
Re: Bug#308364: ITP: waste -- Software product and protocol that enables secure distributed communication for small trusted groups of users.



On Friday 13 May 2005 06:09, Romain Beauxis wrote:
> On Friday 13 May 2005 12:18, you wrote:
> > I took a quick look at the code and found it may require DFSG actions.
> >
> > http://cvs.sourceforge.net/viewcvs.py/waste/waste/license.cpp?rev=1.1&view=auto
> > that arrays are either the GPL license itself, backdoor code
> > (who knows, I didn't try to decode it) or some hashes of something.
> >
> > To me it seems it violates the GPL, the source code is not in a
> > changeable form.
> >
> > It is also a good place to hide backdoors when crackers get access to
> > the source code repository...
>
> Yep, when I see that:
> WASTE - license.cpp
> Copyright (C) 2003 Nullsoft, Inc.
> Copyright (C) 2004 WASTE Development Team
>
> Then that:
> //ADDED Md5Chap - THIS PART IS GPL LICENSE!!! TOUCH AND DIE!
>
> Followed by a full binary only array, I feel it like you: it might be a
> good place for a backdoor, given that TOUCH AND DIE seems very strange
> referring to GPL licence...

The license.cpp file creates a couple arrays, szGPL0 & szGPL1, which 
supposedly are a binary representation of the GPL license.

However, no matter what they represent, it's not really an issue (for 
changing, or for "backdoors"), as nowhere in any of the rest of the code 
does anything reference those arrays.

Probably a good idea to ask the upstream what's up with it, and have them 
remove or document it, but to make it out-of-the-question DFSG free, you 
could either ignore or remove these files with absolutely no ill effects to 
the program. (i.e. this is obvious via inspection, and just to be sure, I 
compiled it with the original code, and then with license.?pp deleted and 
#includes of the header removed from the three files it's referenced from, 
and got bit for bit binaries out).

-- 
Wesley J. Landaker <wjl@icecavern.net>
OpenPGP FP: 4135 2A3B 4726 ACC5 9094  0097 F0A9 8A4C 4CD6 E3D2
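
The "nothing references those arrays" inspection described in the message above, sketched as an added example; it is not part of the original post or of the WASTE code. The file contents are constructed stand-ins (only the names szGPL0, szGPL1 and license.cpp come from the thread), and the helper names are hypothetical.

```python
import re

# Constructed sample tree (NOT the real WASTE sources): file name -> contents.
SAMPLE_TREE = {
    "license.cpp": '#include "license.hpp"\n'
                   "unsigned char szGPL0[] = { 0x47, 0x4e, 0x55, 0x20 };\n"
                   "unsigned char szGPL1[] = { 0x47, 0x50, 0x4c, 0x0a };\n",
    "license.hpp": "extern unsigned char szGPL0[];\n"
                   "extern unsigned char szGPL1[];\n",
    "main.cpp": '#include "license.hpp"\n'
                "// szGPL0 is mentioned only in this comment\n"
                'const char *note = "szGPL1 appears only in a string";\n'
                "int main() { return 0; }\n",
}

# Comments and string/char literals: mentions there are not real uses.
NOISE = re.compile(
    r'//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.S)
# An array definition with an initializer: name[...] = {
ARRAY_DEF = re.compile(r"\b([A-Za-z_]\w*)\s*\[[^\]]*\]\s*=\s*\{")
# Preprocessor lines and extern declarations announce a name without using it.
DECL_LINE = re.compile(r"^[ \t]*(?:#|extern\b)[^\n]*", re.M)


def strip_noise(src):
    """Blank out comments and literals so only code tokens remain."""
    return NOISE.sub(" ", src)


def defined_arrays(src):
    """Names of arrays that are defined with an initializer in src."""
    return set(ARRAY_DEF.findall(strip_noise(src)))


def unreferenced_arrays(tree, defining_files):
    """Arrays defined in defining_files that no other file's code uses."""
    names = set()
    for path in defining_files:
        names |= defined_arrays(tree[path])
    used = set()
    for path, src in tree.items():
        if path in defining_files:
            continue
        code = DECL_LINE.sub("", strip_noise(src))
        used |= {n for n in names if re.search(r"\b%s\b" % re.escape(n), code)}
    return sorted(names - used)


if __name__ == "__main__":
    print(unreferenced_arrays(SAMPLE_TREE, {"license.cpp"}))
```

Uses hidden behind macros, or made inside the defining file itself, are outside what this textual scan sees.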
