[sclug] sclug Digest, Vol 93, Issue 14

Graham Swallow lists at information-cascade.co.uk
Wed Jun 22 15:33:22 UTC 2011


>> Squid can auth via digests and other methods, and all modern browsers
>> will support some of these options.  In order for squid to support ssl
>> you will need to recompile it yourself.  openssl is GPL rather than LGPL this
>> makes it difficult for distros to supply pre-built binaries (the
>> downside of choosing an incompatible license for a library component)
>> nobody has yet ported the code to gnutls which is not encumbered by this
>> 'linking transfers license' clause .... well the openssl compatibility
>> layer is still GPL, to force migration to the LGPL gnutls apis which is
>> just a touch bitchy.
>>

NO NO NO NO NO openssl is not GPL

The original license is close to BSD,
do what you will, but keep claims/credits to EAY+FEW,
and you CAN'T 'simply' put under GPL,
and (as always) patents may apply, etc.

This actually causes people to think of problems with GPL use.
They think 'it is not a library that comes with the OS' so cannot be used in GPL
without special permission (eg on WIN32), but that is disingenuous,
as 'the whole of the internet' comes with the OS, and openSSL
is not in a hidden corner of the internet.

Since then, the openSSL project has adopted and adjusted it.
So there is a second BSD-like license.

----

Re your company's need for security,
seems they want a series of projects with increasing cover,
and evaluations, until they find the cost/benefit sweet point.

I like the idea of VMs:

put the code on (subversion/GIT) in a DMZ
allocate each developer a VM-X11-desktop, where
iptables stops EVERYTHING except ... (checkout/vnc) ...
QEMU switches off EVERY port (that you can think of)
X11-VNC-server has all (extra facility) FTP switched off, maybe libvncserver
VNC is the only access to the VM-X11-desktop (with auth = ... )
put each developer on a REAL-desktop with VNC

Fundamentally, VNC uses pixel-bitmaps not text (except KBD and selection),
and is limited to the current screen (except X11-selection).

There might be several ways to break that,
(such as a port in QEMU you didn't think of, or access to the DMZ box),
my approach would be to make a tarball-NOT-compressed-base64
then page that, taking VNC snapshots, then OCR it.
I would need a VNC program to automate the PgDn-Snapshot-loop.
It can't simply be compressed, as a single loss would lose the tail of
the stream,
but re-syncing every file or megabyte of the tarball would allow compression.

Then focus on the REAL-developer-VNC boxes,
and evaluate the loss of small screenshots, -vs- wholesale bulk loss of tree.
Copy+Paste is probably needed in (and out), evaluate that.

Graham
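
An added example, not part of the original post: one way to check that a developer VM's firewall really does stop everything except checkout and VNC, by auditing its `iptables-save` output. The ports, the DMZ host address 192.0.2.10 and the sample ruleset are assumptions constructed for illustration.

```python
import shlex

# Assumptions, not from the post: VNC on tcp/5900; the DMZ repository host is
# 192.0.2.10, reached over tcp/3690 (svn) or tcp/22 (git over ssh).
ALLOWED_IN = {("tcp", "5900")}
ALLOWED_OUT = {("192.0.2.10/32", "tcp", "3690"), ("192.0.2.10/32", "tcp", "22")}
REPLY_STATES = {"RELATED", "ESTABLISHED"}

# Constructed `iptables-save` output for one developer VM; the last rule is a
# deliberately stray ACCEPT for the audit to catch.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5900 -j ACCEPT
-A OUTPUT -d 192.0.2.10/32 -p tcp -m tcp --dport 3690 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
COMMIT
"""

def audit(ruleset):
    """Return findings for the filter table; an empty list means default-deny holds."""
    findings, table = [], None
    for line in ruleset.splitlines():
        if line.startswith("*"):          # table header, e.g. "*filter"
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":"):        # chain policy, e.g. ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            if chain in ("INPUT", "FORWARD", "OUTPUT") and policy != "DROP":
                findings.append(f"{chain} policy is {policy}, expected DROP")
        elif line.startswith("-A "):
            tok = shlex.split(line)
            opt = {t: tok[i + 1] for i, t in enumerate(tok[:-1]) if t.startswith("-")}
            chain, key = opt["-A"], (opt.get("-p"), opt.get("--dport"))
            ok = (opt.get("-i") == "lo" or opt.get("-o") == "lo"
                  or set(opt.get("--ctstate", "NEW").split(",")) <= REPLY_STATES
                  or (chain == "INPUT" and key in ALLOWED_IN)
                  or (chain == "OUTPUT" and (opt.get("-d"),) + key in ALLOWED_OUT))
            if opt.get("-j") == "ACCEPT" and ("!" in tok or not ok):  # negated matches always flagged
                findings.append(f"unexpected ACCEPT: {line}")
    return findings
```

IPv6 rules live in a separate ruleset, so the same audit would need running over `ip6tables-save` output with its own allow-list.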


