RSA code not GPL compatible, RSAref license being violated.
Status: Beta
Brought to you by:
sh4rd
Menu
▾
▴
#54 RSA code not GPL compatible, RSAref license being violated.
open-later
nobody
None
1
2004-11-22
2004-09-13
Anonymous
No
The code in the rsa/ subdirectory is licensed under the
RSAREF license (http://bs.mit.edu/pgp/rsalicen.html).
1) This license is not compatible with the GPL; for
one, it forbids any commercial use.
2) Even ignoring the GPL issues. this license on it's
own is being violated in 1.5.0-beta2, The license for
RSAref requires permission from RSA Security before
making any changes to the interfaces, or any changes to
the code other than those required to port it to new
platforms. It seems likely that the conversion of
RSAref to C++ is not allowed by the license. In
addition, as of 1.5.0-beta2, the license for RSAref is
not being distributed along with the code.
As a tertiary issue, the RSAref code is not maintained,
and is not particularly secure. For example, the RNG is
known to be very weak in some situations. I have not
checked to see if WASTE uses the RNG in such a way that
causes the RNG to fail, however.
Logged In: YES
user_id=573676
There has been some discussion about this amongst shard,
gvdl, and myself. We think that the entire RSA dependency
should be removed and replaced with openSSL.
To the best of my knowledge, the waste team has never been
approached about liscensing issues from any party. Our plan
for now is to leave things as they are and slowly migrate
away from RSA unless forced to speed it up.
Logged In: NO
this is me not caring....
Logged In: NO
OpenSSL is under a GPL-incompatible license, so it would
still be illegal to distribute binaries. Try GnuTLS, which
from what I understand, is designed to be a drop-in replacement:
http://www.gnu.org/software/gnutls/