GNOME Bugzilla – Bug 305216
gnome-terminal violates code license
Last modified: 2005-07-26 17:29:06 UTC
Use of md2.c in gnome-terminal violates its copyright, which "is granted for non-commercial Internet Privacy-Enhanced Mail". Files md.c, md2.c, md4.c and md5.c contain an advertisement clause ("RSA Data Security, Inc. MD2/4/5 Message-Digest Algorithm" in all material mentioning or referencing this software). And I am not sure whether it can be linked with GPL code into one binary.
I agree that this bug should be fixed. I took a quick stab at this. I'm attaching a patch that removes all the RSA copyrighted stuff and changes it with implementations from the mhash-library (LGPL - md4,md5) and from matrixSSL (GPL ver. 2 only - md2). It's a very quick compile-only tested thing. If people agree on the approach and on the chosen implementations I'll clean it up a little and give it a good test. Suggestions on preferred implementations or the like are very welcome of course.
Created attachment 48178: Patch that changes the copyrighted md* implementations to free ones
I agree this should be committed as soon as we're sure it works. I think some of the Red Hat guys actually use s/key so we might get them to test this.
Jonathan, this is the bug where there's a patch to switch to a non license-encumbered implementation of md[245] in gnome-terminal. Please comment on the patch.
Okay, actually got around to read up how this all is supposed to work :) I've cooked up a better patch. It works here even though I haven't had the time to test the OT-Password in a true proper S/Key environment. I've removed the md2 algorithm, as it wasn't used anyhow (md4 is the one compiled in by default) and it segfaulted here when tried. If people scream I can re-add it (haven't done it right now right away, because MD2Context is substantially different from MD4 and MD5, and it'd take me a bit more to shoehorn it in, whereas I think this is rather urgent). As usual, comments are appreciated. Here's the ChangeLog: +2005-07-05 Michele Baldessari <michele@pupazzo.org> + + * configure.in: Add AC_C_BIGENDIAN check for new md4,md5 routines + + * src/skey/Makefile.am + * src/skey/donkey.c: Added a small testing program + + * src/skey/mhash_md4.h + * src/skey/md4.c + * src/skey/mhash_md5.h + * src/skey/md5.c: Fixed #305216 and replaced non-free md4/5 + with public domain ones taken from the mhash library. + md4 is LGPL copyrighted by Nikos Mavroyanopoulos, and md5 + is written by Colin Plumb and is in the public domain. + Removed md2 in the process since it was segfaulting in the original + implementation anyhow and it would require more work to fit it in for + little need. Drop me a note if you need it and I'll add support for it. + + * src/skey/md2.c: Removed
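Review bot: the src/skey/md4.c and md5.c entry first says the non-free md4/5 were replaced "with public domain ones taken from the mhash library" and then, in the next sentence, that md4 is LGPL and copyrighted by Nikos Mavroyanopoulos. Both cannot hold for md4, and since this change exists to fix a license problem the entry should state each file's license precisely, for example "replaced non-free md4/5 with free implementations from the mhash library" followed by the per-file license lines. The md2 removal is recorded twice (in this entry and under src/skey/md2.c); the explanation would be easier to find if it sat only with the md2.c line.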
Created attachment 48651: Skey license fix
We use skey at redhat, so I tried this. It didn't let me log in, so I thought it was a problem with the patch. However, I then tried without it, and that didn't work either. I haven't tried this in a while, as I normally use the skey commandline app, however I know it has worked in the past...
Hi Alexander, I'll try to set up an s/key environment as soon as I can and test it there. If you have some tips/rpms/links to point me to, to set up this stuff, I'd be most grateful, since my google searches haven't been too conclusive (maybe I'm using the wrong keywords). Thanks for your time
Ok, went through RFC 1760 and RFC 2289 and I see where things are wrong. I'll fix this in the upcoming week(s).
If the license isn't correct, it's not a matter of whether or not it works, right? If the RH guys use the functionality, then the burden is on them to fix it. We shouldn't be shipping improperly licensed code just because it makes their lives more convenient... (sorry to shit on the parade, guys :)
Okers, here's an updated patch, this time I set up an s/key environment and tested it too (both on x86 and ppc so no big/little endian problems should show up). I've also added a testskey program that goes through the test vectors of md4/md5 and sha1 in appendix A of rfc 2289 and they all pass. So I think it's good to go now (not that that many people will ever use this stuff :)) Once this goes in, I'll post the five-line patch to get us proper recent OTP (one time password s/key rfc 2289) support. Here's the ChangeLog:
2005-07-12 Michele Baldessari <michele@pupazzo.org>
* configure.in: Added AC_C_BIGENDIAN check
* src/skey/donkey.h, src/skey/donkey.c, src/skey/md2.c
* src/skey/tailor.h, src/skey/config.h: Removed due to license issues (#305216)
* src/skey/md5.c, src/skey/md5.h, src/skey/md4.c
* src/skey/md4.h, src/skey/sha1.h, src/skey/sha1.c: Added new non-license violating implementations for these hashes algorithms. MD4 and MD5 are taken from the mhash library which in turn are based on public domain implementations by Colin Plumb. SHA1 is from the public domain implementation of Steve Reid.
* src/skey/skey.c, src/skey/skey.h, src/skey/skeyutil.c,
* src/skey/skeyutil.h: Reimplementation from scratch of the previous S/Key support (RFC1760). Removed MD2 support and added SHA1 support, in order to be able one day to support RFC2289.
Created attachment 49066: New clean reimplementation of s/key support
Confirmed that the skey functionality works with the latest patch against CVS. The src/skey/Makefile.am needs to be cleaned up a little bit though, it's spewing some icky errors:
src/skey/Makefile.am:43: variable `md4_LDFLAGS' is defined but no program or
src/skey/Makefile.am:43: library has `md4' as canonic name (possible typo)
src/skey/Makefile.am:51: variable `md5_SOURCES' is defined but no program or
src/skey/Makefile.am:51: library has `md5' as canonic name (possible typo)
src/skey/Makefile.am:44: variable `md4_SOURCES' is defined but no program or
src/skey/Makefile.am:44: library has `md4' as canonic name (possible typo)
src/skey/Makefile.am:58: variable `sha1_SOURCES' is defined but no program or
src/skey/Makefile.am:58: library has `sha1' as canonic name (possible typo)
src/skey/Makefile.am:50: variable `md5_LDFLAGS' is defined but no program or
src/skey/Makefile.am:50: library has `md5' as canonic name (possible typo)
src/skey/Makefile.am:57: variable `sha1_LDFLAGS' is defined but no program or
src/skey/Makefile.am:57: library has `sha1' as canonic name (possible typo)
Created attachment 49244: New s/key reimplementation with Makefile.am cleanup
We've got this tested now, right? Any reason it hasn't gone in yet?
Lack of someone committing it, since Kjartaan is on vacation... that's pretty much the issue ATM ;)
This went in, so we can close it. Thanks to everyone who chimed in