[pacman-dev] Linking to OpenSSL

[Dan McGee]

On Sat, Jul 19, 2008 at 2:01 PM, Teran McKinney <sega01 at gmail.com> wrote:
> Hi,
>
> I have been working on an Arch fork for the past several months, and
> thus have been following Arch developments closely. I noticed this
> commit ( http://projects.archlinux.org/gitweb.cgi?p=pacman.git;a=commit;h=b8a66d68593d1f267c3bb8cd8943724711626903
> ), where OpenSSL replaces the usage of md5sum and sha1sum utilities
> for Pacman.
Hold up right here. You read it wrong. This is for *makepkg* only, we
have *never* linked in anything external for pacman proper. We are
currently using code from XySSL as our md5sum routine, which is dual
licensed under BSD and GPL.

I do not believe calling a binary has ever been construed as linking-
correct me if I am wrong.

With that said, the rest of your email is pretty much off base.

> While I like the idea of using libraries instead of
> external binaries, I feel that linking to OpenSSL complicates a few
> things. For one, it is big, and must be included with any non-static
> binaries of Pacman (in the installer, this would not be so ideal,
> unless OpenSSL is included anyways). Another, is that it is simply not
> legal under the GPL. OpenSSL includes an advertising clause that makes
> it incompatible with the GPL. Wget and climm had to modify their GPL
> licenses to link to it (
> http://en.wikipedia.org/wiki/Openssl#Licensing ).
>
> I purpose using GNUTLS instead. It is released under the LGPLv2.1,
> should be fully capable, and is compatible with the GPL. Many projects
> that use OpenSSL can also optionally link to GNUTLS instead, so I
> would suggest doing so with all possible packages (lftp, elinks,
> wget). What are your thoughts about this?
Wrong ML is what I think about this. We don't decide Arch policy here,
only discuss pacman development.

> Pacman is an excellent package manager; thank you for all of the work
> that you put into it.

Thanks! And if you have any more questions about this, shoot us another email.

-Dan