tcl-trf included non-free codes.

Progetto:Trisquel
Versione:6.0
Componente:License problems
Categoria:segnalazione di bug
Priorità:critical
Assigned:Non assegnata
Stato:closed
Descrizione

tcl-trf is included non-free codes. This is "ripemd" function code.
There code license is non-free, non-distributable.

Fedora already patched and removed non-free code.

http://pkgs.fedoraproject.org/cgit/tcl-trf.git/tree/tcl-trf.spec
http://pkgs.fedoraproject.org/cgit/tcl-trf.git/tree/trf2.1.4-noripemd.patch

Suggests:

1. Remove non-free code and rebuild.

2. Replace non-free code to free code.

3. Remove to archive.

Thanks.

Mer, 01/22/2014 - 12:35
Mar, 06/17/2014 - 13:14
Mer, 06/18/2014 - 01:05

You are referring to generic/ripemd/rmd*.c, i believe (you should have made that clear) There's also generic/rmd*.c, which are libre. Now what I don't understand is why there are 2 different implementations of ripemd.

EDIT: The generic/rmd*.c seem to just be wrappers around the nonfree code. So either we should replace the nonfree code (I like that idea) or remove it like Fedora did. I could write an MIT/X11 licensed implementation if I have the time that is compatible with this nonfree one.

Ven, 06/20/2014 - 01:26

I started working on my free implementation of ripemd-160.
EDIT: I finished and will upload it later. It's a little faster than the nonfree implementation.

Ven, 06/20/2014 - 12:52

Here it is, both RIPEMD-128 and RIPEMD-160. Learned some stuff about hashing along the way.
EDIT: Strange that it didn't attach. I replied to the Debian bug and attached it.

AllegatoDimensione
ripemd.tar_.gz 3.05 KB
Ven, 06/20/2014 - 07:56
Stato:active» patch (needs review)

Love the idea if something proprietary just got replaced with something free! Thanks alot Legimet! Unfortunately I'm not qualified to say if you did a good job.

Changing status to reflect there is a patch. Dunno if I got it right.

I can't seem to be able to open that attachment, clicking it takes me to what looks like trisquel.info frontpage, albeit with a funny URL https://trisquel.info/files/issues/

Ven, 06/20/2014 - 12:51

The attachment system of this website has some issues. I attached it to a new message in that Debian bug.
RIPEMD-128 and 160 are publicly available algorithms, and a description is there on that page which mejiko linked to. (I wonder if the authors really intended to make it nonfree) So, there are many free implementations of it, and the package maintainer was going to use one fom OpenSSL. Other implementations would have required some porting to make them compatible with this one, so I just decided to make my own. It was pretty simple to implement, and I learned some stuff along the way.

There is another issue with this package which was resolved in Debian. [0] The source package has a copy of msvcrt.dll, a nonfree library from Windows. This should be removed.

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=685207

Ven, 06/20/2014 - 14:27
Stato:patch (needs review)» patch (needs work)

Also, I think we should make it "patch (needs work)" because it hasn't been fixed upstream yet, and someone will need to write a package helper.

Sab, 06/21/2014 - 21:58
Stato:patch (needs work)» patch (ready)

Fixed upstream in Debian, and package helper submitted to trisquel-devel. The helper just imports from Debian.

Dom, 06/22/2014 - 18:11

Legimet, what license are you using? It looks like the Expat license, but a bit different. The part which I am concerned about is this: "Permission is hereby granted, without written agreement and without license or royalty fees, to use, copy, modify, and distribute this software and its documentation for any purpose..."

It doesn't seem to say you can distribute modified copies, but correct me if I'm mistaken.

Lun, 06/23/2014 - 00:21

Usually I prefer GPL, but in this case tcl-trf itself was permissively licensed, so I decided to use its own license. I don't think the Expat license explicitly says you can distribute modified copies either, but it is generally interpreted as allowing it. (One notable exception is Pine, an old email client, because the University of Washington interpreted it as allowing modification but not distribution of those modified copies. [0]) However, the Expat license is almost always considered free, and this is pretty much the same thing.

Also, I changed the package helper to import from Ubuntu Utopic instead of Debian unstable.

[0] http://people.debian.org/~bap/dfsg-faq.html

Lun, 04/27/2015 - 14:35
Stato:patch (ready)» fixed
Lun, 05/11/2015 - 14:40
Stato:fixed» closed

Automatically closed -- issue fixed for 2 weeks with no activity.