[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: GnuTLS in Debian

On Sun, Dec 22, 2013 at 08:12:40PM +0100, Andreas Metzler wrote:
> Hello,
> Debian ist still relying heavily on GnuTLS 2.12.x, and I do not think
> this is sustainable for much longer.
> State of Play:
> ---------
> In July 2011 with version 3.0 [1] GnuTLS switched to Nettle as only
> supported crypto backend. Nettle requires GMP.
> GnuTLS and Nettle are available under LGPLv2.1+.  GMP used to be
> licensed LGPLv2.1+ ages ago but upgraded to LGPLv3+ in version 4.2.2
> (released September 2007).

So reading the copyright file I first see:
License: The main library and gnutls-xssl are licensed under GNU Lesser
General Public License (LGPL) version 2.1+, Gnutls Extra (which is currently
just the openssl wrapper library), build system, testsuite and commandline
utilities are licenced under the GNU General Public License version 3+.  The
Guile bindings use the same license as the respective underlying library,
i.e. LGPLv2.1+ for the main library and GPLv3+ for Gnutls extra.

However to be able to use and link against libgnutls a program needs to be
available under a license compatible with LGPLv3+ since GnuTLS
requires nettle which requires GMP. GMP was re-licensed to LGPLv3+ a couple
of years ago.

But later:
Excerpt from upstream's README:
Since GnuTLS version 3.0.0, the core library has been released under
the GNU Lesser General Public License (LGPL) version 3 or later.

The GNU LGPL applies to the main GnuTLS library, while the
included applications as well as gnutls-extra and gnutls-openssl
libraries are under the GNU GPL version 3.  The gnutls library is
located in the lib/ directory, while the applications in src/ and
gnutls-extra and gnutls-openssl library are at libextra/.

It seems to me that the copyright file contradicts itself,
and that not only GMP is under LGPLv3+


Reply to: