From owner-freebsd-current Sat Feb 19 17:35:51 2000
Delivered-To: freebsd-current@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP
	id 928C237BD45; Sat, 19 Feb 2000 17:35:48 -0800 (PST)
	(envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id RAA95727;
	Sat, 19 Feb 2000 17:35:48 -0800 (PST)
	(envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Sat, 19 Feb 2000 17:35:48 -0800 (PST)
From: Kris Kennaway
To: "Jordan K. Hubbard"
Cc: Victor Salaman, freebsd-current@FreeBSD.org
Subject: Re: openssl in -current
In-Reply-To: <41481.951002195@zippy.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 19 Feb 2000, Jordan K. Hubbard wrote:

> > It already does this if you get your crypto from internat. US mirror sites
> > only carry the neutered (no-RSA) version, but internat carries RSA and
> > builds it conditional on USA_RESIDENT.
>
> And why don't the USA sites have the RSAREF version? I'm still not
> sure I understand the compartmentalization here.

I meant they don't carry RSA cryptographic code. They carry the interface
stubs which enable it to link against rsaref if present, and to use rsaref
to provide the RSA crypto. Building with rsaref can't be the default case,
because it's restrictively licensed and not legal for some people to use.

> > 2) if you don't build with any sort of RSA (i.e. USA_RESIDENT == YES and
> > you don't have the rsaref package installed) then you don't get
> > include/rsa.h but get everything else "standard".
>
> It's this rsaref thing that's hanging me up. Why is it either on
> or off vs on from location A or on from location B?

If you do nothing, just build with the default sources or install the
default binaries, you don't get any RSA. Similarly if you install the
openssl-norsa package (e.g. if you want to revert from openssl-rsaref).

If you install rsaref via port/package, and then rebuild, you'll get an
rsaref-enabled openssl. If you install the openssl-rsaref package on a
fresh system, it will pull in a dependency on rsaref and you get the same
thing. This is what people who don't want to rebuild from sources, but who
need RSA functionality (and pass the rsaref license) should do after
installation (or during installation, if sysinstall would support it). The
system should be prompting them to do this if they forget and try and
install an openssl port which needs RSA (this is seemingly not working).

It's really quite simple :-)

> > Did you ever hear back from the lawyers about whether (and how) we can
> > freely distribute openssl (and other stuff) from the US? Apart from that
> > it does just reduce to the case of keeping the patent lawyers happy by
> > keeping the patented code away from US people.
>
> The lawyers haven't been willing to say anything about this right now,
> citing too large of a caseload to even begin untangling the Clinton
> administration's current position.

Okay, thanks.

Kris

----
"How many roads must a man walk down, before you call him a man?"
"Eight!"
"That was a rhetorical question!"
"Oh..then, seven!" -- Homer Simpson