[OE-core] gnutls/nettle/gmp licensing and versions

Jussi Kukkonen jussi.kukkonen at intel.com
Fri Aug 21 12:15:13 UTC 2015


On 18 August 2015 at 11:35, Martin Jansa <martin.jansa at gmail.com> wrote:
> On Thu, Aug 13, 2015 at 03:42:45PM +0300, Jussi Kukkonen wrote:
>> On 12 August 2015 at 17:14, Jussi Kukkonen <jussi.kukkonen at intel.com> wrote:
>> > Hi,
>> >
>> > I realise I'm a bit late (with the commit in master already) but I'm
>> > looking at upgrading this recipe and had some questions on this patch
>> > and the recipe in general.
>> >
>> > On 9 August 2015 at 08:28, Armin Kuster <akuster808 at gmail.com> wrote:
>> >> adding the license definitions on the few packages that
>> >> deviate from the overall package license.
>> >>
>> >> based on http://www.lysator.liu.se/~nisse/nettle/nettle.html#Copyright
>> >> and spot checking files.
>> >>
>> >> Signed-off-by: Armin Kuster <akuster808 at gmail.com>
>> >> ---
>> >>  meta/recipes-support/nettle/nettle_2.7.1.bb | 9 +++++++++
>> >>  1 file changed, 9 insertions(+)
>> >>
>> >> diff --git a/meta/recipes-support/nettle/nettle_2.7.1.bb b/meta/recipes-support/nettle/nettle_2.7.1.bb
>> >> index f53afcc..f9d331f 100644
>> >> --- a/meta/recipes-support/nettle/nettle_2.7.1.bb
>> >> +++ b/meta/recipes-support/nettle/nettle_2.7.1.bb
>> >> @@ -2,6 +2,15 @@ SUMMARY = "A low level cryptographic library"
>> >>  HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/"
>> >>  SECTION = "libs"
>> >>  LICENSE = "LGPLv2.1 & GPLv2"
>> >
>> > I think this is wrong, whichever version you look at -- our current
>> > version is just "LGPLv2.1+", the current upstream release is "LGPLv3+
>> > | GPLv2+"
>> >
>> > I'm going to send a patch upgrading the recipe to the current upstream
>> > release (and setting license to "LGPLv3+ | GPLv2+"): it might seem
>> > like this makes gnutls effectively LGPLv3 but that actually happened
>> > last year with the gmp upgrade. Comments on this welcome.
>>
>> Alexander just pointed out to me that there was a discussion on gnutls
>> and nettle already in July (which I missed in my
>> back-from-holiday-email-binge). It seems that the consensus was to
>> preserve LGPLv2 versions.
>>
>> This is what the current situation looks like to me -- please correct me if I'm wrong:
>> * gmp is "GPLv2+ | LGPLv3+"
>> * nettle is "LGPLv2.1+" but depends on gmp
>> * gnutls is "LGPLv2.1+" but depends on nettle
>>
>> This effectively makes gnutls "GPLv2+ | LGPLv3+" as far as I can see.
>> If we want to preserve a LGPLv2 gnutls, we need to bring back an older
>> version of gmp (I think 4.2.1).
>
> I agree, recently we had to downgrade gmp to 4.2.1 in our layer to pass
> our license check. Similarly we had to check that all nettle libraries
> used in our image are LGPLv2.1 not GPLv2.0 - that's why I've suggested
> to package them separately, so that we'll see only LGPLv2.1 nettle
> package in our image.

Reading the commit log, it looks like gmp 4.2.1 was removed by
accident (the license problem was not understood at the time).
I've filed https://bugzilla.yoctoproject.org/show_bug.cgi?id=8197 for
this issue: we can continue there.

Bringing back 4.2.1 seems like the least worst option: if you have a
useful patch (other than just a revert of the removal), please let me
know.

Cheers,
 Jussi

>
> Regards,
>
>> >> +LICENSE_${PN}-cast = "CC0"
>> >> +LICENSE_${PN}-gosthash = "MIT"
>> >> +
>> >> +# both public and GPL license listed
>> >> +LICENSE_${PN}-md2 = "CC0 & LGPLv2.1+"
>> >> +LICENSE_${PN}-md4 = "CC0 & LGPLv2.1+"
>> >
>> > From the reference I had the impression this "LICENSE_something"
>> > construct would imply there is a package "something". But the nettle
>> > recipe does not produce "nettle-cast" or any of these. What is the
>> > purpose here?
>> >
>> > Thanks,
>> >  Jussi
>> >
>> >> +
>> >> +
>> >>  LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=2d5025d4aa3495befef8f17206a5b0a1 \
>> >>                      file://serpent-decrypt.c;beginline=53;endline=67;md5=bcfd4745d53ca57f82907089898e390d \
>> >>                      file://serpent-set-key.c;beginline=56;endline=70;md5=bcfd4745d53ca57f82907089898e390d"
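
Review bot: The LICENSE_${PN}-cast, LICENSE_${PN}-gosthash, LICENSE_${PN}-md2 and LICENSE_${PN}-md4 assignments name packages that nothing in the added lines shown here creates: there is no PACKAGES addition and no matching FILES_${PN}-cast (and so on), so as far as this diff shows the overrides attach to no package, and the output is still described only by LICENSE = "LGPLv2.1 & GPLv2", which mentions neither CC0 nor MIT. Either add the package split next to these lines (a PACKAGES entry and a FILES_ assignment for each name) or fold the exceptions into the recipe-level LICENSE. The comment "# both public and GPL license listed" also does not match the values under it, which say LGPLv2.1+ and join the two licenses with "&" (both apply); state which is meant, and use "|" if the files are offered under either license.
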
>> >> --
>> >> 2.3.5
>> >>
>> >> --
>> >> _______________________________________________
>> >> Openembedded-core mailing list
>> >> Openembedded-core at lists.openembedded.org
>> >> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
> --
> Martin 'JaMa' Jansa     jabber: Martin.Jansa at gmail.com
