
Re: GnuTLS in Debian



On Sun, Dec 22, 2013 at 9:59 PM, Ben Hutchings <ben@decadent.org.uk> wrote:
> On Sun, 2013-12-22 at 19:52 +0000, brian m. carlson wrote:
>> On Sun, Dec 22, 2013 at 08:12:40PM +0100, Andreas Metzler wrote:
>> > How to continue from here/solve this:
>> > ---------
>> > #1 Fork LGPLv2.1+ GMP (version 4.2.1) for Debian.
>>
>> This seems like the best idea, as it lets us use newer versions of
>> GnuTLS that support elliptic curves with the minimum amount of pain.
>
> I think this would be a good idea if GnuTLS doesn't depend on too many
> features of newer GMP.
>
> [...]
>> > #6 Move to GnuTLS3, drop GnuTLS2. Packages which cannot use GnuTLS3
>> > for license reasons will need to drop TLS support or be relicensed or
>> > be ported to a different TLS library.
>>
>> I don't think this option is a good idea.  It will leave git without
>> HTTPS support, since libcurl3-nss doesn't actually work for HTTPS.
>> libcurl3-nss requires an additional library not in Debian for the crypto
>> support to work at all, and despite me filing bugs, neither the NSS nor
>> the curl maintainers have stepped up to fix this.
>>
>> This also doesn't consider the fact that NSS provides poorer crypto
>> support than either OpenSSL or GnuTLS, although it's getting better.
>
> The free software world desperately needs a permissively licenced TLS
> library with sane default behaviour.  OpenSSL or GnuTLS seem to have
> failed us on both grounds, and I hope interested developers will
> cooperate with the Fedora developers in making NSS usable by more
> applications.

I plan to package http://rcritten.fedorapeople.org/nss_compat_ossl.html
Note that the certificate problem has been solved by the recent p11-kit package.

And if we solve https://bugzilla.mozilla.org/show_bug.cgi?id=402712 we
have something sane I think

Bastien

>
> Ben.
>
> --
> Ben Hutchings
> If at first you don't succeed, you're doing about average.

