Re: Crypto Libs: Linking to OpenSSL, GnuTLS, NSS, ..?
On 11.11.21 17:01, Russ Allbery wrote:
> Alexander Traud <pabstraud@compuserve.com> writes:
>
>> Debian is very much OpenSSL. However, I see some packages default to
>> GnuTLS or even NSS without providing OpenSSL, although their source
>> project supports it.
>
> Historically, use of GnuTLS was mostly because of licensing restrictions
> because OpenSSL was incompatible with GPL-licensed code.  Now, OpenSSL is
> compatible with GPL v3 and Debian has (with some controversy) adopted a
> policy of treating it like a system library even for GPL v2 code, so at
> least some of the GnuTLS usage has switched to OpenSSL.
>
>> Question(s): Is there a recommendation/guideline/policy that package
>> maintainers should prefer a specific crypto library (OpenSSL?) if they
>> cannot support all of them? If not, is there an argumentation aid to
>> convince package maintainers?
>
> I don't believe there is a policy.
>
> In practice, I believe OpenSSL tends to be more interoperable and
> better-tested upstream than GnuTLS.  There have been long-standing
> problems with GnuTLS not handling weird corner cases or bugs in other
> libraries.  Some of these do get fixed over time, but that's still my
> general impression.


What a coincidence. Just the other day I received
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=999375 in rsyslog.

Historically, I've leaned towards GnuTLS mainly for the cleaner licensing situation and because it was my impression that GnuTLS was the preferred TLS stack in Debian.

Nowadays I'm not so sure anymore, e.g. I'm even considering disabling GnuTLS support in librelp.

Just wondering if anyone would object to such a change?

Michael
