[Gpg4win-users-en] Switch from GPLv2 to GPLv3?

Peter Rust peter at cornerstonenw.com
Thu Oct 15 21:22:36 CEST 2015


Andre,

> you want to use gpgv.exe from the "Simple installer for GnuPG classic"

Thank you! At first 1.4.x/classic made me nervous because I thought it was
old & unmaintained, but then I read this post
<http://security.stackexchange.com/a/78840/72611> which assured me that
this wasn't the case. The small, self-contained executable is ideal for our
use-case.

I tried "gpgv.exe" (isn't in "classic", just "modern"), but it looks like
it can only verify files, it can't decrypt them. And it's actually a larger
filesize (when combined with dependencies like libgcrypt) than the
standalone classic exe, so I think I'm going to go with the classic gpg.exe.

> if you distribute a binary you are responsible to also provide the code
> (at least when asked)

I did some more reading & found this on the GPL FAQ (#SourceAndBinaryOnDifferentSites
<http://www.gnu.org/licenses/gpl-faq.en.html#SourceAndBinaryOnDifferentSites>):

> Can I put the binaries on my Internet server and put the source on a
> different Internet site?


> Yes. Section 6(d) allows this. However, you must provide clear instructions
> people can follow to obtain the source, and you must take care to make sure
> that the source remains available for as long as you distribute the object
> code.


There's some further explanation in this section of the Software Freedom
GPL Compliance Guide
<http://www.softwarefreedom.org/resources/2008/compliance-guide.html#x1-130004.1.4>
and I found that section 6
<http://www.gnu.org/licenses/gpl-3.0.en.html#section6>(d) of the GPL itself
surprisingly readable and helpful regarding putting the source on 3rd party
servers (like github):

> ... If the place to copy the object code is a network server, the
> Corresponding Source may be on a different server (operated by you or a
> third party) that supports equivalent copying facilities, provided you
> maintain clear directions next to the object code saying where to find the
> Corresponding Source. Regardless of what server hosts the Corresponding
> Source, you remain obligated to ensure that it is available for as long as
> needed to satisfy these requirements.


My takeaway (but I also Am Not A Lawyer) is that I can redistribute gpg.exe
inside a commercial application, so long as I provide clear directions next
to the exe for where to find the source code (
https://github.com/CSNW/gnupg/tree/gnupg-1.4.19) and that I ensure that the
source is available for 3 full years after our last distribution.

The 3 years part is a bit annoying, but I think I prefer it over including
a 3mb source tarball. I'll double-check with the owner of the company and
the guy who deals with legal compliance to see if they agree.

Again, thank you for your help & advice on this, especially since it turned
out that I didn't even need gpg4win.

-- peter



On Thu, Oct 15, 2015 at 8:08 AM, Andre Heinecke <aheinecke at intevation.de>
wrote:

> Hi,
>
> On Thursday 15 October 2015 07:43:49 Peter Rust wrote:
> > So the only piece of gpg4win that I'm redistributing / including in our
> > application's client is the "gpg" executable and a few DLLs that it depends
> > on. I got these from the gpg4win project because it was the only place I
> > could find precompiled binaries, but I suppose the source code for these
> > binaries is all from the gpg project itself.
>
> Uh in that case providing completely unrelated sources from Gpg4win (e.g. for
> Kleopatra and Qt) would really not be the right thing.
>
> Take a look at:
> https://gnupg.org/download/index.html
>
> At the bottom of this page is "GnuPG binary releases" your use case sounds
> like you want to use gpgv.exe from the "Simple installer for GnuPG
> classic".
>
> This is a dedicated tool to verify OpenPGP signatures.
>
> > > My suggestion would be that you make the source installer and the source
> > > package available
> >
> > I assume you mean putting source installer on our website & allowing users
> > to download it from us -- that would work and we'll do it if necessary, but
> > it's a bit more work and IMO less useful to any interested parties than a
> > link to the official gpg/gpg4win source installer, which (from what I've
> > read) the GPLv3 allows but the GPLv2 doesn't.
> >
> > But since the binary/DLLs I'm distributing is from the GnuPG GPLv3 sources,
> > I think I'm fine...
>
> The point is afaik that if you distribute a binary you are responsible to also
> provide the code (at least when asked). But I am not a Lawyer ;-)
>
> Regards,
> Andre
>
> --
> Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
> Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B
> 18998
> Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
>