
[Savannah-hackers] Evaluation: kit


From: Hugo Gayosso
Subject: [Savannah-hackers] Evaluation: kit
Date: 14 Jul 2001 22:18:33 -0400
User-agent: Gnus/5.090003 (Oort Gnus v0.03) Emacs/20.7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Summary:  (includes answer from Eben Moglen)

kit
===

Received    : 02 Apr 2001
Requested by: Savannah <address@hidden>

Author     :  <address@hidden>

Homepage   :  <http://www.abelsson.com/kit/>
Source     :  <http://www.abelsson.com/kit/kitserver-0.1.1.tar.gz>
              <http://www.abelsson.com/kit/kitclient-0.1.1.tar.gz>
              <http://sourceforge.net/cvs/?group_id=25799>

Evaluator   : Moritz Tacke <address@hidden>

Started     : 20 Apr 2001
Completed   : 14 Jul 2001
Filename    : kit

Description:

Keep in touch is an attempt to create a secure instant messenger - it
supports its own XML based protocol as well as ICQ and AIM (Adding new
protocols i.e. jabber is mostly a question of implementing the protocol
itself - the client has a good framework for multiple protocols). The
goal of the project is to allow users to communicate sensitive issues
securely without having to worry about their data being intercepted by
an attacker.

Comments:

<address@hidden>:
The reason for doing yet another project (actually, it predates most -
but it's been laying dormant for quite some time) is that bolted on
security as an afterthought rarely creates a secure enough
system. It's written entirely using C++ and only depends on code
that is GPLed or freer. The architecture is fairly extensible and
it's reasonably easy to add new modules. It could possibly be used
as a foundation for the GNU GLUE project, if it seems reasonable to do
so to the people involved in that project.

Current status is that basic messaging as well as presence detection for
all 3 supported protocols is working, but more advanced features (as well
as implementation of security features) need to be worked on.

[...]

There's a couple of evil things that kit does (to save you the time of
discovering them yourselves)

* It depends on the horrible Qt toolkit (soon the gui will be cleanly
abstracted away from the protocol implementation, so alternative
frontends could be written without too much pain).
* It's poorly documented. Read: hardly anything.
* Written in C++. While not that evil in itself, C might have been
nicer.
* Client code is fairly messy, the server is a bit better.
* Only database plugin written yet is for mysql.
* Doesn't interact with the rest of the system much.
* Client isn't a proper autoconf/automake package (I used an
automatically generated template from kdevelop after I couldn't get
automake to work reliably with Qt myself)
* No command line interface(s).
* No config file implemented for server - lot of values are hardcoded.

KiT uses free software, but it's not the "usual" gnu set of free
software. Qt vs GTK+ and mySQL vs PostgreSQL. Different databases are
very easy to support (you don't even need to recompile the server) but the
client is fairly dependent on Qt still - even the parts that aren't
directly GUI related. But like I said above.. it's my firm intention to
fix that and separate the GUI and code. (it's the Right Thing)

Please use the tarballs to try kit and the CVS version to evaluate
what it will become - they're pretty different. :)

BTW, kit has recently been renamed kim and merged with another similar
project, but all the developers are committed to joining the gnu project
- that is, if you want it.


<address@hidden> :

I believe the present state of US law is that most crypto that is "open
source" can be exported, as long as _someone_ notifies the right US
authorities and a copy of the source code is filed in various places.
So, the most common free crypto implementations are all now OK to
export.

I'm not sure how to check whether a particular library is exportable.
I'll ask around and try to get back to the list.  In this particular
case, you might try asking the authors.

                                   Brian Youmans
                                   FSF Office Staff


Here is the answer which I received from Eben Moglen, who is essentially
the FSF's 'general counsel'.  His answer is a response to my message, which
is at the bottom.

If someone gives me an answer to Eben's question, I will relay it to Eben.
(I don't want to give out Eben's email freely - he is a valuable resource
for us, and I don't want to give out his email to more folks without asking 
him.)

- Brian Youmans, FSF office staff
-----------------------------------------------------------------------------

The general answer is yes.  GPL'd cryptographic software, which is
always distributed with source code, should under current regulations
be exportable to all except the seven countries on the US quarantine
list regardless of cryptographic strength and key length.  If we have
not previously reviewed crypto++ and there are reasons that make it
special from a cryptographic point of view, I would want to know about
them before making a final decision.  What package depends on crypto++
and what does crypto++ do?

On Tuesday, 8 May 2001, Incoming FSF orders for 59 Temple Place wrote:

  This is not in reference to a package that we distribute, but to a
  package that we were evaluating for inclusion in our distribution,
  that _depends_ on an outside crypto package called crypto++.

  Naturally, we don't want our software to depend on a package that is
  non-exportable.

  So, basically, our position is that any crypto is exportable as long
  as it is publicly available by ftp or http?

  - Brian Youmans, FSF office staff


====================



From: Moritz Tacke <address@hidden>
Subject: evaluation of kit
To: <address@hidden>
Date: Sat, 14 Jul 2001 19:23:21 +0200 (CEST)


GNU Software Evaluation
-- ---------------------------------------------------

I. Package description

 -Package name and version:

 kitclient-0.1.1
 kitserver-0.1.1

 -Author:

Henrik Abelsson <address@hidden>

 -Should the author(s) be contacted? (Yes/No):

Yes

 -Home page:

www.abelsson.com/kit

 -Distribution site:

 www.abelsson.com/kit

 -Describe in your own words what job or jobs this program does.

The Client is a client for the instant messaging protocols ICQ, AIM,
and kit, which is the real new thing.
The server is a server for the kit protocol, which is an XML-based
secure IM protocol.

The software is to be replaced by a totally new coded one which will
have important differences to this version (and a new name, "kim"),
thus I think that this software itself isn't that important; the
question is whether or not to support a new IM protocol.


 -Binaries available: Y/N

 Y

 -GNU/Linux support? Y/N

 Y

 -License:               (specify type - any problems?)

GPL

II. Package specifics

 -Dependencies:             (ok/problematic + notes)

 mysql (only the server) (to be changed with the new software, then,
                          other databases should be usable as well
                          without changing the code)

 qt     (to be replaced)

 crypto++, which is an encryption library for C++; find the license
attached. The problem here might be the exportability clause (US law
problems...), but I got it from an Austrian mirror (and therefore
didn't export it from the US?)

 -Configuration:            (GNU coding standards compliant? Y/N)

Y

 -Compilation:              (GNU coding standards compliant? Y/N)

Y

 -Usability/interface:      (ok/problematic + notes)
   This is a very important issue.
   (For a C++ library, one important issue is, can it be used from C?)

Good

  -What languages is the program written in.

C++

 -Code clarity/maintenance: (ok/problematic + notes)
   Skim a few header files and a few source files.
   Can you understand each part, at least in the large,
   from the comments there?

ok, but to be replaced by the new version...

  -Performance:              (ok/problematic + notes)

ok

 -Documentation:
    -- Is there a good intro?

No

    -- Is there a good reference?

No. There are some hints about how to install and configure the server
and the database.

 -Does the program recommend or encourage the use of any non-free
  software?

No

 -Does it have certain capabilities that can only be used in
  conjunction with some non-free software package?


No, if the software running on the ICQ, AIM - servers doesn't count.


III. Evaluation summary

 -Does the program fit coherently within the GNU system?

As I mentioned before, the question is not about this software which
is going to be replaced soon, it's about the protocol: Does supporting
a totally new -secure- IM Protocol make sense? I don't really
know. Jabber seems to be similar to kit (it supports SSL), but jabber
isn't GPLed - it uses its own license which is similar to the mozilla license.



 -Does the program meet necessary requirements for being
  a GNU package?  If not, can changes be feasibly implemented
  by the author in order for the program to be acceptable?

    = propose suggested changes

The program is already subject to major changes (a replacement)


 -Are there any licensing issues that need to be resolved?

I don't know about the crypto++-License. Find it attached.

 -Is there a large overlap with some other GNU package?
  An overlap is when two programs have substantial
  functionality in common, but neither one entirely
  subsumes the other.  (Such overlap is undesirable.)

There are Gnome programs which implement the ICQ, AIM and Jabber
protocols, as well as the kitclient does. But if the question is about
accepting the protocol: No, as far as I know

 -Is the program free of gratuitous incompatibilities with other GNU
  packages?

  No because it implements a new protocol.

===========================
crypto++    License


(Please note this license only applies to version 4.1 or later. Earlier
versions are covered under a slightly more restrictive license.)

Compilation Copyright (c) 1995-2001 by Wei Dai.  All rights reserved.
This copyright applies only to this particular software distribution 
package, and does not imply a copyright on any particular file in 
the library.

All files in this library except the following are placed in
the public domain by Wei Dai and other contributors.

The following files are copyrighted by their respective original authors.

haval.cpp - Copyright 1992 Yuliang Zheng.
idea.cpp - Copyright 1992 Colin Plumb.
mars.cpp - Copyright 1998 Brian Gladman.
md2.cpp - Copyright 1994, 1995 Sun Microsystems, Inc.
serpent.cpp - Copyright 1998, 1999 Brian Gladman and Sam Simpson.

Permission to use, copy, modify, and distribute this compilation for
any purpose, including commercial applications, is hereby granted
without fee, subject to the following restrictions:

1. Any copy or modification of this compilation in any form, except
in object code form as part of an application software, must include
the above copyright notice and this license.

2. Users of this software agree that any modification or extension
they provide to Wei Dai will be considered public domain and not
copyrighted unless it includes an explicit copyright notice.

3. Wei Dai makes no warranty or representation that the operation of the
software in this compilation will be error-free, and Wei Dai is under no
obligation to provide any services, by way of maintenance, update, or
otherwise.  THE SOFTWARE AND ANY DOCUMENTATION ARE PROVIDED "AS IS"
WITHOUT EXPRESS OR IMPLIED WARRANTY INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT WILL WEI DAI OR ANY OTHER CONTRIBUTOR BE LIABLE FOR
DIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, EVEN IF
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

4. Users will not use Wei Dai or any other contributor's name in any 
publicity or advertising, without prior written consent in each case.

5. Export of this software from the United States may require a
specific license from the United States Government.  It is the
responsibility of any person or organization contemplating export
to obtain such a license before exporting.

6. Certain parts of this software may be protected by patents.  It
is the users' responsibility to obtain the appropriate
licenses before using those parts.

If this compilation is used in object code form in an application
software, acknowledgement of the author is not required but would be
appreciated. The contribution of any useful modifications or extensions
to Wei Dai is not required but would also be appreciated.


-- 
Hugo Gayosso
GNU Software Evaluators
Coordinator

http://www.gnu.org
http://wildebeest.myip.org/~gnu
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7UP15MNObVRBZveYRAmlCAJ9C9IxyX0A5zRWKvVW27GxsLP3EWACdHPfp
gWDkD+jj0e6lRVq6cg0o3Ag=
=+h21
-----END PGP SIGNATURE-----


