[gnutls-devel] dane - limited usability die to (indirect) OpenSSL dependency
nmav at gnutls.org
Sat Dec 28 15:34:18 CET 2013
On Sat, 2013-12-28 at 14:55 +0100, Andreas Metzler wrote:
> Apart from the licensing issue it is imho more than a little bit ugly
> that software using libgnutls-dane links against both GnuTLS and
> Checking unbound's ./configure I see that it could also be built
> against NSS instead of OpenSSL. This would get rid of the OpenSSL
> license problem, but still any libgnutls-dane user would depend on not
> only one, but two of the three major TLS toolkits.
I understand that and this was the reason libgnutls-dane was made a
separate library. On my part I don't think there is much I can do.
Libunbound is the only dnssec library I could find, so switching to
another isn't (currently) an option.
At the time adding this support I thought that having support for DANE
was more important than linking and dependency issues.
>  I am aware that there are divided opinions on this subject. e.g.
> Fedora uses the system library exeption clause for OpenSSL.
> But e.g. Debian has always tried to not ship GPL software linked
> against OpenSSL and although this might change would not count on it.
I understand Debian's approach but I cannot think of anything I could do
in gnutls-dane to solve that. While I'd be happy to drop unbound and use
another library for dnssec resolving, I know of no other alternatives.
More information about the Gnutls-devel