From owner-freebsd-security Tue Nov 12 14:52:36 1996
From: Bill Paul
Message-Id: <199611122251.RAA23543@skynet.ctr.columbia.edu>
Subject: Re: Secure RPC revisited
To: freebsd-security@freebsd.org
Date: Tue, 12 Nov 1996 17:51:47 -0500 (EST)
Sender: owner-security@freebsd.org

Well, I got tired of wondering about how Redhat was able to ship Secure RPC with their distribution, so I asked them (via the 'feedback' selection on their web site). This is what they said:

---begin snippage:

To: wpaul@ctr.columbia.edu
Subject: Re: http://www.redhat.com/
In-reply-to: Your message of "Tue, 12 Nov 1996 19:16:32 GMT." <199611121916.TAA06823@www.redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 12 Nov 1996 16:24:17 -0500
From: RHS Linux User

Thank you for your interest in Red Hat Software.

The version of the RPC that we have on our CDs is licensed on the GNU and is therefore freely available and usable to all users.

Best Regards
Red Hat Software

----end snippage

I think he's trying to say that their code is covered by the GNU copyleft (presumably as part of their entire 'product' which in this case would be their Linux distribution). I don't think they can say that, since the SunRPC code is already copyrighted by Sun Microsystems.
It also doesn't address the fact that the GNU copyleft offers no protection whatsoever against the (admittedly stupid) US export laws that forbid exporting DES code.

I think I'm going to try to bump this along to the next idiot in the chain and see what they have to say about this.

-Bill

PS: Is there a non-US person around with a Redhat Linux CD-ROM set handy? If so, can you check to see whether your version of libc has Secure RPC and DES? (Do an 'nm /usr/lib/libc.a | grep des' and look for 'des_impl.o' which is the object that has the _des_crypt() function in it. If you see that, then you have DES. If you have 'auth_des.o' then you have Secure RPC.) I'm starting to wonder if maybe the Redhat people may have put their foot in it.

--
=============================================================================
-Bill Paul            (212) 854-6020 | System Manager, Master of Unix-Fu
Work:         wpaul@ctr.columbia.edu | Center for Telecommunications Research
Home:  wpaul@skynet.ctr.columbia.edu | Columbia University, New York City
=============================================================================
 "If you're ever in trouble, go to the CTR. Ask for Bill. He will help you."
=============================================================================