[Privoxy-devel] Improving Privoxy packages for Windows

Fabian Keil fk at fabiankeil.de
Sun Dec 13 04:31:26 UTC 2020 

Lee <ler762 at gmail.com> wrote on 2020-12-12:

> On 12/12/20, Fabian Keil <fk at fabiankeil.de> wrote:
> > Fabian Keil <fk at fabiankeil.de> wrote on 2020-11-19:
> >
> >> Lee <ler762 at gmail.com> wrote on 2020-11-18:

> >> It would be great if future Privoxy binaries for Windows would
> >> use a recent and dynamically-linked pcre version so we can finally
> >> ditch the obsolete pcre copy in git (TODO item #142).
> >>
> >> Once we have figured out how to ship Brotli and MbedTLS
> >> libraries adding another one is probably trivial.
> 
> I probably could have done better with the wording of my original message.
> I don't have a problem with shipping the libraries; building & linking
> them with Privoxy is where I fall down :(  If you recall, you had to
> help me with how to link privoxy with mbedtls.

I sort of have a problem with shipping libraries from third parties and
would prefer to avoid it where possible as avoiding it makes license
compliance easier.

> >> We can't use OpenSSL on Windows because the "special exception"
> >> from section 3 of the GPLv2 does not apply.
> 
> Not that it's ready for use, but how about OpenSSL v3?
> https://www.openssl.org/source/license.html
>   For the 3.0.0 release, and later releases derived from that, the
> Apache License v2 applies. This also applies to the git "master"
> branch.

Note that serious concerns have been raised about how the "relicensing"
was done. One relevant thread I remembered well enough to find it again is:
https://marc.info/?l=openbsd-tech&m=149028593819547&w=2

The OpenSSL people seem to have done the relicensing in
Jörg-Schilling style without contacting all the copyright
holders.

There's an OpenSSL blog post that says:
| So far, about 40% of the people have responded. For a project that
| is as old as OpenSSL (including its predecessor, SSLeay, it’s around 20 years)
| that’s not bad. We’ll be continuing our efforts over the next couple
| of months to contact everyone.
[...]
| The whattoremove script finds the users who refused, and all commits 
| they were named in.
https://www.openssl.org/blog/blog/2017/06/17/code-removal/

Note that it says "users who refused" and does not mention the
"users" who didn't respond at all.

Anyway ...

If we believe the OpenSSL people that they actually relicensed OpenSSL
to Apache license version 2 and didn't simply slap an invalid license
claim on top of it, we can treat it like MbedTLS releases later than
2.17 which are also supposed to be licensed under the Apache license
according to:
https://lists.trustedfirmware.org/pipermail/mbed-tls/2020-October/000213.html

To deal with that, the Privoxy copyright section in the user manual
which used to be simple and easy to understand now says:
| Privoxy is free software; you can redistribute and/or modify its source
| code under the terms of the GNU General Public License as published by
| the Free Software Foundation, either version 2 of the license,
| or (at your option) any later version.
|
| The same is true for Privoxy binaries unless they are linked with a
| mbed TLS version that is licensed under the Apache 2.0 license in
| which case you can redistribute and/or modify the Privoxy binaries
| under the terms of the GNU General Public License as published by
| the Free Software Foundation, either version 3 of the license,
| or (at your option) any later version.
|
| Both licenses are included in the next section.
https://www.privoxy.org/user-manual/copyright.html

We could simply amend the second paragraph to mention OpenSSL v3
as well and distribute the Privoxy binaries with the GPLv3 text.

> >> Many other free software projects cross-compile for Windows:
> >> https://www.gpg4win.org/build-installer-gnulinux.html
> >> https://gitweb.torproject.org/builders/tor-browser-build.git/tree/README
> >> https://wiki.videolan.org/Win32Compile/
> >>
> >> Maybe we should do this as well.
> >
> > Through the Emacs website I cam across MSYS2 today:
> > https://www.msys2.org/
> >
> > It seems to be a packaging system based on pacman (used by Arch Linux)
> > and they already package Brotli, pcre and MbedTLS:
> > https://packages.msys2.org/base
> >
> > Maybe we should try to get Privoxy into the MSYS2 distribution.
> 
> I can give it a try.

Awesome.

> > They don't seem to support older Windows versions but for
> > recent Windows versions it may be a good fit.
> 
> Microsoft doesn't support older Windows versions, so I don't see that
> as a problem.

I consider it acceptable as well.

Fabian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.privoxy.org/pipermail/privoxy-devel/attachments/20201213/385ea263/attachment-0001.bin>

More information about the Privoxy-devel mailing list