[OE-core] [PATCH v4 0/3] zypper: support signed repositories

Steve Sakoman sakoman at gmail.com
Wed Feb 1 14:34:59 UTC 2012


On Wed, Feb 1, 2012 at 3:13 AM, Koen Kooi <koen at dominion.thruhere.net> wrote:
>
> On 1 Feb 2012, at 12:11, Anders Darander wrote:
>
>> * Steve Sakoman <sakoman at gmail.com> [120131 17:50]:
>>> On Mon, Jan 30, 2012 at 11:42 PM, Anders Darander <anders at chargestorm.se> wrote:
>>>> * Steve Sakoman <steve at sakoman.com> [120131 06:32]:
>>>>> On Mon, Jan 30, 2012 at 7:23 PM, Saul Wold <sgw at linux.intel.com> wrote:
>>>>>> On 01/30/2012 05:39 PM, Steve Sakoman wrote:
>>
>>>>>> I will wait to pull this until I hear back from you with another pull
>>>>>> request.  Thanks for digging into this, better to get it solved now than
>>>>>> figure it out later that we missed a GPLv2 dependency.
>>
>>>>> I'll do a build with the libzypp RDEPENDS change and verify no issues,
>>>>> and then a test build with the gpg2 -> gpg change and verify that too.
>>
>>>>> If it works, then that patch should likely get bundled with the
>>>>> introduction of a GnuPG V1.4.10 recipe import from oe-classic.
>>
>>>> I think you'll have to modify the oe-classic recipe to use GnuPG v1.4.7,
>>>> as it seems that GnuPG was relicensed to GPLv3 in 1.4.8... At least that
>>>> was the conclusion I came to when I looked at this last summer.
>>>> (Unfortunately, I didn't have time to work through it).
>>
>>> This makes me wonder whether libzypp/zypper is an appropriate long
>>> term choice for those who want to avoid GPLv3.
>>
>>> The zypp project obviously made the choice to switch to GPLv3 years
>>> ago and it will be an ongoing problem to try to support old versions
>>> with GPLv2.
>>
>>> Perhaps yum would be a better choice for the GPLv3 averse, since IIRC
>>> it is still GPLv2.
>>
>> How does yum handle the signatures? Does it also do it using
>> gpg/gpg2-commands? If so, we would probably have the same problem with
>> yum as with libzypp/zypper. (Possible without having to patch gpg2 ->
>> gpg, but as they are quite compatible, that should be a minor issue). We
>> would still have problems using later GnuPG 1.4.x...
>>
>> Or is yum (or any other package manager) using GpgME? (The library
>> designed to make it easier for applications to interface with gpg). If
>> so, it should be OK, as gpgme is licensed under GPLv2(+?)
>
> And is yum a binary or a script? I'm in the 'statically linked package manager' camp, so switching to a script is only going to make me sad ;)

IIRC yum is a script.  It would make me sad too, and that is why I
intend to stick with libzypp/zypper for rpm based images.

Steve



