From: Vagrant Cascadian
Subject: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others
Date: Wed, 06 Mar 2019 20:17:10 -0800
Message-ID: <87ftrzuxmh.fsf@ponder>
References: <87tvgkiurn.fsf@ponder> <87zhq8f2zz.fsf@gnu.org>
In-Reply-To: <87zhq8f2zz.fsf@gnu.org>
To: Ludovic Courtès
Cc: 34717@debbugs.gnu.org

On 2019-03-06, Ludovic Courtès wrote:
> Vagrant Cascadian wrote:
>
>> The u-boot package definition includes openssl among its inputs, but
>> is also a GPL2+ software project... but the GPL and OpenSSL licenses are
>> incompatible:
>>
>> https://www.gnu.org/licenses/license-list.html#OpenSSL
>
> Thanks for bringing it up.
>
>> I'm not sure if there's a simple way to search for other packages with
>> license:gpl and openssl as an input in order to do a quick pass at
>> auditing... some packages may use the openssl binary as part of the
>> build process or tests, and not linking any GPLed code against it; in
>> those cases there would be no license conflict.
>
> openssl@1.0 has 7,029 dependent packages, so it may be hard to sort it
> out. I wonder what would be the best way to approach it.

How many of them are also license:gpl* though? That would hopefully reduce the scope somewhat, or maybe even significantly...

If "guix package --search= ..." could be extended to also search other fields, e.g. license: and dependencies: ... it might not be so difficult a search.

>> In the Debian u-boot packaging, some of the features using openssl are
>> disabled, and some of the u-boot targets that require openssl are not
>> part of the packages. I'd be happy to help with making such adjustments
>> if this is deemed the better approach for u-boot specifically.
>
> That’d be great. We could definitely remove the OpenSSL dependency when
> it’s not needed.

For what it's worth, I did do local builds of all the current u-boot-* targets in guix with openssl removed from inputs, and the only one that failed to build without openssl was u-boot-tools.

> In cases where it is needed, it would be nice to see what it’s used
> for. Many projects use OpenSSL just for its cryptographic hash
> functions, for example, and there’s plenty of options to choose from if
> that’s all that’s needed (Gcrypt, Nettle, etc.).

I think it is using it for generating and verifying rsa signatures, and probably other similar basic things. So far I had only thought about gnutls, but if gcrypt or nettle are other options, then so much the better.

I briefly looked at gnutls's openssl compatibility layers, but it didn't seem to implement sufficiently similar include files, which is largely all that it is doing.

> I guess this should be discussed with upstream.

I did bring it upstream a little over a year ago, and the response was pretty much to rewrite it with gnutls, and I pointed out the most likely files that needed updating:

https://lists.denx.de/pipermail/u-boot/2017-November/312483.html
https://lists.denx.de/pipermail/u-boot/2017-December/313616.html
https://lists.denx.de/pipermail/u-boot/2017-December/313742.html

I suspect it's pretty much a "patches accepted" sort of scenario.

live well,
vagrant