Re: LYNX-DEV SSL for Lynx 2.8

[Mark Mentovai]

On Sun, 8 Mar 1998, T.E.Dickey wrote:

> I did a test-build (haven't had time to see how to connect & run this,
> but that's nothing new...).  I noticed that the VMS scripts aren't there
> yet (the diffs are relatively small, so it should be easy to make those
> for 2.8).

That's right - the tar.gz, tar.Z, and full archive .zip (not just the
patch files) contain buildssl.com and libmakessl.com.  I didn't set it up
to overwrite or patch up the existing build.com or libmake.com - although
I could add this with ease.  Hmm...

> I'm a little puzzled:  there's nothing in the patches that imho should be
> restricted/secure since all of the work is done in the (not included)
> SSLeay library.  Can anyone explain why Fote didn't simply add the ifdef's
> to 2.7.2?

I asked the same question a long time ago.  I maintained that the hooks
alone contained no crytographic code themselves, merely the code used by
Lynx to hook it into the SSLeay library.  (Hence the name hooks.)  The
SSL-specific stuff is already inside #ifdef USE_SSL blocks, so it wouldn't
be hard at all to just supply Lynx with the patches intact and tell people
to define USE_SSL and set up the libraries appropriately in their
makefile.  I think some people that probably didn't understand what I was
saying yelled at me saying that I would be responsible for sending the
development team to prison, or something like that.  I don't believe them.
There was also another group of people who said that that couldn't be done
because the GPL prevented it.  Apparently, there's a clause in the GPL
that says something like if all features of a program are not available
internationally, they can't be included.  In my opinion, though, providing
the hooks to link to the SSL library would not be a breach of this -
people internationally -CAN- link to the SSL library - it's just important
to note that to stay legal, their SSL library must have the appropriate
RSA code for their locale.  SSL is an optional feature, so if people don't
want it, they won't get a crippled Lynx, but if they do, it's available to
everyone.  (Except citizens of France and probably a few other countries
with even stricter regulations than the US, where strong cryptography is
banned outright.  But we can't expect to have to limit the software's
functionality just because of a few repressive governments.  I'm not an
expert on the GPL, though...although if the GPL is being too restrictive, 
maybe it's time to distribute Lynx under a different license agreement.)

Maybe the best idea - at least for now - is to put something in the
installation document or the makefile, or both, that clearly sets forth
the whole idea behind SSL, how it can be added to Lynx, and where the
patches are obtainable.

-Mox

--
Mark Mentovai
address@hidden
http://www.moxienet.com/