[Fedora-legal-list] Re: Legal Problem: md5 implementation

Thorsten Leemhuis fedora at leemhuis.info
Tue Sep 18 07:02:23 UTC 2007


On 17.09.2007 22:30, Tom "spot" Callaway wrote:
> Some of Fedora's packages are using an MD5 implementation which is under
> a GPLv2/v3 incompatible license, specifically, the RSA implementation
> which is under BSD with advertising.

Uhhpps.

> http://www.tux.org/pub/security/md5/md5.c

The requested URL /pub/security/md5/md5.c was not found on this server.

> http://www.tux.org/pub/security/md5/md5.h
> 
> We've identified packages which are possibly using this implementation,
> and all maintainers are on CC. Please take a moment to look at your
> packages and check to see if this md5 implementation is used.
> [...]
> mail-notification
> [...]
> 
> If your package is on this list, please email me back and let me know
> once you've checked the md5 implementation. If it is the RSA
> implementation, we're going to need to replace it (coreutils has a GPL
> compatible implementation that should be a drop in). 

My package mail-notification is GPL and uses it. :-/

But why are "*we* going to need to replace it"? Is the issue so urgent
that there are not even 24 or 72 hours to talk to upstream to make them
aware of the issue first? Then maybe upstream can fix it quickly once
and for all and for all distributions? Or are we not allowed to talk
about this in public bug trackers?

CU
knurd



