[Fedora-legal-list] Re: Legal Problem: md5 implementation

Tom "spot" Callaway tcallawa at redhat.com
Tue Sep 18 13:36:03 UTC 2007


On Tue, 2007-09-18 at 12:25 +0200, Enrico Scholz wrote:
> Enrico Scholz <enrico.scholz at informatik.tu-chemnitz.de> writes:
> 
> >> Some of Fedora's packages are using an MD5 implementation which is under
> >> a GPLv2/v3 incompatible license, specifically, the RSA implementation
> >> which is under BSD with advertising.
> >> ...
> 
> http://www.ietf.org/ietf/IPR/RSA-MD-all states
> 
> |         Implementations of these message-digest algorithms, including
> | implementations derived from the reference C code in RFC-1319, RFC-1320,
> | and RFC-1321, may be made, used, and sold without license from RSA for
> | any purpose.
> 
> This seems to allow relicensing with any license (including GPL), doesn't
> it?

Yes, but the way it is worded is specific. You may make MD5
implementations based on the RFC code, use them, and even sell them
without license from RSA.

HOWEVER: RSA did make an MD5 implementation, which is under their
license (a BSD with advertising style license). If your code is using
that implementation, we need to replace it with an MD5 implementation
that is under a GPL compatible license.

You could write the implementation yourself, or you can use an existing,
GPL compatible implementation (coreutils has a well tested one), but you
cannot use the RSA implementation (in GPL/LGPL licensed code).

Mutt recently did this conversion:

http://dev.mutt.org/hg/mutt/rev/4ade2517703a

It should be applicable to most (if not all) uses of the RSA
implementation.

~spot



