[gnutls-devel] dane - limited usability due to (indirect) OpenSSL dependency

Andreas Metzler ametzler at bebt.de
Sat Dec 28 14:55:12 CET 2013


Hello,

I do not know whether you are aware of it but distributing libgnutls-dane
does not make a lot of sense currently:

(SID)ametzler at argenau:/tmp/GNUTLS/gnutls-3.2.8/libdane$ objdump -p .libs/libgnutls-dane.so | grep '^ *NEED'
  NEEDED               libgnutls.so.28
  NEEDED               libunbound.so.2
  NEEDED               libc.so.6
(SID)ametzler at argenau:/tmp/GNUTLS/gnutls-3.2.8/libdane$ objdump -p /usr/lib/i386-linux-gnu/libunbound.so.2 | grep '^ *NEED'
  NEEDED               libssl.so.1.0.0
  NEEDED               libldns.so.1
  NEEDED               libdl.so.2
  NEEDED               libcrypto.so.1.0.0
  NEEDED               libpthread.so.0
  NEEDED               libc.so.6

gnutls is LGPLv2.1+ (with a LGPLv3+ dependency), libunbound seems to
be BSD-ish (3-clause) but depends on OpenSSL. (Debian binary
distribution.)

As a curiosity there is also danetool(1) which is GPLv3+ and therefore
may not[1] be distributed linked against OpenSSL.

Apart from the licensing issue it is imho more than a little bit ugly
that software using libgnutls-dane links against both GnuTLS and
OpenSSL.

Checking unbound's ./configure I see that it could also be built
against NSS instead of OpenSSL. This would get rid of the OpenSSL
license problem, but still any libgnutls-dane user would depend on not
only one, but two of the three major TLS toolkits.

cu Andreas

[1] I am aware that there are divided opinions on this subject. e.g.
Fedora uses the system library exception clause for OpenSSL.
<https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F>
But e.g. Debian has always tried to not ship GPL software linked
against OpenSSL and although this might change would not count on it.
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
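
The two-step objdump check in the message above, generalized into a transitive walk over NEEDED entries (an added example, not part of the original message or of GnuTLS). The sample dumps are constructed from the output quoted in the message; the function names and the idea of keying dumps by soname are assumptions, and on a real system the dictionary would be filled from `objdump -p` run on each resolved library path.

```python
import re
from collections import deque

NEEDED_RE = re.compile(r"^[ \t]*NEEDED[ \t]+(\S+)", re.MULTILINE)
OPENSSL_RE = re.compile(r"^lib(ssl|crypto)\.so")

# Constructed sample: `objdump -p` NEEDED lines as quoted in the message.
# Libraries with no dump here (e.g. libldns.so.1) are treated as leaves,
# so anything they pull in themselves is not reported.
SAMPLE_DUMPS = {
    "libgnutls-dane.so": """
  NEEDED               libgnutls.so.28
  NEEDED               libunbound.so.2
  NEEDED               libc.so.6
""",
    "libunbound.so.2": """
  NEEDED               libssl.so.1.0.0
  NEEDED               libldns.so.1
  NEEDED               libdl.so.2
  NEEDED               libcrypto.so.1.0.0
  NEEDED               libpthread.so.0
  NEEDED               libc.so.6
""",
}

def parse_needed(dump_text):
    """Return the sonames listed as NEEDED in `objdump -p` output."""
    return NEEDED_RE.findall(dump_text)

def find_chains(root, dumps, target=OPENSSL_RE):
    """Breadth-first walk; return the shortest chain from root to each
    library whose soname matches `target`."""
    chains, seen, queue = [], {root}, deque([[root]])
    while queue:
        path = queue.popleft()
        for dep in parse_needed(dumps.get(path[-1], "")):
            if dep in seen:
                continue
            seen.add(dep)
            if target.search(dep):
                chains.append(path + [dep])   # report, do not descend further
            else:
                queue.append(path + [dep])
    return chains

if __name__ == "__main__":
    for chain in find_chains("libgnutls-dane.so", SAMPLE_DUMPS):
        print(" -> ".join(chain))
```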


