[gnutls-devel] dane - limited usability due to (indirect) OpenSSL dependency
Andreas Metzler
ametzler at bebt.de
Sat Dec 28 14:55:12 CET 2013
Hello,
I do not know whether you are aware of it but distributing libgnutls-dane
does not make a lot of sense currently:
(SID)ametzler at argenau:/tmp/GNUTLS/gnutls-3.2.8/libdane$ objdump -p .libs/libgnutls-dane.so | grep '^ *NEED'
NEEDED libgnutls.so.28
NEEDED libunbound.so.2
NEEDED libc.so.6
(SID)ametzler at argenau:/tmp/GNUTLS/gnutls-3.2.8/libdane$ objdump -p /usr/lib/i386-linux-gnu/libunbound.so.2 | grep '^ *NEED'
NEEDED libssl.so.1.0.0
NEEDED libldns.so.1
NEEDED libdl.so.2
NEEDED libcrypto.so.1.0.0
NEEDED libpthread.so.0
NEEDED libc.so.6
gnutls is LGPLv2.1+ (with a LGPLv3+ dependency), libunbound seems to
be BSD-ish (3-clause) but depends on OpenSSL. (Debian binary
distribution.)
As a curiosity there is also danetool(1) which is GPLv3+ and therefore
may not[1] be distributed linked against OpenSSL.
Apart from the licensing issue it is imho more than a little bit ugly
that software using libgnutls-dane links against both GnuTLS and
OpenSSL.
Checking unbound's ./configure I see that it could also be built
against NSS instead of OpenSSL. This would get rid of the OpenSSL
license problem, but still any libgnutls-dane user would depend on not
only one, but two of the three major TLS toolkits.
cu Andreas
[1] I am aware that there are divided opinions on this subject. e.g.
Fedora uses the system library exception clause for OpenSSL.
<https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F>
But e.g. Debian has always tried to not ship GPL software linked
against OpenSSL, and although this might change, I would not count on it.
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
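
The indirect-dependency check done by hand in the message above, as an added example that is not part of the original post: it walks the NEEDED entries transitively and reports the chain by which OpenSSL is reached. The function names and the `DUMPS` mapping are hypothetical; the NEEDED lines are the ones quoted in the message, and in practice each entry would hold the `objdump -p` output of the resolved library.

```python
import re
from collections import deque

# NEEDED lines exactly as quoted in the message (objdump -p output).
DUMPS = {
    "libgnutls-dane.so": """
  NEEDED libgnutls.so.28
  NEEDED libunbound.so.2
  NEEDED libc.so.6
""",
    "libunbound.so.2": """
  NEEDED libssl.so.1.0.0
  NEEDED libldns.so.1
  NEEDED libdl.so.2
  NEEDED libcrypto.so.1.0.0
  NEEDED libpthread.so.0
  NEEDED libc.so.6
""",
}
FLAGGED = ("libssl.so", "libcrypto.so")  # OpenSSL sonames to look for

def parse_needed(objdump_text):
    """Return the sonames on NEEDED lines, in order of appearance."""
    return re.findall(r"^\s*NEEDED\s+(\S+)", objdump_text, re.M)

def openssl_chains(root, dumps, flagged=FLAGGED):
    # Breadth-first walk of NEEDED edges. Returns (chains, uninspected):
    # shortest chain to each flagged lib, and libs with no dump available.
    parent, queue = {root: None}, deque([root])
    chains, uninspected = {}, []
    while queue:
        lib = queue.popleft()
        if lib.startswith(flagged):
            chain, node = [], lib
            while node is not None:      # follow parents back to the root
                chain.append(node)
                node = parent[node]
            chains[lib] = chain[::-1]
            continue
        if lib not in dumps:             # dependencies unknown, say so
            uninspected.append(lib)
            continue
        for dep in parse_needed(dumps[lib]):
            if dep not in parent:
                parent[dep] = lib
                queue.append(dep)
    return chains, uninspected

if __name__ == "__main__":
    print(openssl_chains("libgnutls-dane.so", DUMPS))
```

Libraries listed as uninspected (here including libldns.so.1) may pull in further dependencies of their own; the result is only complete once every one of them has a dump.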