[OE-core] gnutls/nettle/gmp licensing and versions

Tue Aug 18 08:35:34 UTC 2015

On Thu, Aug 13, 2015 at 03:42:45PM +0300, Jussi Kukkonen wrote:
> On 12 August 2015 at 17:14, Jussi Kukkonen <jussi.kukkonen at intel.com> wrote:
> > Hi,
> >
> > I realise I'm a bit late (with the commit in master already) but I'm
> > looking at upgrading this recipe and had some questions on this patch
> > and the recipe in general.
> >
> > On 9 August 2015 at 08:28, Armin Kuster <akuster808 at gmail.com> wrote:
> >> adding the license definitions on the few packages that
> >> deviate from the overall package license.
> >>
> >> based on http://www.lysator.liu.se/~nisse/nettle/nettle.html#Copyright
> >> and spot checking files.
> >>
> >> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
> >> ---
> >>  meta/recipes-support/nettle/nettle_2.7.1.bb | 9 +++++++++
> >>  1 file changed, 9 insertions(+)
> >>
> >> diff --git a/meta/recipes-support/nettle/nettle_2.7.1.bb b/meta/recipes-support/nettle/nettle_2.7.1.bb
> >> index f53afcc..f9d331f 100644
> >> --- a/meta/recipes-support/nettle/nettle_2.7.1.bb
> >> +++ b/meta/recipes-support/nettle/nettle_2.7.1.bb
> >> @@ -2,6 +2,15 @@ SUMMARY = "A low level cryptographic library"
> >>  HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/"
> >>  SECTION = "libs"
> >>  LICENSE = "LGPLv2.1 & GPLv2"
> >
> > I think this is wrong, whichever version you look at -- our current
> > version is just "LGPLv2.1+", the current upstream release is "LGPLv3+
> > | GPLv2+"
> >
> > I'm going to send a patch upgrading the recipe to the current upstream
> > release (and setting license to "LGPLv3+ | GPLv2+"): it might seem
> > like this makes gnutls effectively LGPLv3 but that actually happened
> > last year with the gmp upgrade. Comments on this welcome.
> 
> Alexander just pointed out to me that there was a discussion on gnutls
> and nettle already in July (which I missed in my
> back-from-holiday-email-binge). It seems that the consensus was to
> preserve LGPLv2 versions.
> 
> This is what the current situation looks to me -- please correct if I'm wrong:
> * gmp is "GPLv2+ | LGPLv3+"
> * nettle is "LGPLv2.1+" but depends on gmp
> * gnutls "LGPLv2.1+" but depends on nettle
> 
> This effectively makes gnutls "GPLv2+ | LGPLv3+" as far as I can see.
> If we want to preserve a LGPLv2 gnutls, we need to bring back an older
> version of gmp (I think 4.2.1).

I agree, recently we had to downgrade gmp to 4.2.1 in our layer to pass
our license check. Similarly we had to check that all nettle libraries
used in our image are LGPLv2.1 not GPLv2.0 - that's why I've suggested
to package them separately, so that we'll see only LGPLv2.1 nettle
package in our image.

Regards,

> >> +LICENSE_${PN}-cast = "CC0"
> >> +LICENSE_${PN}-gosthash = "MIT"
> >> +
> >> +# both public and GPL license listed
> >> +LICENSE_${PN}-md2 = "CC0 & LGPLv2.1+"
> >> +LICENSE_${PN}-md4 = "CC0 & LGPLv2.1+"
> >
> > From the reference I had the impression this "LICENSE_something"
> > construct would imply there is a package "something". But the nettle
> > recipe does not produce "nettle-cast" or any of these. What is the
> > purpose here?
> >
> > Thanks,
> >  Jussi
> >
> >> +
> >> +
> >>  LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=2d5025d4aa3495befef8f17206a5b0a1 \
> >>                      file://serpent-decrypt.c;beginline=53;endline=67;md5=bcfd4745d53ca57f82907089898e390d \
> >>                      file://serpent-set-key.c;beginline=56;endline=70;md5=bcfd4745d53ca57f82907089898e390d"
> >> --
> >> 2.3.5
> >>
> >> --
> >> _______________________________________________
> >> Openembedded-core mailing list
> >> Openembedded-core at lists.openembedded.org
> >> http://lists.openembedded.org/mailman/listinfo/openembedded-core
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa at gmail.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://lists.openembedded.org/pipermail/openembedded-core/attachments/20150818/f79e7dc6/attachment-0002.sig>