Clarifying the GnuPG License

Henry Hertz Hobbit hhhobbit at securemecca.net
Wed Jun 12 20:53:35 CEST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 06/12/2013 09:49 AM, Nils Faerber wrote:
> Am 12.06.2013 07:24, schrieb Navin:
>> Hi,
> Hi!
> 
>> Since GnuPG comes under the GPL, I would like to clarify if a
>> person's proprietary software makes use of GnuPG purely by
>> invocation of the command line commands, and the GnuPG exe's and
>> DLL's are bundled unmodified with the person's proprietary
>> software, can the person use GnuPG commercially in this manner
>> without having to publish his/her source code?
> 
> IANAL but from my understanding:
> 1. by invocation of the commandline commands: Yes
> 2. invocation of GnuPG exe: Yes
> 3. Linking, dynamically or statically, against a GnuPG DLL, presumed
>    that it is licensed under GPL: No
> 
> The DLL usage would require the DLL to be licensed under LGPL,
> which is the very reason why LGPL was invented.
> 
> I am not sure which parts of the GnuPG suite are licensed under
> which license though, e.g. if the GnuPG DLL (if such exists at all)
> is licensed GPL or LGPL.

I am in agreement on the constraints Nils Faerber gives.

You were not specific as to the OS but since most distros of
Linux have GnuPG bundled I am assuming a Windows OS target.

Merging any of the GnuPG / PGP4WIN files into your install folder
may get you into trouble.  It is because it makes it seem like
you own the binaries.  You don't so they should not be in your
app folder.

There are 76 DLL files in the main folder for 2.0.17 (GPG4WIN).
Licensing for things like GPGOL DLL is LGPL.  Most other DLLs do
not give me the licensing information (looking at actual strings
in the binary files). All the 46 EXE files I looked at were GPLv3
but I didn't look at all of them so some may be GPLv2.  Basically,
consider the GPG4WIN bundle to be a GPLv3 product.

The last time I looked at it, I had to install GPG4Win or
one of the GPG 1.x installs before I put Enigmail in Thunderbird
on Windows. Enigmail is licensed under MPLv2/GPLv2 to avoid
licensing issues.  If Enigmail doesn't bundle when they have
compatible licensing then neither should you bundle.

I would have people download and install GPG4WIN themselves.
Under no circumstances link in any of the DLL files to avoid
licensing issues.  gpg.exe and some other EXE files and
iconv.dll are in the %ProgramFiles%\GNU\GnuPG\pub folder which
is added to the %PATH% in the install for command line use.
Ergo, there is no need to bundle if you use gpg.exe on the
command line.

HHH

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

-----END PGP SIGNATURE-----


