Bug#879984: libgcrypt20: copyright does not mention OCB patent license
brian m. carlson
sandals at crustytoothpaste.net
Sat Oct 28 00:08:59 UTC 2017

Package: libgcrypt20
Version: 1.7.9-1
Severity: serious

libgcrypt implements OCB, which is patented[0]. The author, Phil
Rogaway, provides three licenses.

* The first license applies to wholly open-source implementations that
  do not contain any closed-source components.
* The second license applies to non-military software implementations.
* The third license applies only to OpenSSL.

Only the first license applies here, since libgcrypt is not derived from
OpenSSL and the second license violates the DFSG.

Because libgcrypt is LGPL and may legally be linked to proprietary code,
it must contain a copy of the first patent license, as the patent
license imposes further restrictions on the way it can legally be used
and distributed. As a consequence, these terms must be listed in the
copyright file.

Because Debian must avail itself of the first patent license, it is
therefore obligatory that libgcrypt20 not link against any proprietary
code directly or indirectly, and this should be prominently disclosed as
it restricts the text of the LGPL.

If it is not possible for practical purposes that libgcrypt not link to
proprietary software (say, because libgcrypt20 is linked into Xorg and
people might want to use a proprietary graphics driver), then OCB
support will need to be removed.

[0] http://web.cs.ucdavis.edu/~rogaway/ocb/license.htm
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libgcrypt20 depends on:
ii libc6 2.24-17
ii libgpg-error0 1.27-3
libgcrypt20 recommends no packages.
Versions of packages libgcrypt20 suggests:
pn rng-tools <none>
-- no debconf information
--
brian m. carlson / brian with sandals: Houston, Texas, US
https://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: https://keybase.io/bk2204