Marc Espie <es...@nerim.net> writes: > On Sun, Jan 13, 2013 at 12:32:04PM +0100, Jérémie Courrèges-Anglas wrote: >> Hi, >> >> I have overlooked a licence problem about the RMD160 implementation >> shipped and used in seeks. The files on >> http://homes.esat.kuleuven.be/~bosselae/ripemd160.html mention no real > [...] >> licence, only a "Copyright" note, contrary to the seeks source copies >> which go like this: >> Parts #1 and #2 sound a bit awkward and restrictive for me to push this >> as is. I don't want to be the one pushing a port for this release. Next >> release will be much easier to port and will be using mhash, thus >> getting freed of this licence issue. > > openssl has a rmd160 implementation free of those defects. Either link > to openssl, or replace that code with the appropriate snippet.
Afaik, the OpenSSL licence is incompatible with the (A)GPLv$X unless some constraints are met[1]. mhash is LGPL'd thus free of those constraints. I think upstream is much more likely to choose this path (and a patch already exists and is being tested). Was your advice targeted at the upstream project or just to me, ports-wise? Sure I could cook a diff to use mhash on our system, just for this release, but that's a rather intrusive change. Also, even if the package would be free from those constraints, the situation of distfiles seems a bit less clear to me. But perhaps am I being a sissy here, I don't feel really comfortable with mashups of uselessly complex/constrained licences. [1] http://www.openssl.org/support/faq.html#LEGAL2 -- Jérémie Courrèges-Anglas GPG Key fingerprint: 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
