[Catalog-sig] [Draft] Package signing and verification process

Vinay Sajip vinay_sajip at yahoo.co.uk
Fri Feb 8 00:13:03 CET 2013


Jesse Noller <jnoller <at> gmail.com> writes:

> It's less about keeping "me" happy: I'm fine with a model that if GPG exists,
> it's used, silently (not linked against in any way though in core Python -
> license incompatible).

Right, but it may be OK for pip (or other Python tool with a non-GPL-compatible
license) to bundle a version for use on Windows (just two files - gpg.exe and
iconv.dll). The GPL FAQ has a couple of entries which may be relevant
to whether unmodified GPL binaries can be bundled with software which is not
compatible with the GPL:

1. https://www.gnu.org/licenses/gpl-faq.html#GPLCompatInstaller

2. https://www.gnu.org/licenses/gpl-faq.html#MereAggregation

It would seem that all that needs to be done is to provide a link whereby the
source corresponding to the shipped binary is available to a user of the binary
(i.e. any user of pip or a similar tool). Certainly, the GPL FAQ seems to say
that connecting to gpg via fork/exec and communicating with it via pipes does
not constitute a combined or derivative work.

Might it be worth asking a PSF lawyer to see what they think? If the couple of
GnuPG files can be bundled, it removes a hurdle from the usability point of
view: users don't need to install anything besides pip.

Regards,

Vinay Sajip
