Re: LGPL library using only LGPL-parts of partially GPL shared library (gnutls, nettle)
The Blowfish code in Nettle has already been re-implemented under
LGPLv2+ but not released yet. I am working on re-implementing Serpent
under LGPLv2+, however there are multiple and incompatible test vectors
of Serpent and it is not clear which corresponds to the "real" Serpent.
Meanwhile, perhaps the Nettle package in Debian could disable Serpent
and Blowfish, or since the Blowfish re-write mostly re-established
LGPLv2+ as the license of the old code, at least disable Serpent? I
don't believe Serpent not Blowfish are widely used anyway. Given the
unclear Serpent test vectors it might be good to disable Serpent anyway
until the problem has been sorted out, to avoid causing problems for
someone. Right now, Nettle and Libgcrypt's Serpent implementations
generate different outputs. Libgcrypt is more widely used, so I have
more confidence that it is right than Nettle, but Serpent as an
algorithm is not widely used so I don't have strong confidence in either
implementation.
/Simon
Reply to: