[OE-core] [PATCH V2 7/7] opkg-keyrings: New recipe

[Richard Tollerton]

Paul Barker <paul at paulbarker.me.uk> writes:

> On Tue, Feb 10, 2015 at 06:43:34PM -0600, Richard Tollerton wrote:
>> Paul Barker <paul at paulbarker.me.uk> writes:
>> 
>> > This recipe wraps package and package feed verification keys into a package,
>> > making the management and deployment of verification keys much easier. Comments
>> > on how to select keys for inclusion in this package are provided in the recipe
>> > file.
>> 
>> Would you be receptive to this package being extended to support OpenSSL
>> keys?
>
> I wouldn't advise it.
>
> There is no 'OpenSSL exception' in the opkg license and so a few people have
> been worried that shipping binaries of opkg linked against OpenSSL is a breach
> of the respective licenses. IANAL, but people have been concerned.

Do you recall if this is specifically because OpenSSL is statically
linked into libopkg? (Why is that done, anyway?)

> OpenSSL support is probably less tested than gpg support as well.
>
> However, if it's something you're already using, have tested and are comfortable
> with the licensing implications then go for it.

Meh. We've got some existing OpenSSL infrastructure for other operating
systems, so we were kinda sliding into an OpenSSL-based opkg setup by
sheer inertia. But if gnupg is going to align better with everybody else
long term, it's not too late to change directions.