[OE-core] [PATCH v4 0/3] zypper: support signed repositories
Steve Sakoman
sakoman at gmail.com
Wed Feb 1 14:33:23 UTC 2012
On Wed, Feb 1, 2012 at 3:11 AM, Anders Darander <anders at chargestorm.se> wrote:
> * Steve Sakoman <sakoman at gmail.com> [120131 17:50]:
>> On Mon, Jan 30, 2012 at 11:42 PM, Anders Darander <anders at chargestorm.se> wrote:
>> > * Steve Sakoman <steve at sakoman.com> [120131 06:32]:
>> >> On Mon, Jan 30, 2012 at 7:23 PM, Saul Wold <sgw at linux.intel.com> wrote:
>> >> > On 01/30/2012 05:39 PM, Steve Sakoman wrote:
>
>> >> > I will wait to pull this until I hear back from you with another pull
>> >> > request. Thanks for digging into this, better to get it solved now then
>> >> > figure it out later that we missed a GPLv2 dependency.
>
>> >> I'll do a build with the libzypp RDEPENDS change and verify no issues,
>> >> and then a test build with the gpg2 -> gpg change and verify that too.
>
>> >> If it works, then that patch should likely get bundled with the
>> >> introduction of a GnuPG V1.4.10 recipe import from oe-classic.
>
>> > I think you'll have to modify the oe-classic recipe to use GnuPG v1.4.7,
>> > as it seems that GnuPG was relicensed to GPLv3 in 1.4.8... At least that
>> > was the conclusion I came to when I looked at this last summer.
>> > (Unfortunately, I didn't have time to work through it).
>
>> This makes me wonder whether libzypp/zypper is an appropriate long
>> term choice for those who want to avoid GPLv3.
>
>> The zypp project obviously made the choice to switch to GPLv3 years
>> ago and it will be an ongoing problem to try to support old versions
>> with GPLv2.
>
>> Perhaps yum would be a better choice for the GPLv3 averse, since IIRC
>> it is still GPLv2.
>
> How does yum handle the signatures? Does it also do it using
> gpg/gpg2-commands? If so, we would probably have the same problem with
> yum as with libzypp/zypper. (Possible without having to patch gpg2 ->
> gpg, but as they are quite compatible, that should be a minor issue). We
> would still have problems using later GnuPG 1.4.x...
I don't know what yum does, and to be honest I'm not too motivated to find out!
I'm happy with zypp/zypper and that is the reason for jumping through
hoops to get full support for signed repositories :-)
Yum was merely mentioned as an option for those who can't deal with GPLv3.
> Or is yum (or any other package manager) using GpgME? (The library
> designed to make it easier for applications to interface with gpg). If
> so, it should be OK, as gpgme is licensed under GPLv2(+?)
No idea on this one either!
Steve
More information about the Openembedded-core
mailing list