This is the mail archive of the cygwin-apps@cygwin.com mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: Possible legal problem with ccrypt? [Was: Re: Pending PackagesList, 2004-02-13]

From: Nicholas Wourms <nwourms at netscape dot net>
To: cygwin-apps at cygwin dot com
Date: Sun, 22 Feb 2004 17:53:47 -0500
Subject: Re: Possible legal problem with ccrypt? [Was: Re: Pending PackagesList, 2004-02-13]
References: <20040213170003.12333.qmail@sources.redhat.com> <4035C6C2.40102@lapo.it> <4038F775.20503@gmx.net> <20040222190758.GA10086@redhat.com> <40391EAA.2000500@netscape.net> <20040222215448.GC10086@redhat.com>

cgf wrote:

On Sun, Feb 22, 2004 at 04:27:06PM -0500, Nicholas Wourms wrote:
cgf wrote:
On Sun, Feb 22, 2004 at 07:39:49PM +0100, Andreas Seidl wrote:
However, a new problem might have popped up. Reading this thread
http://www.cygwin.com/ml/cygwin/2004-02/msg01103.html
I wonder if there are legal problems for RedHat to distribute the ccrypt package?
Next time, please keep it to yourself.
I'm sure you wouldn't enjoy it if Red Hat was taken to task for
something that could have been caught early, decided that cygwin wasn't
worth the hassle, and pulled it from sources.redhat.com.

No, I wouldn't, but I didn't intend on that being the only statement. Consider this: The gpg which we distribute contains the *exact* same cipher, AES{128,192,256}, as ccrypt plus gpg also has twofish & blowfish. The last time I checked, those two were also considered "strong" encryption ciphers. Moreover, gpg can be used encrypt and decrypt streams like ccrypt so, in a sense, they share similar functionality. That's where I see the disconnect. Does this mean we should ditch gpg as well or distribute a version with < 128bit ciphers? Frankly, I don't see why we should disqualified ccrypt because someone "thinks" it might be a problem. Is it *really* a problem?

By his standard, RedHat has been breaking the law for years now, which leads me to conclude that either: A)The authorities don't care. B)Red Hat doesn't care. or C)RedHat already has filed the necessary paperwork to allow it to distribute binaries with strong encryption.

But, hey, thanks for clarifying just whom I can trust to be watching out
for the project's interests.

Hey, you certainly have a right to your opinion. The reality is that I was trying to paste some text and accidentally sent that message before it was complete. This reply contains some of the arguments I was planning on including in that message to debunk his theory. Oh well, that's all water under the bridge, believe what you want to believe... I suppose I'll never get a gold star now ;-).


Cheers,
Nicholas

[1] The output of `gpg --help`:
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA, ELG
Cipher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH
Hash: MD5, SHA1, RIPEMD160, SHA256
Compression: Uncompressed, ZIP, ZLIB

Follow-Ups:
- Re: Possible legal problem with ccrypt? [Was: Re: Pending Packages List, 2004-02-13]
  - From: Christopher Faylor

References:
- Pending Packages List, 2004-02-13
  - From: Daniel Reed
- Re: Pending Packages List, 2004-02-13
  - From: Lapo
- Possible legal problem with ccrypt? [Was: Re: Pending Packages List,2004-02-13]
  - From: Andreas Seidl
- Re: Possible legal problem with ccrypt? [Was: Re: Pending Packages List, 2004-02-13]
  - From: Christopher Faylor
- Re: Possible legal problem with ccrypt? [Was: Re: Pending PackagesList, 2004-02-13]
  - From: Nicholas Wourms
- Re: Possible legal problem with ccrypt? [Was: Re: Pending Packages List, 2004-02-13]
  - From: Christopher Faylor

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]