[Pkg-clamav-devel] clamav 0.98.3 released

Fri May 9 21:31:28 UTC 2014

Hi,

On 09.05.2014 23:18, Sebastian Andrzej Siewior wrote:
> On 2014-05-09 22:41:44 [+0200], Andreas Cadhalpun wrote:
>> On 09.05.2014 22:01, Andreas Cadhalpun wrote:
>>> I'm currently looking at updating debian/copyright.
>>
>> I think we have a major problem here: None of clamav's reverse-dependencies
>> (c-icap-modules, dansguardian, havp, python-clamav) have an OpenSSL
>> exception.
>>
>> I have no clue about how to procede, now that clamav depends on openssl.
>>
>> Any ideas?
>>
>> Besides COPYING contains:
>>              REGARDING OPENSSL
>>
>>   In addition, as a special exception, the copyright holders give
>>   permission to link the code of portions of this program with the
>>   OpenSSL library under certain conditions as described in each
>>   individual source file, and distribute linked combinations
>>   including the two.
>>
>> I'm not sure, if this is a wide enough exception, particular as many files
>> (in the libclamav directory) include OpenSSL headers, but only a few (e.g.
>> crypto.c and crypto.h) have an OpenSSL exception in the file, as required by
>> above general notice. And even in those files this exception doesn't explain
>> the 'certain conditions', but is rather a copy of above notice.
>>
>> I'm no lawyer, but this seems to be problematic.
>
> This is just great. Why didn't they use gnutls / libgcrypto library?
> I've been lookin at reverting that openssl crypto patch, it looks like a
> big mess but I think mostly because even those which are unrelated. They
> also use the openssl code in 7z for instance. Not sure how much of this is
> okay.
> Mommy?

Maybe we could replace OpenSSL with gnutls?
 From the Changelog:
  * Replace in-house crypto code (md5, sha1, sha256 hashing algorithms) 
with calls to OpenSSL. This makes OpenSSL a required dependency for the 
engine.

I guess gnutls has quite similar functionality?
But I don't know, how difficult it would be to switch.

Best regards,
Andreas