vanitygen icon indicating copy to clipboard operation
vanitygen copied to clipboard

Published 20 hours ago verified publisher icon samr7

debian package

Open ulrichard opened this issue 12 years ago • 8 comments

On August 20. I sent the following mail to Sam Revitch [email protected] and never got a response. I hope through this channel I will have more success.

Hi Sam,

I'm in the process of packaging your vanitygen for debian. https://mentors.debian.net/package/vanitygen

Now I ran into a copyright issue. http://lintian.debian.org/tags/possible-gpl-code-linked-with-openssl.html

I didn't know the AGPL before, so I did some research on the internet. I'm not entirely sure, but I think it has the same incompatibility with the openssl license as the GPL does. So, for me to be able to make a debian policy compliant package, you would need to add something along these lines to the copyright of vanitygen:

In addition, as a special exception, the copyright holders give permission to link the code of portions of this program with the OpenSSL library under certain conditions as described in each individual source file, and distribute linked combinations including the two. You must obey the Affero GNU General Public License in all respects for all of the code used other than OpenSSL. If you modify file(s) with this exception, you may extend this exception to your version of the file(s), but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version. If you delete this exception statement from all source files in the program, then also delete it here.

Rgds Richard

ulrichard avatar Oct 03 '13 19:10 ulrichard

If possible, link to gnutls instead and you should be good.

stephen-smith avatar Oct 20 '13 21:10 stephen-smith

This looke like a good idea. I didn't even know about GnuTLS before. So I started to port it. But then I found out that vanitygen uses elliptic curves, which it seems GnuTLS doesn't implement: https://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations#Supported_elliptic_curves Correct me if I'm wrong.

I also checked back with debian if there was a way to integrate the package without that explicit license exception, assuming that since the upstream authors chose to use OpenSSL, the're ok with the license. But debian is really strict about that, There needs to be this clause in the license of all packages that link to OpenSSL.

ulrichard avatar Oct 31 '13 09:10 ulrichard

Debian has to follow the letter of the law or they expose themselves to too much liability. Don't expect an exception.

Maybe improve GnuTLS? ;)

stephen-smith avatar Oct 31 '13 13:10 stephen-smith

This is a big issue: I'd like to see Vanitygen in Debian.

About GnuTLS, I found some references to ECDSA here, but I can't understand if secp256k1 is included.

Stemby avatar Jun 27 '14 15:06 Stemby

Another possibility might be PolarSSL:

https://packages.debian.org/wheezy/libpolarssl-dev https://polarssl.org/core-features

(secp256k1 supported)

Ciao!

Stemby avatar Jul 17 '14 00:07 Stemby

I will have a closer look at PolarSSL. LibreSSL might also be an option, as they want to be API compatible. So this would be more of a drop in raplacement than PolarSSL. On the other hand, PolarSSL is already in the repository, while LibreSSL isn't yet.

ulrichard avatar Jul 26 '14 21:07 ulrichard

Also, LibreSSL seems to have the same license problem:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754513#68

Ciao!

Stemby avatar Jul 26 '14 23:07 Stemby

Looks like a lot of functionality has to be changed. I started at : https://github.com/ulrichard/vanitygen/tree/PolarSSL

ulrichard avatar Jul 29 '14 20:07 ulrichard