LGPL library using only LGPL-parts of partially GPL shared library (gnutls, nettle)

Simon Josefsson simon at josefsson.org
Sun Feb 20 15:33:50 CET 2011

Andreas Metzler <ametzler at downhill.at.eu.org> writes:

> On 2011-02-20 Simon Josefsson <simon at josefsson.org> wrote:
>> The Blowfish code in Nettle has already been re-implemented under
>> LGPLv2+ but not released yet.  I am working on re-implementing Serpent
>> under LGPLv2+, however there are multiple and incompatible test vectors
>> of Serpent and it is not clear which corresponds to the "real" Serpent.
>> Meanwhile, perhaps the Nettle package in Debian could disable Serpent
>> and Blowfish, or since the Blowfish re-write mostly re-established
>> LGPLv2+ as the license of the old code, at least disable Serpent?
> [...]
> Hello,
> That would break the ABI and require a soname change, afaiui.

Fixing Serpent would probably require the same, since the current
implementation isn't compatible with (for example) Libgcrypt.

> I have the feeling that the discussion I started is an academic one
> anyway. Nettle's public key library (libhogweed) uses and links against
> libgmp, which is LGPLv3+. Therefore switching gnutls from gcrypt to
> nettle would break GPLv2-compatibility (GPLv2 without the "or any
> later version " clause). Oh dear.

It has been discussed to dual-license some libraries under
GPLv2+/LGPLv3+ to avoid this problem.  I wonder if this could be a way
out here.  GnuTLS 2.12 is not released (and there is not even any
release candidates), so we still have time to resolve this in a good

(I've changed gnutls-dev at gnupg.org into gnutls-devel at gnu.org which is
the current list address.)


More information about the Gnutls-devel mailing list