On Tue, 2007-09-18 at 12:25 +0200, Enrico Scholz wrote:
> Enrico Scholz <enrico.scholz@xxxxxxxxxxxxxxxxxxxxxxxxx> writes:
>
> >> Some of Fedora's packages are using an MD5 implementation which is under
> >> a GPLv2/v3 incompatible license, specifically, the RSA implementation
> >> which is under BSD with advertising.
> >> ...
>
> http://www.ietf.org/ietf/IPR/RSA-MD-all states
>
> | Implementations of these message-digest algorithms, including
> | implementations derived from the reference C code in RFC-1319, RFC-1320,
> | and RFC-1321, may be made, used, and sold without license from RSA for
> | any purpose.
>
> This seems to allow relicensing with any license (inclusive GPL), doesn't
> it?

Yes, but the way it is worded is specific. You may make MD5
implementations based on the RFC code, use them, and even sell them
without license from RSA.

HOWEVER: RSA did make an MD5 implementation, which is under their
license (a BSD with advertising style license). If your code is using
that implementation, we need to replace it with an MD5 implementation
that is under a GPL compatible license. You could write the
implementation yourself, or you can use an existing, GPL compatible
implementation (coreutils has a well tested one), but you cannot use the
RSA implementation (in GPL/LGPL licensed code).

Mutt recently did this conversion:
http://dev.mutt.org/hg/mutt/rev/4ade2517703a

It should be applicable to most (if not all) uses of the RSA
implementation.

~spot