The Blowfish code in Nettle has already been re-implemented under LGPLv2+ but not released yet. I am working on re-implementing Serpent under LGPLv2+, however there are multiple and incompatible test vectors of Serpent and it is not clear which corresponds to the "real" Serpent.
Meanwhile, perhaps the Nettle package in Debian could disable Serpent and Blowfish, or since the Blowfish re-write mostly re-established LGPLv2+ as the license of the old code, at least disable Serpent? I don't believe Serpent not Blowfish are widely used anyway. Given the unclear Serpent test vectors it might be good to disable Serpent anyway until the problem has been sorted out, to avoid causing problems for someone. Right now, Nettle and Libgcrypt's Serpent implementations generate different outputs. Libgcrypt is more widely used, so I have more confidence that it is right than Nettle, but Serpent as an algorithm is not widely used so I don't have strong confidence in either implementation. /Simon -- To UNSUBSCRIBE, email to debian-legal-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/87k4gvgjx4....@latte.josefsson.org
