[OE-core] [PATCH v4 0/3] zypper: support signed repositories
Koen Kooi
koen at dominion.thruhere.net
Wed Feb 1 11:13:58 UTC 2012
Op 1 feb. 2012, om 12:11 heeft Anders Darander het volgende geschreven:
> * Steve Sakoman <sakoman at gmail.com> [120131 17:50]:
>> On Mon, Jan 30, 2012 at 11:42 PM, Anders Darander <anders at chargestorm.se> wrote:
>>> * Steve Sakoman <steve at sakoman.com> [120131 06:32]:
>>>> On Mon, Jan 30, 2012 at 7:23 PM, Saul Wold <sgw at linux.intel.com> wrote:
>>>>> On 01/30/2012 05:39 PM, Steve Sakoman wrote:
>
>>>>> I will wait to pull this until I hear back from you with another pull
>>>>> request. Thanks for digging into this, better to get it solved now then
>>>>> figure it out later that we missed a GPLv2 dependency.
>
>>>> I'll do a build with the libzypp RDEPENDS change and verify no issues,
>>>> and then a test build with the gpg2 -> gpg change and verify that too.
>
>>>> If it works, then that patch should likely get bundled with the
>>>> introduction of a GnuPG V1.4.10 recipe import from oe-classic.
>
>>> I think you'll have to modify the oe-classic recipe to use GnuPG v1.4.7,
>>> as it seems that GnuPG was relicensed to GPLv3 in 1.4.8... At least that
>>> was the conclusion I came to when I looked at this last summer.
>>> (Unfortunately, I didn't have time to work through it).
>
>> This makes me wonder whether libzypp/zypper is an appropriate long
>> term choice for those who want to avoid GPLv3.
>
>> The zypp project obviously made the choice to switch to GPLv3 years
>> ago and it will be an ongoing problem to try to support old versions
>> with GPLv2.
>
>> Perhaps yum would be a better choice for the GPLv3 averse, since IIRC
>> it is still GPLv2.
>
> How does yum handle the signatures? Does it also do it using
> gpg/gpg2-commands? If so, we would probably have the same problem with
> yum as with libzypp/zypper. (Possible without having to patch gpg2 ->
> gpg, but as they are quite compatible, that should be a minor issue). We
> would still have problems using later GnuPG 1.4.x...
>
> Or is yum (or any other package manager) using GpgME? (The library
> designed to make it easier for applications to interface with gpg). If
> so, it should be OK, as gpgme is licensed under GPLv2(+?)
And is yum a binary or a script? I'm in the 'statically linked package manager' camp, so switching to a script is only going to make me sad ;)
regards,
Koen
More information about the Openembedded-core
mailing list