On 16/05/2016 7:20 p.m., Matus UHLAR - fantomas wrote:
>>> Tim Bates wrote 2016-05-14 14:36:
>>>
>>> Are there any Linux distros with pre-compiled versions of Squid with SSL
>>> Bump support compiled in?
>>>
>>> Alternatively, does anyone reputable do a 3rd party repo for
>>> Debian/Ubuntu that includes SSL Bump?
>
>>> On 16.05.16 10:36, admin wrote:
>>>> I make deb's compiled squid in Debian 8:
>>>> 3.5.8
>>>> 3.5.17

Please update those to 3.5.19. A dozen CVEs went out these past few
months. :-(

>>>> 4.0.10
>
>> Matus UHLAR - fantomas wrote 2016-05-16 11:55:
>>> OpenSSL?
>
> On 16.05.16 12:05, admin wrote:
>> Yes
>
>> Can send to email if needed
>
> I just wanted to point out that distributing GPL'ed software (squid)
> depending on (linked with) non-GPL/LGPL libraries is AFAIK a GPL violation
> and therefore illegal copying...

What is being attempted above is not a GPL violation AFAIK. So long as
the Squid ./configure && make system is used to construct the binary and
Squid source is not altered in any way by the builder.

* GPL permits linking against OpenSSL because both softwares' sources are
  available publicly.

* It is a GPL violation to distribute the OpenSSL and Squid sources together
  as parts of something else. In source form.

Thus distributors like Diladele can provide binary-only formats with no
source changes to Squid or OpenSSL. Each component of the offering is
publicly available (GPL compliant) and the pieces of OpenSSL, Squid and
the packaging source code are distributed via separate channels (OpenSSL
compliant).

Debian and Ubuntu distribute sources of all binaries as part of their OS
repository. The very act of adding package install scripts causes the
issue here. The repository would contain all of Squid + OpenSSL +
packaging scripts source code.

But, but, but....

* It is an OpenSSL violation to distribute any binary that does not
  advertise OpenSSL usage. In the binary outputs, even those not using
  OpenSSL logic (Ouch!).
  Unless the OS provides the library as part of its core system.

Debian and Ubuntu use GnuTLS as the system preferred library. OpenSSL
license not being GPL compliant also makes it not DFSG compliant and so
not part of the core OS repository. It and anything using it are in the
non-free optional extras repository instead. There are some suggestions
to build and put a version of Squid in there. But that still collides
with the previous GPL issue about sources being together in the repo.

Adding advertising clauses in the way required by OpenSSL would make
Squid binaries no longer be GPL compliant unless we got explicit written
permission from everyone who contributed patches. A lot of contributors
have long-dead emails, requested anonymity or some in fact are now
physically deceased. So we are stuck at our end as well even with that.

I am working on GnuTLS support as a side project, and the OpenSSL people
are apparently working on fixing their license to be GPL compliant. It
is a lot of work and going quite slow on both fronts. You can see some
of my work reflected in the squid.conf changes of Squid-4, and the
latest Debian/Ubuntu squidclient packages :-)

Amos