OpenSSL 3.0 Officially Released
• #21
  Originally posted by fanbelt:
  if they still really wanted a permissive license, a BSD-3+Patent license would've been perfect.

  Coincidentally, I was just looking up the progress of JPGXL and found that they switched licenses from Apache-2.0 to BSD 3-clause with a patent grant. It's strange because the patent grant includes the litigation-patent-revoking wording found in Apache 2.0. This means it is still GPLv2 incompatible. I wonder why they made the switch then?

• #22
  Originally posted by sinepgib:
  Probably the copyleft license, depending on who you ask.

  GNUTLS is LGPL, which is generally acceptable considering things like glibc. The bigger problem with alternative implementations in general, including LibreSSL, is that they are just not as supported, leaving a large support burden to people adopting them. Linux distributions have largely abandoned it, see https://lwn.net/Articles/841664/. After Heartbleed, the Linux Foundation boosted funding for OpenSSL and they have done some major improvements, including with this release, the shift to the Apache license, taking away a good portion of the criticisms against it. In general, within the free software community, there are a lot of discussions of alternatives when one implementation has some flaws, when what is often needed is a focus on funding and people, and especially commercial organizations should be willing to help out through funding, infrastructure, etc. instead of treating it as a free lunch. This stuff is complex and it is hard to do on a voluntary basis purely as a hobby.

• #23
  Originally posted by RahulSundaram:
  GNUTLS is LGPL, which is generally acceptable considering things like glibc. The bigger problem with alternative implementations in general, including LibreSSL, is that they are just not as supported, leaving a large support burden to people adopting them. Linux distributions have largely abandoned it, see https://lwn.net/Articles/841664/. After Heartbleed, the Linux Foundation boosted funding for OpenSSL and they have done some major improvements, including with this release, the shift to the Apache license, taking away a good portion of the criticisms against it. In general, within the free software community, there are a lot of discussions of alternatives when one implementation has some flaws, when what is often needed is a focus on funding and people, and especially commercial organizations should be willing to help out through funding, infrastructure, etc. instead of treating it as a free lunch. This stuff is complex and it is hard to do on a voluntary basis purely as a hobby.

  I don't disagree with anything you said. But a lot of people just won't ship anything that says GPL, even if it is LGPL. I guess they want to leave the door open to touching code without having to release anything, even for things where it doesn't make sense to do that anyway :shrug:

• #24
  Originally posted by sinepgib:
  I don't disagree with anything you said. But a lot of people just won't ship anything that says GPL, even if it is LGPL. I guess they want to leave the door open to touching code without having to release anything, even for things where it doesn't make sense to do that anyway :shrug:

  This may certainly be a concern, for instance in embedded systems etc. where they may be touching something that low-level, but most users treat the core components of the distro like the Linux kernel, which of course is GPL, glibc (LGPL) etc. as stuff that they accept as it is, and the license as it is gives them the ability to build on top of it essentially as a black box. If for instance Debian or Fedora switched to GNUTLS everywhere away from OpenSSL, they would be fine with that. As you go higher up in the stack, the licenses start to matter more.

• #25
  Originally posted by sinepgib:
  Is this related in any way to BearSSH?

  I don't think so (though I may have missed something new). There was a small portable ssh server called dropbear (very common on Android). Perhaps that is what you are referring to?

  If so, they aren't related. Dropbear came along much before BearSSL.

• #26
  Originally posted by sinepgib:
  In my country there was a time when someone tainted a batch of wine with methanol, blinding and killing several people before anybody realized it. So yeah, they need security too.

  Until you said methanol, I was expecting you to be talking about the Austrian Wine Poisoning.

• #27
  Originally posted by fanbelt:
  Coincidentally, I was just looking up the progress of JPGXL and found that they switched licenses from Apache-2.0 to BSD 3-clause with a patent grant. It's strange because the patent grant includes the litigation-patent-revoking wording found in Apache 2.0. This means it is still GPLv2 incompatible. I wonder why they made the switch then?

  To make it GPLv2 compatible. You can just ignore the patent grant. Patent licenses and copyright licenses are different things, and GPLv2 only talks about copyright, which is the reason Apache 2.0 is considered incompatible with GPLv2: in Apache 2.0 your copyright license is conditioned on not engaging in patent litigation, while GPLv2 has no such condition. By separating things into a permissive copyright license and a defensive patent license, this problem is avoided. The AV1 encoder libaom does exactly the same thing as libjxl, by the way.

• #28
  Originally posted by RahulSundaram:
  This may certainly be a concern, for instance in embedded systems etc. where they may be touching something that low-level, but most users treat the core components of the distro like the Linux kernel, which of course is GPL, glibc (LGPL) etc. as stuff that they accept as it is, and the license as it is gives them the ability to build on top of it essentially as a black box. If for instance Debian or Fedora switched to GNUTLS everywhere away from OpenSSL, they would be fine with that. As you go higher up in the stack, the licenses start to matter more.

  Again, I agree with what you're saying. I wouldn't trust some random person modifying crypto libraries anyway, so I don't think any sane developer would find any reason to do that. But some companies have pointy-haired bosses that would rather not think. I was thinking more about standalone closed-source programs such as Google Chrome and permissive OSes like *BSD, as well. I mean, if you use Debian you're already shipping a lot of GPL software, and you're almost certainly linking dynamically to most libraries anyway.

  So, does it make sense to avoid LGPL software? Pretty much no, unless for some reason you want to link statically, where it comes with extra hurdles, or modify the code. Do people still do it? AFAIK, yes.

• #29
  Originally posted by kpedersen:
  I don't think so (though I may have missed something new). There was a small portable ssh server called dropbear (very common on Android). Perhaps that is what you are referring to?

  https://matt.ucc.asn.au/dropbear/dropbear.html

  Yes, my memory failed, but I meant Dropbear :facepalm:

• #30
  Originally posted by RahulSundaram:
  GNUTLS is LGPL, which is generally acceptable considering things like glibc. The bigger problem with alternative implementations in general, including LibreSSL, is that they are just not as supported, leaving a large support burden to people adopting them. Linux distributions have largely abandoned it, see https://lwn.net/Articles/841664/. After Heartbleed, the Linux Foundation boosted funding for OpenSSL and they have done some major improvements, including with this release, the shift to the Apache license, taking away a good portion of the criticisms against it. In general, within the free software community, there are a lot of discussions of alternatives when one implementation has some flaws, when what is often needed is a focus on funding and people, and especially commercial organizations should be willing to help out through funding, infrastructure, etc. instead of treating it as a free lunch. This stuff is complex and it is hard to do on a voluntary basis purely as a hobby.

  Sure, GnuTLS isn't a drop-in replacement for OpenSSL, but that makes it possible to use on the same machine as OpenSSL.

  I don't mind OpenSSL, but I avoided a lot of problems, both with some of the bigger CVEs and also the OpenSSL upgrades that weren't backwards compatible, by using GnuTLS.

  I also think that monolithic development isn't healthy in the long run.