On Sat, Jul 19, 2008 at 2:01 PM, Teran McKinney <sega01@gmail.com> wrote:
> Hi,
> I have been working on an Arch fork for the past several months, and thus have been following Arch developments closely. I noticed this commit ( http://projects.archlinux.org/gitweb.cgi?p=pacman.git;a=commit;h=b8a66d68593... ), where OpenSSL replaces the usage of md5sum and sha1sum utilities for Pacman.

Hold up right here. You read it wrong. This is for *makepkg* only, we have *never* linked in anything external for pacman proper. We are currently using code from XySSL as our md5sum routine, which is dual licensed under BSD and GPL. I do not believe calling a binary has ever been construed as linking - correct me if I am wrong. With that said, the rest of your email is pretty much off base.

> While I like the idea of using libraries instead of external binaries, I feel that linking to OpenSSL complicates a few things. For one, it is big, and must be included with any non-static binaries of Pacman (in the installer, this would not be so ideal, unless OpenSSL is included anyways). Another is that it is simply not legal under the GPL. OpenSSL includes an advertising clause that makes it incompatible with the GPL. Wget and climm had to modify their GPL licenses to link to it ( http://en.wikipedia.org/wiki/Openssl#Licensing ).
>
> I propose using GNUTLS instead. It is released under the LGPLv2.1, should be fully capable, and is compatible with the GPL. Many projects that use OpenSSL can also optionally link to GNUTLS instead, so I would suggest doing so with all possible packages (lftp, elinks, wget). What are your thoughts about this?

Wrong ML is what I think about this. We don't decide Arch policy here, only discuss pacman development.

> Pacman is an excellent package manager; thank you for all of the work that you put into it.

Thanks! And if you have any more questions about this, shoot us another email.

-Dan