
Re: Crypto Libs: Linking to OpenSSL, GnuTLS, NSS, ..?



On 11.11.2021 18.01, Russ Allbery wrote:
> Alexander Traud <pabstraud@compuserve.com> writes:
>
>> Debian is very much OpenSSL. However, I see some packages default to
>> GnuTLS or even NSS without providing OpenSSL, although their source
>> project supports it.
>
> Historically, use of GnuTLS was mostly because of licensing restrictions
> because OpenSSL was incompatible with GPL-licensed code.  Now, OpenSSL is
> compatible with GPL v3 and Debian has (with some controversy) adopted a
> policy of treating it like a system library even for GPL v2 code, so at
> least some of the GnuTLS usage has switched to OpenSSL.
>
>> Question(s): Is there a recommendation/guideline/policy that package
>> maintainers should prefer a specific crypto library (OpenSSL?) if they
>> cannot support all of them? If not, is there an argumentation aid to
>> convince package maintainers?
>
> I don't believe there is a policy.
>
> In practice, I believe OpenSSL tends to be more interoperable and
> better-tested upstream than GnuTLS.  There have been long-standing
> problems with GnuTLS not handling weird corner cases or bugs in other
> libraries.  Some of these do get fixed over time, but that's still my
> general impression.
>
> Also, if a software package was written to use OpenSSL, the OpenSSL
> compatibility layer in GnuTLS is very limited (I say this as someone who
> tried to use it for a package for several years) and tends to cause a lot
> of problems.
>
> NSS probably doesn't have the same interoperability problems.  I
> personally have no opinions about using it.  (Didn't Red Hat attempt to
> standardize on NSS a while back?  I feel like that didn't work and they
> stopped that effort, but some quick searching didn't uncover any support
> for that belief.)

They stopped and moved pretty much everything to OpenSSL.


--
t
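A quick way to answer the question in the subject line for a given binary, added here as an example and not part of the thread or of any Debian tooling: read the dynamic section of an ELF file and classify which of the three libraries it links directly. The `readelf -d` output embedded below is constructed sample data; `readelf` from binutils is assumed when scanning real files. Only direct NEEDED entries are inspected, so a program that gets its TLS through, say, libcurl shows up as "none" here; `ldd` shows the full transitive closure.

```shell
#!/bin/sh
# Added example (not from the thread): classify which crypto/TLS library an
# ELF object links directly, based on its NEEDED entries.

# classify_needed: reads `readelf -d` style output on stdin and prints, in a
# fixed order, the library families found among the NEEDED entries:
# "openssl", "gnutls", "nss", or "none".
classify_needed() {
  awk '
    /\(NEEDED\)/ {
      # Typical line:
      #  0x0000000000000001 (NEEDED)  Shared library: [libssl.so.3]
      lib = $0
      sub(/.*\[/, "", lib)          # strip everything up to the opening [
      sub(/\].*/, "", lib)          # strip the closing ] and anything after
      # OpenSSL: libssl.so.N / libcrypto.so.N (does not match NSS libssl3.so)
      if (lib ~ /^libssl\.so/ || lib ~ /^libcrypto\.so/) found["openssl"] = 1
      else if (lib ~ /^libgnutls\.so/) found["gnutls"] = 1
      # NSS: libnss3, libnssutil3, libssl3, libsmime3 (not glibc libnss_*)
      else if (lib ~ /^libnss3\.so/ || lib ~ /^libnssutil3\.so/ ||
               lib ~ /^libssl3\.so/ || lib ~ /^libsmime3\.so/) found["nss"] = 1
    }
    END {
      out = ""
      if ("openssl" in found) out = out "openssl"
      if ("gnutls" in found) out = out (length(out) ? " " : "") "gnutls"
      if ("nss" in found) out = out (length(out) ? " " : "") "nss"
      if (!length(out)) out = "none"
      print out
    }'
}

# scan_file: classify a real ELF file. Direct dependencies only; use `ldd`
# to see libraries pulled in transitively (e.g. OpenSSL via libcurl).
scan_file() {
  readelf -d "$1" 2>/dev/null | classify_needed
}

# Constructed sample readelf output (not captured from any real package).
SAMPLE_OPENSSL='Dynamic section at offset 0x2d80 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

SAMPLE_GNUTLS_NSS='Dynamic section at offset 0x3f00 contains 31 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libgnutls.so.30]
 0x0000000000000001 (NEEDED)             Shared library: [libnss3.so]
 0x0000000000000001 (NEEDED)             Shared library: [libssl3.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

SAMPLE_NONE='Dynamic section at offset 0x1c00 contains 20 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Usage: ./tlslink.sh /usr/bin/curl /usr/lib/x86_64-linux-gnu/libcurl.so.4
for f in "$@"; do
  printf '%s: %s\n' "$f" "$(scan_file "$f")"
done
```

Run it over `/usr/bin/*` or a package's file list from `dpkg -L` to get a per-binary view of which library a package actually ends up linking on the installed system.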

