lynx-dev Re: Question about Lynx and SSL

[David Woolley]

> I'm on a project where the client wants to have our internet application
> supported by Lynx on various platforms including, Unix, Linux, Win 95, 98, NT,

Sounds like commercial use.

> and Win 2000.  I'm looking for binary files for Lynx that contain SSL support.
> I have seen on various websites installation instructions on how to implement
> the patch for SSL,but I'd prefer to find a site with the binaries.

SSL depends on RSA.  RSA is patented.  Software is patentable in the
USA and some other countries have agreed to honour US software patents
(not Europe, but there is pressure being applied).  The RSA patent
holders require royalties to be paid for commercial use.

Lynx is licensed under the GPL and only the GPL.  Clause 7 of that licence
voids the licence if royalties would be have to be paid for any
possible distribution.  There is therefore no valid licence under which
SSL Lynx can be distributed in the USA, or any other country which respects
US software patents++ - i.e. SSL Lynx is pirate software when redistributed,
although not when created from source, by the end user.

Clause 8 allows a partial let out, which basically allows a work created
in a country which doesn't have intellectual property conflicts to be
distributed under a clause which forbids distribution to ones with the
conflict, e.g. a UK developer could probably (IANAL) create an GPLed
SSL implementation, but would have to forbid distribution to the USA,
Japan, etc.  The wording doesn't appear to allow clause 8 to a derived
work of a work which did not already have it applied.

I WOULD STRONGLY ADVISE YOU TO GET PROFESSIONAL LEGAL ADVICE, ESPECIALLY
IF YOU ARE IN THE USA, AS INDICATED BY YOUR TIMEZONE, ALTHOUGH ac.com
ALSO HAS OFFICES IN THE UK.  It is possible that you could create an
SSL Lynx for your client if you are acting as their agent, rather than
their supplier, but you *should* confirm that with your legal adviser.
You cannot follow the standard US instructions (OpenSSL + RSAREF) as
RSAREF may not be used commercially.  Obviously you cannot follow the
non-US instructions (pure OpenSSL), within the US, as that would violate
the patent.

There is no single "legal" or natural person that owns the copyright on
Lynx, so negotiating an alternative licence is likely to be inpracticable.

The RSA patents expires quite soon.

There are proxies that will apply SSL to to proxied https (i.e. not the
normal CONNECT method proxy, but a GET or POST, etc., with an https:
URL).

++ and, unless clause 8 can be applied to a derived work, the licence is
also void in every other country.