Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1019408

Summary: gnutls is now effectively LPGLv3+
Product: Red Hat Enterprise Linux 7 Reporter: Daniel Berrangé <berrange>
Component: gnutlsAssignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: danw, hkario, jorton, ksrot, nmavrogi, pvrabec, tmraz
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 986347 Environment:
Last Closed: 2014-11-06 09:24:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1110689    
Bug Blocks:    

Description Daniel Berrangé 2013-10-15 16:15:20 UTC 
+++ This bug was initially created as a clone of Bug #986347 +++

gnutls 3.x depends on nettle, which depends on gmp, which is LGPLv3+. :-/

Per the matrix-of-doom, this means gnutls can no longer be used by GPLv2-only code...

repoquery turns up: climm, connman, cups, ekg2-jabber, gloox, jd, openvasscanner, suricata, xfce4-mailwatch-plugin

(Inspired by https://bugzilla.gnome.org/show_bug.cgi?id=704503, which doesn't show up in the above list because nothing actually links directly to glib-networking. I don't know exactly what that means licensingwise.)

Not sure what we need to do here...

--- Additional comment from Tomas Mraz on 2013-07-19 14:53:41 BST ---

I certainly cannot do anything with it in gnutls. Although it was my mistake to not consider this.

--- Additional comment from Tomas Mraz on 2013-07-19 14:59:13 BST ---

Reverting to 2.12 is basically impossible.

--- Additional comment from Dan Winship on 2013-07-19 15:59:03 BST ---

Yeah, I'm not sure what should be done, or by who, but clearly someone needs to do something... at the moment we are shipping some packages in f19 in violation of their licenses.

--- Additional comment from Tomas Mraz on 2013-07-19 16:14:20 BST ---

Also note that we've been shipping traditionally GPLv2 applications linked against openssl which was also licensing violation but we declared openssl being part of the OS platform.
I think there still are some applications that do not have the exception to link to OpenSSL although they're GPLv2(+), I did not verify this though and I am also unsure whether this applies to the current situation with gnutls.

--- Additional comment from Tomas Mraz on 2013-07-19 16:16:16 BST ---

I can't see much else that can be done than creating bug reports against the packages mentioned above and fix them to either link to something else if possible or in the corner case just drop it from the Fedora?

--- Additional comment from Tomas Mraz on 2013-07-19 16:34:30 BST ---

For example cups can be linked against openssl and now has even the license exception for that.

--- Additional comment from Tomas Mraz on 2013-07-19 16:38:02 BST ---

Comment from gnutls-devel mailing list.

This seems to be adressed on the GnuTLS download page:

1. Gmplib is under LGPLv3. Older versions of gmplib under LGPLv2 are also supported.

So I guess the easiest way would be to fork the LGPLv2 version of gmplib for gnutls use and GPLv2 programs should be in the clear.


Juho
Comment 7 Nikos Mavrogiannopoulos 2014-01-28 15:15:58 UTC 
It seems GMP is being re-licensed to GPLv2+LGPLv3 so it can be compatible with GPLv2-only software. While the released version with RHEL will not have this license, I think that the issue can be resolved by updating to the new gmplib once that is available (may take few weeks).

https://gmplib.org/repo/gmp/rev/02634effbd4e
Comment 11 Tomas Mraz 2014-11-06 09:24:32 UTC 
I think it can be closed as duplicate of that bug.

*** This bug has been marked as a duplicate of bug 1110689 ***