[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: cupsys + libssl + libgnutls = confusion.

On Sun, 2002-11-03 at 01:02, Andrew Lau wrote:
> 	I just looked at that
> cupsys-1.1.15/config-scripts/cups-openssl.m4 and I find no mention of
> GnuTLS in there at all. Then I took at look at debian/rules and
> noticed that cupsys isn't even built with SSL or TLS enabled.
>         ./configure --with-optim=$(DEB_OPTFLAGS)	\	
> 	--with-cups-group=lpadmin --mandir=/usr/share/man	\
> 	--with-docdir=/usr/share/cups/doc-root --disable-ssl --enable-slp

SSL support was added in the 1.1.15 series, removed almost immediately
after, and re-added in 1.1.16-1 using the GNU TLS compatibility
library.  As of this moment, the SSL-using CUPS has not reached testing.

> So this leaves me with a few problems.
> 1. I still don't know what steps are neccessary to convert an OpenSSL 
>    program into one that uses GnuTLS for encryption.

You can look at the cupsys packages in unstable, though I should point
out that the support is still very flaky.

It's actually not that difficult.  You need to detect which SSL lib
you're using, and include different headers based on that.  Also, when
you initialize a SSL connection, OpenSSL allows you to specify that a
connection may be used for either client or server purposes, but GNU TLS
forces you to choose.  That's all I've experienced so far with it.

> 2. Until #16748 - cupsys needs a "Build-Conflicts: libssl-dev" is
>    resolved, any cupsys-pt client will have no encrypted CUPS server
>    in Debian to talk to.

That technically doesn't affect the presence or absence of SSL
cupsd/libcups; it's more of a safety harness for preventing inadvertent
license violations.  I have actually fixed the bug in a slightly
different way than the bug title implies.  Essentially, the configure
script can now be told to ignore installed OpenSSL libs, and
debian/rules passes that flag unless told explicitly not to.

> 	From my understanding of the above two clauses, cupsys can be
> built with OpenSSL support enabled. So why is it explicitly disabled
> at the moment? Why do you call for GnuTLS support for cupsys in
> #167489?  What is the official debian-legal position on this because
> I'm really, really confused now...

Debian-legal helped hash out the CUPS license text, so the official
answer from the d-l POV is that it's legal to link OpenSSL to CUPS. 
However, this does not say anything about third-party GPLed software. 
As I understand it, Debian considers the OpenSSL and GPL licenses
incompatible, despite the rather optimistic statement from the OpenSSL
people.  Specifically, check out the clause in the OpenSSL license that
specifically mentions the GPL, as well as the old-BSD-style advertising

As an interesting side note, although the cupsys packages can be built
against OpenSSL, they are pretty much useless without the gs-esp
package, which provides the PostScript RIP used for non-PostScript
printers.  The gs-esp package is ESP's small fork of GNU GhostScript,
which is under the traditional GPL and must link against CUPS to be
useful.  It's therefore my opinion that any distribution shipping a
useful CUPS linked against OpenSSL is in a potentially interesting legal
state.  ESP has attempted to adjust to this situation, but I haven't
been keeping up in their efforts to know if they've succeeded or not, so
distributions shipping CUPS 1.1.15 or later and ESP GhostScript 7.05.5
or later might be OK.

I'd rather not get into yet another OpenSSL license discussion, so I'll
advise you to search the debian-legal archives for the last few months
for more information.

Reply to: