Re: GnuTLS in Debian
On Sun, Dec 22, 2013 at 08:12:40PM +0100, Andreas Metzler wrote:
> Debian ist still relying heavily on GnuTLS 2.12.x, and I do not think
> this is sustainable for much longer.
> State of Play:
> In July 2011 with version 3.0  GnuTLS switched to Nettle as only
> supported crypto backend. Nettle requires GMP.
> GnuTLS and Nettle are available under LGPLv2.1+. GMP used to be
> licensed LGPLv2.1+ ages ago but upgraded to LGPLv3+ in version 4.2.2
> (released September 2007).
So reading the copyright file I first see:
License: The main library and gnutls-xssl are licensed under GNU Lesser
General Public License (LGPL) version 2.1+, Gnutls Extra (which is currently
just the openssl wrapper library), build system, testsuite and commandline
utilities are licenced under the GNU General Public License version 3+. The
Guile bindings use the same license as the respective underlying library,
i.e. LGPLv2.1+ for the main library and GPLv3+ for Gnutls extra.
However to be able to use and link against libgnutls a program needs to be
available under a license compatible with LGPLv3+ since GnuTLS
requires nettle which requires GMP. GMP was re-licensed to LGPLv3+ a couple
of years ago.
Excerpt from upstream's README:
Since GnuTLS version 3.0.0, the core library has been released under
the GNU Lesser General Public License (LGPL) version 3 or later.
The GNU LGPL applies to the main GnuTLS library, while the
included applications as well as gnutls-extra and gnutls-openssl
libraries are under the GNU GPL version 3. The gnutls library is
located in the lib/ directory, while the applications in src/ and
gnutls-extra and gnutls-openssl library are at libextra/.
It seems to me that the copyright file contradicts itself,
and that not only GMP is under LGPLv3+