apr-dev mailing list archives

From "Lawrence Rosen" <lro...@rosenlaw.com>
Subject RE: apr-util removal of md4/md5 algorithms (legal issue)
Date Wed, 10 Sep 2008 15:27:21 GMT
The IETF IPR statement from RSA [http://www.ietf.org/ietf/IPR/RSA-MD-all ]
says this: "Implementations of these message-digest algorithms, including
implementations derived from the reference C code in RFC-1319, RFC-1320, and
RFC-1321, may be made, used, and sold without license from RSA for any

The only restriction is as to implementations "created, implemented, or
distributed by RSA."

Please help me understand why the lawyers who looked at this IETF statement
"were not amused." I'm personally delighted by these terms. 


> -----Original Message-----
> From: sa3ruby@gmail.com [mailto:sa3ruby@gmail.com] On Behalf Of Sam Ruby
> Sent: Wednesday, September 10, 2008 8:13 AM
> To: legal-discuss@apache.org; Tom O'Brien; dev@apr.apache.org
> Subject: Re: apr-util removal of md4/md5 algorithms (legal issue)
> On Wed, Sep 10, 2008 at 4:24 AM, Joe Orton <jorton@redhat.com> wrote:
> > On Mon, Sep 08, 2008 at 01:24:58PM -0400, Tom O'Brien wrote:
> >> Hi all:
> >> I'm using the Log4Cxx logging library in a project, and it uses apr and
> >> apr-util as part of the implementation. In reviewing the license to
> >> apr-util, I noticed it contained a reference to the RSA reference
> >> implementation to md4 and md5. The lawyers here got a look at the
> >> license, and were not amused (no specific right to redistribute). I saw
> >> that the Debian team had raised a similar issue in the mailing list
> >> archive.
> >
> > I just noticed that this issue is covered in the Fedora licensing FAQ:
> >
> > http://fedoraproject.org/wiki/Licensing/FAQ
> >
> > which references this statement from RSA:
> >
> > http://www.ietf.org/ietf/IPR/RSA-MD-all [plain text sent as text/html,
> > oops]
> >
> > the Fedora FAQ says that based on this, we can simply strip the
> > restrictive licensing statements from the MD4/MD5 implementation,
> > retaining the RSA copyright notice alone.
> >
> > Can legal-discuss@ confirm whether this is an acceptable course of
> > action?
> First, the above seems to present a conflicting state of affairs.
> I've only followed the links provided, so I may not understand the
> true story.  But if the original code was made available under the
> original BSD with advertising clause, then there is a specific right
> to redistribute provided, right?
> Second, if we accept code, it either needs to be covered under a CLA
> (or, in the case of minor patches, be covered by the definition of a
> Contribution in the Apache License, Version 2.0), or we need a
> separate license.  Perhaps we could consider treating the statement
> posted on the IETF site as such.
> Since we have actual lawyers engaged (ones who are reportedly not
> amused), how about inquiring as to whether such a course of action
> would, in fact, tickle their fancy?
> If so, we can proceed to determine what ASF policy adjustments would
> be required to enable this, and decide whether or not we were
> comfortable with such.  I, for example, am currently uncomfortable
> with the thoughts of us modifying such code (under what license would
> we use for such modifications?) and specifically uncomfortable about
> removing licensing statements.
> - Sam Ruby
> ---------------------------------------------------------------------
> DISCLAIMER: Discussions on this list are informational and educational
> only.  Statements made on this list are not privileged, do not
> constitute legal advice, and do not necessarily reflect the opinions
> and policies of the ASF.  See <http://www.apache.org/licenses/> for
> official ASF policies and documents.
> ---------------------------------------------------------------------
