Greg Troxel wrote:
> Jan Harkes <jaharkes_at_cs.cmu.edu> writes:
>
>   
>> On Sat, May 19, 2007 at 04:51:07PM +0200, Enrico Weigelt wrote:
>>     
>>> So should we drop the openssl dependency completely ? 
>>>       
>> I think so, the openssl implementation may or may not be faster. The
>> md5 and sha1 code is conditionally compiled in coda/lib-src/base. Every
>> Coda binary links against the resulting libbase.a.
>>     
>
> In general I would favor requiring a crypto library rather than having
> included crypto code.  But openssl may be problematic - is the license
> GPL-compatible?
>
>   
A few relevant links:

[1] http://www.openssl.org/support/faq.html#LEGAL2
[2] http://www.gnome.org/~markmc/openssl-and-the-gpl.html

I've looked at this recently for a different project I've been working 
on and it is not completely clear.  OpenSSL is licensed under an 
Apache-style or BSD-style open source license which are generally closer 
to being public domain than the GPL, and can often be included in more 
restricted code bases by falling under the more restrictive license.  
However, the OpenSSL license does contain a few clauses about 
advertising and acknowledgments which impose additional restrictions 
that directly conflict with the GPL.  The debate moves into a gray area 
when you consider that OpenSSL may be shipped as a GPL-incompatible 
library with an operating system, which the GPL specifically allows 
exemptions for linking against.

The most common way to get around this is to distribute your code under 
the GPL with an OpenSSL exemption clause.  From what I can tell, 
OpenSSL's FAQ [1] seems to suggest Coda's current licensing is fine for 
most of the operating systems on which it is linked, Windows beta aside.


Adam