[Devel] Use of LGPL-3 or GPL-2 dual-licensed Nettle on Apertis v2020 and v2021 images

Emanuele Aina emanuele.aina at collabora.com
Wed Oct 13 00:45:03 CEST 2021

Hello all,

the latest source code scan highlighted that the version of Nettle used
on Apertis target images for the v2020 and v2021 releases is already
subject to the relicensing to LGPL-3 or GPL-2 and it is no longer
LGPL-2.1 licensed as the metadata from the original Debian package sources

This means that any program using libnettle, and by extension libraries
like libgnutls, glib-networking and libsoup, has to be licensed under
the terms of the GPL-2, or the terms of the LGPL-3 license should be
applied to libnettle.

This goes against the Apertis licensing expectations[1], therefore we
are now working on a fix.

The v2022 release channel is not affected thanks to the rework of the
TLS stack usage[2] done in that channel. The recent documentation work
helped raise awareness of the issue, identifying its impact and
the possible ways to address it.

We currently plan to backport the changes from v2022 to v2021, and even
v2020. Usage of libnettle and its reverse dependencies like libgnutls
will still be subject to the LGPL-3 or GPL-2 dual-license, but
libraries like glib-networking and libsoup will be moved to the OpenSSL
backend to avoid the issue. Check the document about the TLS stack
licensing[2] for further details.

In case of any doubt, we are available for any inquiry and
clarification about the impact of the issue.

Thank you!

[1] https://www.apertis.org/policies/license-expectations/
[2] https://www.apertis.org/concepts/tls-stack/

Emanuele Aina
