[pacman-dev] Linking to OpenSSL
Hi,
I have been working on an Arch fork for the past several months, and thus have been following Arch developments closely. I noticed this commit ( http://projects.archlinux.org/gitweb.cgi?p=pacman.git;a=commit;h=b8a66d68593... ), where OpenSSL replaces the usage of md5sum and sha1sum utilities for Pacman. While I like the idea of using libraries instead of external binaries, I feel that linking to OpenSSL complicates a few things. For one, it is big, and must be included with any non-static binaries of Pacman (in the installer, this would not be so ideal, unless OpenSSL is included anyways). Another is that it is simply not legal under the GPL. OpenSSL includes an advertising clause that makes it incompatible with the GPL. Wget and climm had to modify their GPL licenses to link to it ( http://en.wikipedia.org/wiki/Openssl#Licensing ).
I propose using GNUTLS instead. It is released under the LGPLv2.1, should be fully capable, and is compatible with the GPL. Many projects that use OpenSSL can also optionally link to GNUTLS instead, so I would suggest doing so with all possible packages (lftp, elinks, wget).
What are your thoughts about this?
Pacman is an excellent package manager; thank you for all of the work that you put into it.
Cheers,
Teran (sega01)
Teran McKinney wrote:
Hi,
I have been working on an Arch fork for the past several months, and thus have been following Arch developments closely. I noticed this commit ( http://projects.archlinux.org/gitweb.cgi?p=pacman.git;a=commit;h=b8a66d68593... ), where OpenSSL replaces the usage of md5sum and sha1sum utilities for Pacman. While I like the idea of using libraries instead of external binaries, I feel that linking to OpenSSL complicates a few things.
I am confused, the patch you showed is for makepkg, which is a bash script. The usage of md5sum and sha1sum binaries was replaced by the usage of openssl binary. We don't use openssl lib. For pacman, we also need md5 hashing functionality. For that we imported a md5.c file from the xyssl project.
Ah, ok. I must have read it incorrectly, but in the case of makepkg I personally prefer the *sum utilities. It is a simple revert anyways, and I will eventually get around to doing some major changes to makepkg (I have a few ideas, but nothing set in stone).
Thanks,
Teran
On Sat, Jul 19, 2008 at 7:12 PM, Xavier <shiningxc@gmail.com> wrote:
Teran McKinney wrote:
Hi,
I have been working on an Arch fork for the past several months, and thus have been following Arch developments closely. I noticed this commit ( http://projects.archlinux.org/gitweb.cgi?p=pacman.git;a=commit;h=b8a66d68593... ), where OpenSSL replaces the usage of md5sum and sha1sum utilities for Pacman. While I like the idea of using libraries instead of external binaries, I feel that linking to OpenSSL complicates a few things.
I am confused, the patch you showed is for makepkg, which is a bash script. The usage of md5sum and sha1sum binaries was replaced by the usage of openssl binary. We don't use openssl lib.
For pacman, we also need md5 hashing functionality. For that we imported a md5.c file from the xyssl project.
On Sat, Jul 19, 2008 at 2:01 PM, Teran McKinney <sega01@gmail.com> wrote:
Hi,
I have been working on an Arch fork for the past several months, and thus have been following Arch developments closely. I noticed this commit ( http://projects.archlinux.org/gitweb.cgi?p=pacman.git;a=commit;h=b8a66d68593... ), where OpenSSL replaces the usage of md5sum and sha1sum utilities for Pacman.
Hold up right here. You read it wrong. This is for *makepkg* only, we have *never* linked in anything external for pacman proper. We are currently using code from XySSL as our md5sum routine, which is dual licensed under BSD and GPL. I do not believe calling a binary has ever been construed as linking- correct me if I am wrong. With that said, the rest of your email is pretty much off base.
While I like the idea of using libraries instead of external binaries, I feel that linking to OpenSSL complicates a few things. For one, it is big, and must be included with any non-static binaries of Pacman (in the installer, this would not be so ideal, unless OpenSSL is included anyways). Another is that it is simply not legal under the GPL. OpenSSL includes an advertising clause that makes it incompatible with the GPL. Wget and climm had to modify their GPL licenses to link to it ( http://en.wikipedia.org/wiki/Openssl#Licensing ).
I propose using GNUTLS instead. It is released under the LGPLv2.1, should be fully capable, and is compatible with the GPL. Many projects that use OpenSSL can also optionally link to GNUTLS instead, so I would suggest doing so with all possible packages (lftp, elinks, wget). What are your thoughts about this?
Wrong ML is what I think about this. We don't decide Arch policy here, only discuss pacman development.
Pacman is an excellent package manager; thank you for all of the work that you put into it.
Thanks! And if you have any more questions about this, shoot us another email.
-Dan
participants (3)
- Dan McGee
- Teran McKinney
- Xavier