Gentoo Archives: gentoo-dev

From: Joshua Kinard <kumba@g.o>
To:
Cc: gentoo-dev@l.g.o, licenses@g.o
Subject: Re: [gentoo-dev] Guidance on distributed patented software
Date: Fri, 24 Sep 2021 07:47:00
Message-Id: 22b6bfa3-d464-4f97-f6ac-306479ae3bbf@gentoo.org

On 9/23/2021 12:10, Alec Warner wrote:
> On Wed, Sep 22, 2021 at 10:54 PM Joshua Kinard <kumba@g.o> wrote:
>>
>> On 9/22/2021 12:37, Robin H. Johnson wrote:
>>> On Wed, Sep 22, 2021 at 08:54:40AM -0400, Joshua Kinard wrote:
>>>> Is there any advice on how this impacts net-misc/dropbear? That has ECC
>>>> (both ECDSA and Ed25519) support, and I use it for SGI/MIPS netboot images.
>>>> The build doesn't have any bindist uses in it, and ECC support is a
>>>> localoptions.h compile-time option (enabled by default). ECC is much faster
>>>> on old SGI hardware and generating the hostkeys at bootup takes just a
>>>> second or two, whereas RSA can take up to 10-15 seconds. So I'd like to be
>>>> able to use ECC on these platforms and distribute netboot images using them.
>>> RedHat doesn't seem to disable ECC in Dropbear:
>>> https://src.fedoraproject.org/rpms/dropbear/blob/rawhide/f/dropbear.spec
>>>
>>> Based on what they've said for OpenSSL, I would expect that they SHOULD
>>> have disabled ECC there, but there is certainly no consistency from
>>> them.
>>>
>>> Probably nobody asked legal and just shipped dropbear anyway.
>>>
>>> If you wanted to stir the pot, you could post to the Fedora legal list
>>> and ask for consistency ;-).
>>
>> Hmm, it looks like dropbear is relying heavily on the ecc/ecdsa functions
>> provided in libtomcrypt, and that library's homepage states all its code is
>> public domain. Our ebuild has no bindist restrictions on that library.
>> Perhaps that is how dropbear, and thus Red Hat, avoids the issues with
>> licensing or patents?
>
> I don't see a patent grant in the unlicense; so I don't see how this
> works around that problem. Now it's hard for us to say (because we
> don't know what patents openssl might contain, to be able to look at
> dropbear and compare.)
> Note that openssl 3.0 is released under a new license (The Apache 2.0
> license) which has a patent grant in it. Note that the grant itself is
> not bulletproof, but it's often better than nothing.
>
> The apache 2.0 grant basically says if the patent author writes the
> code and submits it as apache 2.0 they grant you a license to do a
> bunch of stuff with the code. If I'm just some individual who writes
> the patented code and I license it as apache 2.0; obviously I have no
> right to grant you a patent license....so the grant in apache2 is not
> useful in that context. In the latter case I'd expect the project to
> remove the code in question in most circumstances.
>
> In general we trust upstream (because we have no other option.) If we
> become aware that there is patented material in a package we should
> take the requisite action (typically restrict=bindist) so that we are
> not violating the patents (and we did that for openssl, for example.)
> I want to get away from this concept that we can easily tell whether
> something is protected or not, or contains patents or not; it's a hard
> problem. In many cases it's similar to licensing. We trust upstream
> until we learn otherwise and then we endeavour to fix the issue.
> Sometimes that means removing code; or changing the LICENSE variables,
> etc.
>
> -A

If I remember this weekend, I'll e-mail the libtomcrypt author and see if
they have any insight. One would hope they did their own research before
possibly putting patented code out into the public domain.

Any idea if the Ed25519 forms are unencumbered? As far as I know, those
were developed by DJB completely independent of ECDSA, so it seems like
those should be fine.

--
Joshua Kinard
Gentoo/MIPS
kumba@g.o
rsa6144/5C63F4E3F5C6C943 2015-04-27
177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

"The past tempts us, the present confuses us, the future frightens us. And
our lives slip away, moment by moment, lost in that vast, terrible in-between."

--Emperor Turhan, Centauri Republic