OpenSSL 3.0 Officially Released
Originally posted by sinepgib:
Probably the copyleft license, depending on who you ask.
Likes 2

Originally posted by RahulSundaram:
GNUTLS is LGPL, which is generally acceptable considering things like glibc. The bigger problem with alternative implementations in general, including LibreSSL, is that they are just not as supported, leaving a large support burden to people adopting them. Linux distributions have largely abandoned it, see https://lwn.net/Articles/841664/. After Heartbleed, the Linux Foundation boosted funding for OpenSSL and they have made some major improvements, including with this release and the shift to the Apache license, taking away a good portion of the criticisms against it. In general, within the free software community, there are a lot of discussions of alternatives when one implementation has some flaws, when what is often needed is a focus on funding and people, and especially commercial organizations should be willing to help out through funding, infrastructure etc. instead of treating it as a free lunch. This stuff is complex and it is hard to do on a voluntary basis purely as a hobby.

Originally posted by sinepgib:
I don't disagree with anything you said. But a lot of people just won't ship anything that says GPL, even if it is LGPL. I guess they want to leave the door open to touching code without having to release anything, even for things that don't make sense to do that anyway :shrug:
Originally posted by sinepgib:
Is this related in any way to BearSSH?
If so, they aren't related. Dropbear came along much before BearSSL.
Originally posted by sinepgib:
In my country there was a time where someone tainted a batch of wine with methanol, blinding and killing several people before anybody realized it. So yeah, they need security too.
Originally posted by fanbelt:
Coincidentally, I was just looking up the progress of JPGXL and found that they switched licenses from Apache-2.0 to BSD 3-clause with a patent grant. It's strange because the patent grant includes the litigation-patent-revoking wording found in Apache 2.0. This means it is still GPLv2 incompatible. I wonder why they made the switch then?
Likes 1

Originally posted by RahulSundaram:
This may certainly be a concern, for instance in embedded systems etc. where they may be touching something that low level, but for most users, they treat the core components of the distro, like the Linux kernel (which of course is GPL), glibc (LGPL) etc., as stuff that they accept as it is, and the license as it is gives them the ability to build on top of it essentially as a black box. If for instance Debian or Fedora switched to GNUTLS everywhere away from OpenSSL, they will be fine with that. As you go higher up in the stack, the licenses start to matter more.
So, does it make sense to avoid LGPL software? Pretty much no, unless for some reason you want to link statically, where it comes with extra hurdles, or modify the code. Do people still do it? AFAIK, yes.
Originally posted by kpedersen:
I don't think so (though I may have missed something new). There was a small portable ssh server called dropbear (very common on Android). Perhaps that is what you are referring to?
https://matt.ucc.asn.au/dropbear/dropbear.html
Originally posted by RahulSundaram:
GNUTLS is LGPL, which is generally acceptable considering things like glibc. The bigger problem with alternative implementations in general, including LibreSSL, is that they are just not as supported, leaving a large support burden to people adopting them. Linux distributions have largely abandoned it, see https://lwn.net/Articles/841664/. After Heartbleed, the Linux Foundation boosted funding for OpenSSL and they have made some major improvements, including with this release and the shift to the Apache license, taking away a good portion of the criticisms against it. In general, within the free software community, there are a lot of discussions of alternatives when one implementation has some flaws, when what is often needed is a focus on funding and people, and especially commercial organizations should be willing to help out through funding, infrastructure etc. instead of treating it as a free lunch. This stuff is complex and it is hard to do on a voluntary basis purely as a hobby.
I don't mind OpenSSL, but I avoided a lot of problems, both with some of the bigger CVEs and also the OpenSSL upgrades that weren't backwards compatible, by using GnuTLS.
I also think that monolithic development isn't healthy in the long run.