Better proxy support available via libcurl?

David Shaw dshaw at jabberwocky.com
Thu Aug 3 17:55:02 CEST 2006


On Thu, Aug 03, 2006 at 04:51:19PM +0200, Werner Koch wrote:
> On Thu,  3 Aug 2006 16:17, David Shaw said:
> 
> > That's not the case though - they were designed intentionally to be
> > able to run outside of GPG for general keyserver access.  That's one
> 
> They are part of GnuPG proper.  They are external helpers to isolate
> network access from the actual encryption process.  Russell Coker
> asked me right after he started to work on SELinux for such a feature.

I never spoke with Russell Coker, so all I can say is my intent when I
wrote the keyserver code was that they could be callable outside of
GPG.  I explicitly designed the API to be able to do this.  I was a
little surprised when people actually DID do this, as I didn't think
anyone would, but nevertheless, the intent was to make it possible.

> > Valid questions have been raised about distributing binaries.  I'm
> > certainly okay with doing nothing, so long as it isn't going to leave
> > us in a state where people can't or won't package and distribute
> > GnuPG for fear of violating the license.
> 
> It is not only about GnuPG, it is about most non-trivial GPL packages.
> My point here is to not forget about these things and work on a
> solution.  Printing a warning is something which would help to raise
> awareness of this problem.

I think a warning would have to have so many qualifications it would
just confuse people: "Warning: this build of GnuPG has optional
portions which are linked to libcurl which in turn uses OpenSSL.  You
may or may not be able to distribute these portions in binary form
depending on whether the target platform considers OpenSSL part of the
OS or not, and whether OpenSSL can be considered part of the OS in the
first place".  Even that is hard for gpgkeys_ldap where you can't
easily tell if you're using OpenSSL or not, or even if the LDAP
library is GPL-compatible.

Like I said, I'm perfectly okay doing nothing, but now that the issue
has been raised, it is difficult to just drop, as we have a problem
today that needs an answer: it has been asserted that distributing
binaries of GnuPG that link to libcurl built on OpenSSL violates the
GPL.  That is to say, it is *against the law* to do so, and the
copyright holder of GnuPG (FSF) could, if they chose to, take the
infringer to court.

It is not right to make such a statement and then walk away.  All that
accomplishes is to create FUD, and if a packager decides to throw up
their hands and not package GnuPG rather than get involved in these
questions, then we have caused harm.

I think we need an official answer yes or no whether this is legal as
things are now.  It is difficult to design for the future if we do not
know where we stand today.

David



More information about the Gnupg-devel mailing list