[Chicken-hackers] Re: Backdoor GPL in message-digest

[Kon Lovett]

On Aug 23, 2010, at 7:48 AM, Jim Ursetto wrote:

> Kon,
>
> The addition of the GPL-3 format-compiler-base to check-errors in SVN
> r19227 has tainted amb, apropos, box, directory-utils,
> err5rs-arithmetic, list-utils, locale, lookup-table, macosx, mailbox,
> message-digest, moremacros, multimethod, pandora,
> procedure-description, remote-mailbox, sqlite3, srfi-19, srfi-27,
> srfi-29, srfi-41, srfi-45, stack, string-utils, symbol-utils, and
> synch.

Assume a component of package A uses something that is GPL'ed, but no  
other component in that package uses the GPL tainted component (it is  
"just along for the ride"). Then all components of package A are  
tainted?

Doesn't this reasoning lead to the absurd conclusion that any software  
installation with a GPL'ed component somewhere is tainted? Or is it  
just the act of packaging? Then the Chicken svn repo is tainted since  
it can be delivered as a package?

Obviously I don't know what constitutes a "package" in this context.

> Primarily we are concerned about message-digest because it taints sha1
> and from there, qwiki and http-session.  For example, see
> http://tests.call-cc.org/2010/08/23/salmonella-report/dep-graphs/qwiki.png
> .
>
> We'd appreciate it if you would remove this dependency.

Done.

> Thanks,
> Jim

Best Wishes,
Kon

P.S. err5rs-arithmetic is not released & multimethod probably will  
never have a release.