some opencdk history

Nikos Mavrogiannopoulos nmav at
Wed Jul 9 18:48:58 CEST 2008

Daniel Kahn Gillmor wrote:
> On Sat 2008-07-05 01:21:56 -0700, Nikos Mavrogiannopoulos wrote:
>> I've finally found some time to check your patch and I have some
>> remarks. The first is about patches in opencdk. The opencdk library
>> included in gnutls is a crippled version of the "full" opencdk
>> library by Timo Schulz. This crippling was done for mainly two
>> reasons. The full opencdk library contained GPL code that forced us
>> to include the openpgp support only in libextra, and the second is
>> that we only wanted to include the parts of opencdk we used.
> Cool, thanks for the explanation, Nikos.  Are you saying that the
> OpenPGP pieces of GnuTLS themselves are now *not* in libextra, then?
> That they currently fall under the LGPL instead?  I know that there
> have been a lot of changes recently, but I haven't followed them
> closely enough to know here.
> Was it necessary to remove the pieces that were removed *because* they
> were only under the GPL, not the LGPL?  

This wasn't the only reason. Of course the GPL parts had to be removed,
but there were also some other parts under LGPL that we didn't use at
that time in gnutls and/or required some rewriting, so they were also

> Was there a copyright assignment over the OpenCDK sources to the FSF?
> If so, is the FSF willing to consider re-licensing the code under LGPL
> so that we can include all the functionality instead of just part of
> it?

Yes, the FSF has relicensed all the parts of opencdk that we needed for
proper openpgp certificate support in gnutls. Those are the parts that
are now included.

> Actually, the patch as it stands does add something to the
> capabilities of libgnutls: consider the case where you have a
> passphrase-encrypted OpenPGP secret key.  Without the patch, GnuTLS
> will actually choke on the key itself and be unable to even create a
> gnutls_openpgp_privkey_t from the data (encountering the S2K chunk in
> the protected key caused a CDK_Not_Implemented).
> With the patch, GnuTLS can create a gnutls_openpgp_privkey_t from such
> a key.  It won't be able to manipulate the key cleanly for any purpose
> that requires access to the secret MPIs themselves because they are
> locked, but GnuTLS will still be able to do all of the pubkey

Ah ok... But still in the master git branch some things are required to
be added for this patch to work (I remember something that had to do
with symmetric encryption was missing). Would you like to add this part
as well?

> I consider this to be a useful step (and a bugfix worth pushing into
> the 2.4.x lines in its own right).  I'm also working on trying to take
> the patches one level further, as you suggest, but I think that
> proposed change stands alone.

Ok. I'll include this patch in 2.4.x as well.

