DB design document

Christopher Browne cbbrowne@hex.net
Fri, 15 Dec 2000 21:47:20 -0600


On 15 Dec 2000 18:29:12 EST, the world broke into rejoicing as
Derek Atkins <warlord@MIT.EDU>  said:
> FTR, Debian currently ships OpenSSL (at least in non-us).  So, if
> Debian is willing to ship it, I don't see the problem.  We are not
> creating a derivative work of OpenSSL, we would be using the OpenSSL
> library (which is not the definition of derivative work).
> 
> I can't believe that people are being so religious about free software
> that they aren't willing to use free software of another "flavor".  I
> suppose different people have different views of what "free" means,
> but I'm actually offended that people are willing to live without
> security (or with less security) due to religious beliefs about the
> definition of free.

The point is to start off by being careful so that there aren't
problems later.

A big chunk of the KDE "licensing war" arose from their assuming that
it was OK to mix together licenses that weren't _clearly_ compatible.
Throw in some "language zealots" that hate C++, and people with
paranoid fantasies about Troll Tech being "The Next Microsoft," and a
dollop of tabasco sauce, and you get the jolly gumbo of flamage that has
been seen over the last couple of years. Then throw in for good measure
that much of the KDE development was done in Germany, and that some of
the KDE folk were ready to claim de facto "standard" status, and the
opportunities to invoke Godwin's Law are just spectacular...

Now, for all that flameworthiness, it is important _not_ to lose sight
of the consideration that there was a _legitimate_ licensing question.
Just because some yahoos decided to flame KDE for _stupid_ reasons 
does not make that go away.

The GPL is _not_ compatible with "anything that anyone might _think_
reasonable," and so the software proposed for use with GnuCash _must_
be vetted to make sure that the licensing is compatible.

My reading of the OpenSSL license is that it _ought_ to be compatible
with that of GnuCash, so long as some care is taken to make sure that
it stays as a distinct library.  It would be sensible to link it
dynamically, which minimizes the connections.

> I'll take a look at other security solutions, but I will insist that
> security be linked into "networked-GnuCash", regardless of the actual
> security toolkit that we decide to use.

I would tend to think that the Right Solution is likely to network using
CORBA, and take advantage of the SSL integration that is under way.
That is currently Under Construction; hopefully available Real Soon Now.

The main point is that it would probably be more economical of time
to work on ORBit-ssl so it gets available faster than it is to build
something that largely replicates it, with the results of duplicated
effort and of pushing a whole lot of SSL details into GnuCash.
--
(concatenate 'string "cbbrowne" "@ntlug.org")
<http://www.hex.net/~cbbrowne/>
Do Roman paramedics refer to IV's as "4's"?