Add GnuPG to Omnibus for improved GPG key support
Related to https://gitlab.com/gitlab-org/gitlab-ce/issues/36845
We need to package GnuPG and possibly GPGME as part of omnibus to support Ed25519 keys.
cc @marin @DouweM this came from https://gitlab.com/gitlab-org/gitlab-ce/issues/36845#note_39249673
Update after research:
As an overview, this is the relationship between packages. I will try to figure out more about how they actually interact, but at a glance they are basically build dependencies with acceptable licenses. Black lines show the build-depends relation (gnupg is not a build dependency of gpgme, but rather a runtime one).
Licenses
- libgpg-error: GPL 2 and LGPL 2.1+. Debian lists LGPL 2.1 as the license. From the README:
Libgpg-error is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. See the file COPYING.LIB for copyright and warranty information. See the file AUTHORS for a list of authors and important mail addresses. However, some files (for example src/mkerrnos.awk) used in the build process of the library and the manual are covered by a different license. Please see the header of these files and the file COPYING for copyright and warranty information on these files. A special exception in the copyright license of these files makes sure that the output in the build process, which is used in libgpg-error, is not affected by the GPL.
TLDR; output is not affected by the GPL
- libassuan: LGPL 2.1+ and GPL 3+. From the README: See COPYING.LIB on how to share, modify and distribute the software itself (LGPLv2.1+)
- libksba: LGPL3+ or GPL2+. From AUTHORS:
| KSBA is free software; you can redistribute it and/or modify
| it under the terms of either
|
| - the GNU Lesser General Public License as published by the Free
| Software Foundation; either version 3 of the License, or (at
| your option) any later version.
|
| or
|
| - the GNU General Public License as published by the Free
| Software Foundation; either version 2 of the License, or (at
| your option) any later version.
|
| or both in parallel, as here.
TLDR: we can distribute it under LGPL3+
- libgcrypt: LGPL 2.1+ and GPL 2+. From AUTHORS: License (library): LGPLv2.1+, License (manual and tools): GPLv2+
- gnupg: Bunch of licenses - GPL 3, GPL 2, CC 0, LGPL 2.1, LGPL 3, Other. It is basically GPL3+, from doc/HACKING:
** License policy
GnuPG is licensed under the GPLv3+ with some files under a mixed LGPLv3+/GPLv2+ license. It is thus important, that all contributed code allows for an update of the license; for example we can't accept code under the GPLv2(only).
From my understanding, gpgme uses the gpg executable that is available from gnupg for its operation. In other words, gpgme is basically a wrapper library around the gpg executable so that other software can easily access gpg functionality. Hence, I guess use of gpg (thus, gnupg) comes under mere aggregation.