On 9/23/2021 12:10, Alec Warner wrote:
> On Wed, Sep 22, 2021 at 10:54 PM Joshua Kinard <kumba@g.o> wrote:
>>
>> On 9/22/2021 12:37, Robin H. Johnson wrote:
>>> On Wed, Sep 22, 2021 at 08:54:40AM -0400, Joshua Kinard wrote:
>>>> Is there any advice on how this impacts net-misc/dropbear? That has ECC
>>>> (both ECDSA and Ed25519) support, and I use it for SGI/MIPS netboot images.
>>>> The build doesn't have any bindist uses in it, and ECC support is a
>>>> localoptions.h compile-time option (enabled by default). ECC is much faster
>>>> on old SGI hardware and generating the hostkeys at bootup takes just a
>>>> second or two, whereas RSA can take up to 10-15 seconds. So I'd like to be
>>>> able to use ECC on these platforms and distribute netboot images using them.
>>> RedHat doesn't seem to disable ECC in Dropbear:
>>> https://src.fedoraproject.org/rpms/dropbear/blob/rawhide/f/dropbear.spec
>>>
>>> Based on what they've said for OpenSSL, I would expect that they SHOULD
>>> have disabled ECC there, but there is certainly no consistency from
>>> them.
>>>
>>> Probably nobody asked legal and just shipped dropbear anyway.
>>>
>>> If you wanted to stir the pot, you could post to the Fedora legal list
>>> and ask for consistency ;-).
>>
>> Hmm, it looks like dropbear is relying heavily on the ecc/ecdsa functions
>> provided in libtomcrypt, and that library's homepage states all its code is
>> public domain. Our ebuild has no bindist restrictions on that library.
>> Perhaps that is how dropbear, and thus Red Hat, avoids the issues with
>> licensing or patents?
>
> I don't see a patent grant in the unlicense; so I don't see how this
> works around that problem. Now it's hard for us to say (because we
> don't know what patents openssl might contain, to be able to look at
> dropbear and compare.)
> Note that openssl 3.0 is released under a new license (The Apache 2.0
> license) which has a patent grant in it. Note that the grant itself is
> not bulletproof, but it's often better than nothing.
>
> The apache 2.0 grant basically says if the patent author writes the
> code and submits it as apache 2.0 they grant you a license to do a
> bunch of stuff with the code. If I'm just some individual who writes
> the patented code and I license it as apache 2.0; obviously I have no
> right to grant you a patent license....so the grant in apache2 is not
> useful in that context. In the latter case I'd expect the project to
> remove the code in question in most circumstances.
>
> In general we trust upstream (because we have no other option.) If we
> become aware that there is patented material in a package we should
> take the requisite action (typically restrict=bindist) so that we are
> not violating the patents (and we did that for openssl, for example.)
> I want to get away from this concept that we can easily tell whether
> something is protected or not, or contains patents or not; it's a hard
> problem. In many cases it's similar to licensing. We trust upstream
> until we learn otherwise and then we endeavour to fix the issue.
> Sometimes that means removing code; or changing the LICENSE variables,
> etc.
>
> -A

If I remember this weekend, I'll e-mail the libtomcrypt author and see if
they have any insight. One would hope they did their own research before
possibly putting patented code out into the public domain.

Any idea if the Ed25519 forms are unencumbered? As far as I know, those
were developed by DJB completely independent of ECDSA, so it seems like
those should be fine.

--
Joshua Kinard
Gentoo/MIPS
kumba@g.o
rsa6144/5C63F4E3F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us. And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic