LDAP keyserver patch

David Shaw dshaw at jabberwocky.com
Wed Sep 12 23:12:02 CEST 2001

On Wed, Sep 12, 2001 at 12:42:02AM -0500, gnupg-devel at thewrittenword.com wrote:
> On Mon, Sep 10, 2001 at 07:58:18AM +0200, Florian Weimer wrote:
> > David Shaw <dshaw at jabberwocky.com> writes:
> > 
> > > Included in the patch is a helper application for LDAP and another one
> > > for email keyservers.  You need OpenLDAP installed to enable LDAP
> > > support.
> > 
> > Note that the OpenLDAP license is in a constant flux.  The most recent
> > version (2.7) seems to be GPL-compatible (so that you can distribute
> > binaries), but some of the previous ones were definitely not.
> > 
> > I don't know if the current GPL compatibility is a mere accident, or
> > if it is by design.
> It is by design. We were going to bring up the issue and emailed
> licensing at gnu.org but were told not to as RMS was going to handle
> this. I emailed licensing at gnu.org to confirm the 2.7 license as being
> GPL compatible and received a response that RMS has agreed that it is.
> You will need to find a version of OpenLDAP with this license to be
> able to use it though (I have not looked at the license on the latest
> 1.2 and 2.0 versions). Note though that I think this applies mainly to
> commercial unixen that do not have OpenLDAP as part of the base OS
> (same exception clause that allows GPL software on Solaris to link
> against Solaris libc).
> Note that OpenLDAP 2.0.x can use SASL which uses OpenSSL. The OpenSSL
> license is *incompatible* with the GPL. So, I believe (IANAL)
> that OpenLDAP + Cyrus SASL would be incompatible with the GPL (hence
> incompatible with GnuPG). Ugh! To overcome this, some GPL programs
> like fetchmail add the following to the GPL license:
>   Specific permission is granted for this code to be linked to OpenSSL
>   (this is necessary because the OpenSSL license is not GPL-compatible).

Interesting.  I did have a similar note in the gpgkeys_ldap code to
allow it to be linked with OpenLDAP, but if the OpenLDAP licence is
now GPL-compatible, then that is great.

I don't use OpenSSL in the patch, and given the design of the
keyservers it isn't likely to be needed - there is a notion of
authenticated communication with the keyservers, but that can be done
with a signed (via GnuPG itself) LDAP request.


   David Shaw  |  dshaw at jabberwocky.com  |  WWW http://www.jabberwocky.com/
   "There are two major products that come out of Berkeley: LSD and UNIX.
      We don't believe this to be a coincidence." - Jeremy S. Anderson