couchdb-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Anderson <jch...@apache.org>
Subject Re: Making CouchDB crypto dependency optional
Date Mon, 18 Jan 2010 19:12:20 GMT
On Mon, Jan 18, 2010 at 1:23 AM, Jonathan <jdknezek@gmail.com> wrote:
> On Sun, Jan 17, 2010 at 11:31 PM, Dirk-Willem van Gulik <
> Dirk-Willem.van.Gulik@bbc.co.uk> wrote:
>
>> Sorry - that is the algorithm - not the *implementation*.
>>
>> If you wrote it from scratch - just using documents like above - then you
>> are good (and all that is needed is a software grant from you - or a
>> contribution under a CLA - and point to the document as the source.).
>>
>> HOWEVER if you took some random piece of existing code and 'erlangfied' it;
>> or cut-and-pasted, say, C, Perl, Java or other third party existing code
>> into it - and then massaged that to work *then* you have to be significantly
>> more careful. There are then 4 cases:
>>
>> -       You only took one or two lines from someone else their code 'in
>> total' as a starting point.
>>
>> -       You took some lines from code under a BSD, ASL or similar 'open'
>> license (e.g. say from APR or from OpenSSL itself).
>>
>> -       You took code from a GPL, LGPL or similar family of code.
>>
>> -       You took code which someone (you perhaps) once wrote for a company.
>>
>> In the first two cases; no problem - just document where you took it and
>> point to the license as needed. In the third case - big no-no; in the final
>> case - better get permission from the person who paid you.
>>
>> As to 'recognizing' this - you'd be surprized how unique certain
>> spaces/variable name and orderings are - and how many permutations are
>> possible - or in other words - how long the 'fingerprint' of a given
>> original last through cut and paste.
>>
>
> Excellent, thanks very much for the clarification - I'm thoroughly
> inexperienced when it comes to licensing.  My code was based off of
> pseudocode listed on Wikipedia and so (I believe) would fall under the
> CC-BY-SA license - I've updated the Jira issue as appropriate.  Thank you
> for catching this early.

Thanks for taking this so seriously. I think it would really help
CouchDB a lot to have the option to fall back to native crypto in
environments that don't have the dependencies.

Is there anything sane we can do to add entropy to the random seed --
anyone have any options on how much more likely this could make uuid
collisions?

Chris

>
>
> Jonathan
>
> Thanks,
>>
>> Dw.
>>
>



-- 
Chris Anderson
http://jchrisa.net
http://couch.io

Mime
View raw message