[OE-core] [PATCH v4 0/3] zypper: support signed repositories
Anders Darander
anders at chargestorm.se
Wed Feb 1 11:11:01 UTC 2012
* Steve Sakoman <sakoman at gmail.com> [120131 17:50]:
> On Mon, Jan 30, 2012 at 11:42 PM, Anders Darander <anders at chargestorm.se> wrote:
> > * Steve Sakoman <steve at sakoman.com> [120131 06:32]:
> >> On Mon, Jan 30, 2012 at 7:23 PM, Saul Wold <sgw at linux.intel.com> wrote:
> >> > On 01/30/2012 05:39 PM, Steve Sakoman wrote:
> >> > I will wait to pull this until I hear back from you with another pull
> >> > request. Thanks for digging into this, better to get it solved now then
> >> > figure it out later that we missed a GPLv2 dependency.
> >> I'll do a build with the libzypp RDEPENDS change and verify no issues,
> >> and then a test build with the gpg2 -> gpg change and verify that too.
> >> If it works, then that patch should likely get bundled with the
> >> introduction of a GnuPG V1.4.10 recipe import from oe-classic.
> > I think you'll have to modify the oe-classic recipe to use GnuPG v1.4.7,
> > as it seems that GnuPG was relicensed to GPLv3 in 1.4.8... At least that
> > was the conclusion I came to when I looked at this last summer.
> > (Unfortunately, I didn't have time to work through it).
> This makes me wonder whether libzypp/zypper is an appropriate long
> term choice for those who want to avoid GPLv3.
> The zypp project obviously made the choice to switch to GPLv3 years
> ago and it will be an ongoing problem to try to support old versions
> with GPLv2.
> Perhaps yum would be a better choice for the GPLv3 averse, since IIRC
> it is still GPLv2.
How does yum handle the signatures? Does it also do it using
gpg/gpg2-commands? If so, we would probably have the same problem with
yum as with libzypp/zypper. (Possible without having to patch gpg2 ->
gpg, but as they are quite compatible, that should be a minor issue). We
would still have problems using later GnuPG 1.4.x...
Or is yum (or any other package manager) using GpgME? (The library
designed to make it easier for applications to interface with gpg). If
so, it should be OK, as gpgme is licensed under GPLv2(+?)
Cheers,
Anders
--
Anders Darander
ChargeStorm AB / eStorm AB
More information about the Openembedded-core
mailing list