.

-garrett

Mime
View raw message