[gnutls-devel] dane - limited usability due to (indirect) OpenSSL dependency
ametzler at bebt.de
Sat Dec 28 14:55:12 CET 2013
I do not know whether you are aware of it but distributing libgnutls-dane
does not make a lot of sense currently:
(SID)ametzler at argenau:/tmp/GNUTLS/gnutls-3.2.8/libdane$ objdump -p .libs/libgnutls-dane.so | grep '^ *NEED'
(SID)ametzler at argenau:/tmp/GNUTLS/gnutls-3.2.8/libdane$ objdump -p /usr/lib/i386-linux-gnu/libunbound.so.2 | grep '^ *NEED'
gnutls is LGPLv2.1+ (with a LGPLv3+ dependency), libunbound seems to
be BSD-ish (3-clause) but depends on OpenSSL. (Debian binary
As a curiosity there is also danetool(1) which is GPLv3+ and therefore
may not be distributed linked against OpenSSL.
Apart from the licensing issue it is imho more than a little bit ugly
that software using libgnutls-dane links against both GnuTLS and
Checking unbound's ./configure I see that it could also be built
against NSS instead of OpenSSL. This would get rid of the OpenSSL
license problem, but still any libgnutls-dane user would depend on not
only one, but two of the three major TLS toolkits.
I am aware that there are divided opinions on this subject. E.g.
Fedora uses the system library exception clause for OpenSSL.
But e.g. Debian has always tried to not ship GPL software linked
against OpenSSL and although this might change I would not count on it.
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
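
The `objdump -p ... | grep NEEDED` check from the mail above, followed transitively so that an indirect TLS toolkit dependency is reported with the chain that pulls it in. This is an added example, not part of the original mail. The dumps are constructed (the mail's own output is not preserved), and every soname except `libunbound.so.2` is an assumption.

```python
import re

# Constructed `objdump -p` excerpts (NOT the output from the original mail);
# sonames other than libunbound.so.2 are assumptions.
SAMPLE_OBJDUMP = {
    "libgnutls-dane.so.0": """
Dynamic Section:
  NEEDED               libgnutls.so.28
  NEEDED               libunbound.so.2
  NEEDED               libc.so.6
  SONAME               libgnutls-dane.so.0
""",
    "libunbound.so.2": """
Dynamic Section:
  NEEDED               libssl.so.1.0.0
  NEEDED               libcrypto.so.1.0.0
  NEEDED               libc.so.6
""",
    "libgnutls.so.28": """
Dynamic Section:
  NEEDED               libnettle.so.4
  NEEDED               libc.so.6
""",
}

# Soname prefixes mapped to the TLS toolkit they belong to.
TLS_STACKS = {"libgnutls.so": "GnuTLS", "libssl.so": "OpenSSL",
              "libcrypto.so": "OpenSSL", "libnss3.so": "NSS"}

def needed(objdump_text):
    """Return the NEEDED sonames listed in one `objdump -p` dump."""
    return re.findall(r"^\s*NEEDED\s+(\S+)", objdump_text, re.MULTILINE)

def tls_stacks(root, dumps):
    """Walk NEEDED entries breadth-first; map each TLS toolkit to the
    shortest dependency chain that pulls it in."""
    found, seen, queue = {}, {root}, [[root]]
    while queue:
        path = queue.pop(0)
        for dep in needed(dumps.get(path[-1], "")):
            for prefix, stack in TLS_STACKS.items():
                if dep.startswith(prefix):
                    found.setdefault(stack, path + [dep])
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])
    return found

if __name__ == "__main__":
    for stack, chain in tls_stacks("libgnutls-dane.so.0", SAMPLE_OBJDUMP).items():
        print(f"{stack}: {' -> '.join(chain)}")
```

To run it against a real system, fill the dictionary with the output of `objdump -p` for each resolved library instead of the constructed text.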