On Wed, Aug 29, 2018 at 10:53:01AM +0200, Ævar Arnfjörð Bjarmason wrote: > > On Wed, Aug 29 2018, brian m. carlson wrote: > > > Generally, one gets better performance out of cryptographic routines > > written in assembly than C, and this is also true for SHA-256 > > It makes sense to have a libgcrypt implementation... > > > In addition, most Linux distributions cannot distribute Git linked > > against OpenSSL for licensing reasons. > > ...but I'm curious to know what licensing reasons these are, e.g. Debian > who's usually the most strict about these things distributes git linked > to OpenSSL: On my Debian system, that's linked to libgnutls. The reason is section 3 of the GPLv2 (emphasis mine): 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form **under the terms of Sections 1 and 2 above** provided that you also do one of the following: [provide source somehow] The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. **However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.** Basically, you can only distribute binary versions of Git under the terms of the GPLv2, and you have to distribute source for the entire thing under those terms. OpenSSL is licensed incompatibly with the GPLv2, so you can't legally comply with that part, but if you use the system OpenSSL and don't distribute that OpenSSL with Git, you're exempt. This is called the system library exception. Debian (and Red Hat, and every other Linux distro) ships Git and OpenSSL side by side on the same mirrors, and hence "that component [OpenSSL] accompanies the executable." Consequently, they can't take advantage of the exception, and must link it to a GPLv2 compatible library. Debian uses GnuTLS for libcurl, and Red Hat uses NSS. A more comprehensive explanation of the whole thing is here: https://people.gnome.org/~markmc/openssl-and-the-gpl.html -- brian m. carlson: Houston, Texas, US OpenPGP: https://keybase.io/bk2204
Attachment:
signature.asc
Description: PGP signature