gnutls/nettle/gmp licensing and versions

gnutls/nettle/gmp licensing and versions

[Jussi Kukkonen]

On 12 August 2015 at 17:14, Jussi Kukkonen <jussi.kukkonen@intel.com> wrote:
> Hi,
>
> I realise I'm a bit late (with the commit in master already) but I'm
> looking at upgrading this recipe and had some questions on this patch
> and the recipe in general.
>
> On 9 August 2015 at 08:28, Armin Kuster <akuster808@gmail.com> wrote:
>> adding the license definitions on the few packages that
>> deviate from the overall package license.
>>
>> based on http://www.lysator.liu.se/~nisse/nettle/nettle.html#Copyright
>> and spot checking files.
>>
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ---
>>  meta/recipes-support/nettle/nettle_2.7.1.bb | 9 +++++++++
>>  1 file changed, 9 insertions(+)
>>
>> diff --git a/meta/recipes-support/nettle/nettle_2.7.1.bb b/meta/recipes-support/nettle/nettle_2.7.1.bb
>> index f53afcc..f9d331f 100644
>> --- a/meta/recipes-support/nettle/nettle_2.7.1.bb
>> +++ b/meta/recipes-support/nettle/nettle_2.7.1.bb
>> @@ -2,6 +2,15 @@ SUMMARY = "A low level cryptographic library"
>>  HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/"
>>  SECTION = "libs"
>>  LICENSE = "LGPLv2.1 & GPLv2"
>
> I think this is wrong, whichever version you look at -- our current
> version is just "LGPLv2.1+", the current upstream release is "LGPLv3+
> | GPLv2+"
>
> I'm going to send a patch upgrading the recipe to the current upstream
> release (and setting license to "LGPLv3+ | GPLv2+"): it might seem
> like this makes gnutls effectively LGPLv3 but that actually happened
> last year with the gmp upgrade. Comments on this welcome.

Alexander just pointed out to me that there was a discussion on gnutls
and nettle already in July (which I missed in my
back-from-holiday-email-binge). It seems that the consensus was to
preserve LGPLv2 versions.

This is what the current situation looks to me -- please correct if I'm wrong:
* gmp is "GPLv2+ | LGPLv3+"
* nettle is "LGPLv2.1+" but depends on gmp
* gnutls "LGPLv2.1+" but depends on nettle

This effectively makes gnutls "GPLv2+ | LGPLv3+" as far as I can see.
If we want to preserve a LGPLv2 gnutls, we need to bring back an older
version of gmp (I think 4.2.1).


>> +LICENSE_${PN}-cast = "CC0"
>> +LICENSE_${PN}-gosthash = "MIT"
>> +
>> +# both public and GPL license listed
>> +LICENSE_${PN}-md2 = "CC0 & LGPLv2.1+"
>> +LICENSE_${PN}-md4 = "CC0 & LGPLv2.1+"
>
> From the reference I had the impression this "LICENSE_something"
> construct would imply there is a package "something". But the nettle
> recipe does not produce "nettle-cast" or any of these. What is the
> purpose here?
>
> Thanks,
>  Jussi
>
>> +
>> +
>>  LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=2d5025d4aa3495befef8f17206a5b0a1 \
>>                      file://serpent-decrypt.c;beginline=53;endline=67;md5=bcfd4745d53ca57f82907089898e390d \
>>                      file://serpent-set-key.c;beginline=56;endline=70;md5=bcfd4745d53ca57f82907089898e390d"
>> --
>> 2.3.5
>>
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core

Re: gnutls/nettle/gmp licensing and versions

[Martin Jansa]

[-- Attachment #1: Type: text/plain, Size: 4011 bytes --]

On Thu, Aug 13, 2015 at 03:42:45PM +0300, Jussi Kukkonen wrote:
> On 12 August 2015 at 17:14, Jussi Kukkonen <jussi.kukkonen@intel.com> wrote:
> > Hi,
> >
> > I realise I'm a bit late (with the commit in master already) but I'm
> > looking at upgrading this recipe and had some questions on this patch
> > and the recipe in general.
> >
> > On 9 August 2015 at 08:28, Armin Kuster <akuster808@gmail.com> wrote:
> >> adding the license definitions on the few packages that
> >> deviate from the overall package license.
> >>
> >> based on http://www.lysator.liu.se/~nisse/nettle/nettle.html#Copyright
> >> and spot checking files.
> >>
> >> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> >> ---
> >>  meta/recipes-support/nettle/nettle_2.7.1.bb | 9 +++++++++
> >>  1 file changed, 9 insertions(+)
> >>
> >> diff --git a/meta/recipes-support/nettle/nettle_2.7.1.bb b/meta/recipes-support/nettle/nettle_2.7.1.bb
> >> index f53afcc..f9d331f 100644
> >> --- a/meta/recipes-support/nettle/nettle_2.7.1.bb
> >> +++ b/meta/recipes-support/nettle/nettle_2.7.1.bb
> >> @@ -2,6 +2,15 @@ SUMMARY = "A low level cryptographic library"
> >>  HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/"
> >>  SECTION = "libs"
> >>  LICENSE = "LGPLv2.1 & GPLv2"
> >
> > I think this is wrong, whichever version you look at -- our current
> > version is just "LGPLv2.1+", the current upstream release is "LGPLv3+
> > | GPLv2+"
> >
> > I'm going to send a patch upgrading the recipe to the current upstream
> > release (and setting license to "LGPLv3+ | GPLv2+"): it might seem
> > like this makes gnutls effectively LGPLv3 but that actually happened
> > last year with the gmp upgrade. Comments on this welcome.
> 
> Alexander just pointed out to me that there was a discussion on gnutls
> and nettle already in July (which I missed in my
> back-from-holiday-email-binge). It seems that the consensus was to
> preserve LGPLv2 versions.
> 
> This is what the current situation looks to me -- please correct if I'm wrong:
> * gmp is "GPLv2+ | LGPLv3+"
> * nettle is "LGPLv2.1+" but depends on gmp
> * gnutls "LGPLv2.1+" but depends on nettle
> 
> This effectively makes gnutls "GPLv2+ | LGPLv3+" as far as I can see.
> If we want to preserve a LGPLv2 gnutls, we need to bring back an older
> version of gmp (I think 4.2.1).

I agree, recently we had to downgrade gmp to 4.2.1 in our layer to pass
our license check. Similarly we had to check that all nettle libraries
used in our image are LGPLv2.1 not GPLv2.0 - that's why I've suggested
to package them separately, so that we'll see only LGPLv2.1 nettle
package in our image.

Regards,

> >> +LICENSE_${PN}-cast = "CC0"
> >> +LICENSE_${PN}-gosthash = "MIT"
> >> +
> >> +# both public and GPL license listed
> >> +LICENSE_${PN}-md2 = "CC0 & LGPLv2.1+"
> >> +LICENSE_${PN}-md4 = "CC0 & LGPLv2.1+"
> >
> > From the reference I had the impression this "LICENSE_something"
> > construct would imply there is a package "something". But the nettle
> > recipe does not produce "nettle-cast" or any of these. What is the
> > purpose here?
> >
> > Thanks,
> >  Jussi
> >
> >> +
> >> +
> >>  LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=2d5025d4aa3495befef8f17206a5b0a1 \
> >>                      file://serpent-decrypt.c;beginline=53;endline=67;md5=bcfd4745d53ca57f82907089898e390d \
> >>                      file://serpent-set-key.c;beginline=56;endline=70;md5=bcfd4745d53ca57f82907089898e390d"
> >> --
> >> 2.3.5
> >>
> >> --
> >> _______________________________________________
> >> Openembedded-core mailing list
> >> Openembedded-core@lists.openembedded.org
> >> http://lists.openembedded.org/mailman/listinfo/openembedded-core
> -- 
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core

-- 
Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 188 bytes --]

Re: gnutls/nettle/gmp licensing and versions

[Jussi Kukkonen]

On 18 August 2015 at 11:35, Martin Jansa <martin.jansa@gmail.com> wrote:
> On Thu, Aug 13, 2015 at 03:42:45PM +0300, Jussi Kukkonen wrote:
>> On 12 August 2015 at 17:14, Jussi Kukkonen <jussi.kukkonen@intel.com> wrote:
>> > Hi,
>> >
>> > I realise I'm a bit late (with the commit in master already) but I'm
>> > looking at upgrading this recipe and had some questions on this patch
>> > and the recipe in general.
>> >
>> > On 9 August 2015 at 08:28, Armin Kuster <akuster808@gmail.com> wrote:
>> >> adding the license definitions on the few packages that
>> >> deviate from the overall package license.
>> >>
>> >> based on http://www.lysator.liu.se/~nisse/nettle/nettle.html#Copyright
>> >> and spot checking files.
>> >>
>> >> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> >> ---
>> >>  meta/recipes-support/nettle/nettle_2.7.1.bb | 9 +++++++++
>> >>  1 file changed, 9 insertions(+)
>> >>
>> >> diff --git a/meta/recipes-support/nettle/nettle_2.7.1.bb b/meta/recipes-support/nettle/nettle_2.7.1.bb
>> >> index f53afcc..f9d331f 100644
>> >> --- a/meta/recipes-support/nettle/nettle_2.7.1.bb
>> >> +++ b/meta/recipes-support/nettle/nettle_2.7.1.bb
>> >> @@ -2,6 +2,15 @@ SUMMARY = "A low level cryptographic library"
>> >>  HOMEPAGE = "http://www.lysator.liu.se/~nisse/nettle/"
>> >>  SECTION = "libs"
>> >>  LICENSE = "LGPLv2.1 & GPLv2"
>> >
>> > I think this is wrong, whichever version you look at -- our current
>> > version is just "LGPLv2.1+", the current upstream release is "LGPLv3+
>> > | GPLv2+"
>> >
>> > I'm going to send a patch upgrading the recipe to the current upstream
>> > release (and setting license to "LGPLv3+ | GPLv2+"): it might seem
>> > like this makes gnutls effectively LGPLv3 but that actually happened
>> > last year with the gmp upgrade. Comments on this welcome.
>>
>> Alexander just pointed out to me that there was a discussion on gnutls
>> and nettle already in July (which I missed in my
>> back-from-holiday-email-binge). It seems that the consensus was to
>> preserve LGPLv2 versions.
>>
>> This is what the current situation looks to me -- please correct if I'm wrong:
>> * gmp is "GPLv2+ | LGPLv3+"
>> * nettle is "LGPLv2.1+" but depends on gmp
>> * gnutls "LGPLv2.1+" but depends on nettle
>>
>> This effectively makes gnutls "GPLv2+ | LGPLv3+" as far as I can see.
>> If we want to preserve a LGPLv2 gnutls, we need to bring back an older
>> version of gmp (I think 4.2.1).
>
> I agree, recently we had to downgrade gmp to 4.2.1 in our layer to pass
> our license check. Similarly we had to check that all nettle libraries
> used in our image are LGPLv2.1 not GPLv2.0 - that's why I've suggested
> to package them separately, so that we'll see only LGPLv2.1 nettle
> package in our image.

Reading the commit log, it looks like gmp 4.2.1 was removed by
accident (the license problem was not understood at the time).
I've filed https://bugzilla.yoctoproject.org/show_bug.cgi?id=8197 for
this issue: we can continue there.

Bringing back 4.2.1 seems like the least worst option: if you have a
useful patch (other than just a revert of the removal), please let me
know.

Cheers,
 Jussi

>
> Regards,
>
>> >> +LICENSE_${PN}-cast = "CC0"
>> >> +LICENSE_${PN}-gosthash = "MIT"
>> >> +
>> >> +# both public and GPL license listed
>> >> +LICENSE_${PN}-md2 = "CC0 & LGPLv2.1+"
>> >> +LICENSE_${PN}-md4 = "CC0 & LGPLv2.1+"
>> >
>> > From the reference I had the impression this "LICENSE_something"
>> > construct would imply there is a package "something". But the nettle
>> > recipe does not produce "nettle-cast" or any of these. What is the
>> > purpose here?
>> >
>> > Thanks,
>> >  Jussi
>> >
>> >> +
>> >> +
>> >>  LIC_FILES_CHKSUM = "file://COPYING.LIB;md5=2d5025d4aa3495befef8f17206a5b0a1 \
>> >>                      file://serpent-decrypt.c;beginline=53;endline=67;md5=bcfd4745d53ca57f82907089898e390d \
>> >>                      file://serpent-set-key.c;beginline=56;endline=70;md5=bcfd4745d53ca57f82907089898e390d"
>> >> --
>> >> 2.3.5
>> >>
>> >> --
>> >> _______________________________________________
>> >> Openembedded-core mailing list
>> >> Openembedded-core@lists.openembedded.org
>> >> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>> --
>> _______________________________________________
>> Openembedded-core mailing list
>> Openembedded-core@lists.openembedded.org
>> http://lists.openembedded.org/mailman/listinfo/openembedded-core
>
> --
> Martin 'JaMa' Jansa     jabber: Martin.Jansa@gmail.com