|Summary:||>=net-libs/gnutls-2.2.0 links against license-incompatible >=dev-libs/lzo-2.02 when USE="lzo"|
|Product:||Gentoo Linux||Reporter:||Davide Pesavento <pesa>|
|Component:||New packages||Assignee:||Crypto team [DISABLED] <crypto+disabled>|
|Package list:||Runtime testing required:||---|
Description Davide Pesavento 2007-12-15 13:27:05 UTC
GnuTLS's libgnutls-extra is released under the GPLv3 license since version 2.2.0, and thus cannot link against GPLv2-only liblzo2. Flameeyes suggested to disable lzo when USE="bindist". The license problem affects only >=lzo-2.02, because previous versions are licensed under "GPLv2 or later".
Comment 1 Alon Bar-Lev (RETIRED) 2007-12-15 16:47:19 UTC
This is odd. The COPYING file of lzo package specify "and later" clause. The source banner does not... What is stronger?
Comment 2 Robin Johnson 2007-12-16 01:02:27 UTC
alonbl: COPYING and COPYING.LIB are meant to be the verbatim GPL and LPGL, while the source banner in files says while license the given file is actually covered by.
Comment 3 Alon Bar-Lev (RETIRED) 2007-12-16 06:35:09 UTC
I don't think people are expected to enter each individual file in order to figure out the license of a package, what if there are two files with conflict license linked in the same library? This sounds crazy! Package should contain exception clause or update the generic license. Anyway, we can use the internal lzo of gnutls... And end this one.
Comment 4 Davide Pesavento 2007-12-21 16:26:40 UTC
(In reply to comment #3) > Anyway, we can use the internal lzo of gnutls... And end this one. > What do you mean by "internal implementation"? Is it a different implementation of the lzo compression algorithm or is it simply an internal copy of liblzo?
Comment 5 Alon Bar-Lev (RETIRED) 2007-12-21 21:48:47 UTC
* Change from GPLv2 to GPLv3 for command-line tools, libgnutls-extra, etc. Notice that liblzo2 2.02 is licensed under GPLv2 only. Earlier versions, such as 2.01 which is included with GnuTLS, is available under GPLv2 or later. If this incompatibility causes problems, we recommend you to disable LZO using --without-lzo. LZO compression is not a standard TLS compression algorithm, so the impact should be minimal. Btw, I just talked with Markus and he were going to release a new version of liblzo under GPLv2+GPLv3 early next year. Still, I'm not sure if it makes sense for GnuTLS to enable LZO compression by default any more. It is not a standard TLS compression algorithm. What do people think? It would also be interesting to compare it with LZMA, which has gained some popularity lately: http://www.7-zip.org/sdk.html http://tukaani.org/lzma/ Btw, liblzo* has rather few reverse dependencies on Debian, so except for gnutls liblzo isn't that widely used. Dropping it might save space on most installation. I suggest that we disable LZO by default in the next releases unless someone protests. It would still be a supported feature though.
Comment 6 Alon Bar-Lev (RETIRED) 2007-12-21 21:49:42 UTC
Opps... Unclear.... comment#5 is from upstream.
Comment 7 Davide Pesavento 2007-12-22 17:37:23 UTC
(In reply to comment #5) > [...] Earlier > versions, such as 2.01 which is included with GnuTLS, is available under > GPLv2 or later. So, seems that it's an internal copy, which is not a good thing afaik... > > Btw, I just talked with Markus and he were going to release a new > version of liblzo under GPLv2+GPLv3 early next year. > Ok, a GPLv2+GPLv3 release would be the best solution. Meanwhile we can add a "bindist" USE flag that disables lzo compression even if the user has USE="lzo". What do you think? > > I suggest that we disable LZO by default in the next releases unless > someone protests. It would still be a supported feature though. > As far as I can see, lzo is already disabled by default on Gentoo.
Comment 8 Alon Bar-Lev (RETIRED) 2008-01-18 23:09:10 UTC
Fixed in 2.2.1, thanks!
Comment 9 Jakub Moc (RETIRED) 2008-01-20 13:48:53 UTC
Created attachment 141383 [details, diff] gnutls-2.2.1.ebuild.diff Can we please handle this a bit more gracefully instead of making the ebuild die?
Comment 10 Jakub Moc (RETIRED) 2008-01-20 13:49:10 UTC
Comment 11 Alon Bar-Lev (RETIRED) 2008-01-20 15:28:03 UTC
Well... OK, but you get a different system than what you intended to...