JinpengLI / gsoap

gsoap_2.7.17 (the license of 2.8 has been changed. Here is the old version )

Update to gSOAP 2.8 (critical) #1

Open genivia-inc opened 7 years ago

genivia-inc commented 7 years ago

Updated 2.8 versions of gsoap were released some time ago to ensure non-vulnerable OpenSSL TLS protocols are used and to fix a potential server-side vulnerability. Updating to the 2.8 releases is strongly recommended.

JinpengLI commented 7 years ago

Thanks for your notification. In my opinion, it is not really necessary because we are using Apache for HTTPS.

genivia-inc commented 7 years ago

Hello,

I disagree. HTTPS alone is not sufficient to avoid this problem on the server side.

huguanghui commented 7 years ago

I have a doubt: with the gSOAP 2.8.8 version of wsdl2h, the ONVIF xsd:anyType is generated in the header file as _XML *any, but with the gSOAP 2.8.49 version it becomes _XML any. I don't see this change in the version update records.

genivia-inc commented 7 years ago

The _XML *__any uses an extra pointer that is not needed. This was later improved in updates.

You can download 2.8.8 from SourceForge with the patches applied, so you do not need to change your source code.

JinpengLI commented 7 years ago

Hello Robert,

In short, as described in the description, the license of 2.8 requires open source during distribution. This is a potential problem with our projects.

Secondly, even if you disagree, I don't see the potential TLS/SSL issue if I put gSOAP behind Apache; we have put many applications behind Apache. Apache not only supports HTTPS, but also supports secure WebSocket. Considering the deployment workload, all the TLS/SSL configuration is centralized in Apache; there is no need to configure TLS/SSL for each application, e.g. gSOAP.

I am wondering if you are talking about the OpenSSL vulnerability CVE-2014-0160 (http://heartbleed.com/). The suggested solution is to upgrade OpenSSL on the server side to avoid using the vulnerable version of OpenSSL, so that all the packages which use OpenSSL can avoid this issue.

I am adding my colleague @Florent2305 of FLI-IAM to this thread, since he first proposed using gSOAP. If Florent is interested, he could give some opinions.

References: https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html https://stackoverflow.com/questions/26791107/websockets-wss-on-http-vs-wss-on-https

Best, Jinpeng Li, PhD Research Engineer in the projects CATI (http://cati-neuroimaging.com/) and FLI-IAM (https://project.inria.fr/fli/en/)

genivia-inc commented 7 years ago

In short, as described in the description, the license of 2.8 requires open source during distribution. This is a potential problem with our projects.

I don't know what you mean. Aren't your projects on GitHub open source already?

See here for info on the potential problem:

https://motherboard.vice.com/en_us/article/gybm4b/internet-of-things-camera-axis-bug

JinpengLI commented 7 years ago

I am not an expert on open source licenses. If I understand and remember correctly, it is because of "GPL v2" (2.8) instead of "GPL" (2.7). "GPL v2" requires all the dependent packages to be open source as well.

https://en.wikipedia.org/wiki/GNU_General_Public_License

Version 2

According to Richard Stallman, the major change in GPLv2 was the "Liberty or Death" clause, as he calls it[20] – Section 7. The section says that licensees may distribute a GPL-covered work only if they can satisfy all of the license's obligations, despite any other legal obligations they might have. In other words, the obligations of the license may not be severed due to conflicting obligations. This provision is intended to discourage any party from using a patent infringement claim or other litigation to impair users' freedom under the license.[20]

I am not sure if "GPL" requires dependent packages to be open source as well. I am working on non-commercial projects. I declare that carmin_r2s (https://github.com/fli-iam/CARMIN_R2S), which I developed and which depends on gsoap, is open source as well. I don't see a problem with GPLv2 for my part. Therefore I feel free to update carmin_r2s to gsoap 2.8.

Jinpeng

genivia-inc commented 7 years ago

Hello Jinpeng,

I hope your project is going well. I do not mean to be difficult, but I have to point out the vulnerability is critical and would not like to see your project suffer. Proper licensing and attribution is also critical.

Let me know if you need help with your project. The gsoap 2.8 upgrades should work fine, but there are some changes and improvements made over the years.

I am not sure if "GPL" requires dependent packages to be open source as well. I am working on non-commercial projects. I declare that carmin_r2s (https://github.com/fli-iam/CARMIN_R2S), which I developed and which depends on gsoap, is open source as well. I don't see a problem with GPLv2 for my part. Therefore I feel free to update carmin_r2s to gsoap 2.8.

This is correct. If you’re open sourcing the project under a license that is compatible with GPLv2 then there is no licensing issue.

Perhaps I misunderstood your statement "In short, as described in the description, the license of 2.8 requires open source during distribution. This is a potential problem with our projects.", since that seems to contradict what you said in this email. Hence the confusion. It is important to have this cleared up.

The GPLv2 terms do require “compatibility” of the distribution license used with GPLv2. There are no obligations for internal use. But distribution under commercial licensing, meaning closed source, is not compatible with GPLv2. See also https://en.wikipedia.org/wiki/License_compatibility

I hope you're happy with gsoap. You can rate the project on SourceForge (https://sourceforge.net/projects/gsoap2/) and I would much appreciate that. I am sure you want gsoap to be alive and kicking in the future and your support is helpful to keep me going. Genivia maintains gsoap and provides technical support with my assistance. I'm still the chief developer but get help with testing the software by staff and interns that are hired to assist with testing by implementing services such as AWS (https://www.codeproject.com/Articles/1108296/How-to-Use-Amazon-Simple-Storage-Service-S-in-Cplu) and EWS (https://www.codeproject.com/Articles/1119224/How-to-Use-Exchange-Web-Service-in-Cplusplus-With) for example.

A lot of hard work goes into this!!

Thanks.

genivia-inc commented 7 years ago

Jinpeng,

I forgot to mention that the license change was not GPL to GPLv2, but the license change was to remove soapcpp2 from the gSOAP Public License (an MPL1.1 license) in 2.8. This makes soapcpp2 also covered under GPLv2 licensing just as wsdl2h was always covered under GPLv2 licensing. All gSOAP code has always been covered under the GPLv2. Some parts are also covered under the gSOAP Public License, such as the stdsoap2 library, which means that the stdsoap2 library can be used without GPLv2. The name “gSOAP Public License” should not be abbreviated as GPL to avoid confusion.
