HI!
IMHO OpenLDAP project should drop support for building against GNUTLS and libnss. Support for these seems to be largely non-existent and it's a waste of time, especially since there is no build pipeline and no automatic testing for all the variants.
The support for libnss was done by RedHat for the unified crypto project which is AFAICS obsolete. Does anybody maintain the stuff?
The support for GNUTLS was requested by Debian folks because of OpenSSL licensing paranoia. Does anybody maintain the stuff? The question is whether this is still relevant with OpenSSL 3.0.0 moving to Apache-2.0 license [1]. [2] says APL-2.0 is not compatible with GPLv2 though.
Ciao, Michael.
On Sat, Jul 20, 2019 at 12:13:38PM +0200, Michael Ströder wrote:
> The support for GNUTLS was requested by Debian folks because of OpenSSL licensing paranoia. Does anybody maintain the stuff?
As the Debian maintainer I consider the GnuTLS support primarily my responsibility at this point, so yes, I do try to respond and investigate GnuTLS related issues. Luckily many of these get handled through the Debian bugtracker before this side ever hears of them. But I'm only reacting to issues that are reported to me; I'm not an active OpenLDAP user myself.
> The question is whether this is still relevant with OpenSSL 3.0.0 moving to Apache-2.0 license [1]. [2] says APL-2.0 is not compatible with GPLv2 though.
Unfortunately that's correct - the Apache license does not solve the issue for binaries containing GPLv2 code without an OpenSSL exception.
On 7/20/19 6:07 PM, Ryan Tandy wrote:
> On Sat, Jul 20, 2019 at 12:13:38PM +0200, Michael Ströder wrote:
>> The question is whether this is still relevant with OpenSSL 3.0.0 moving to Apache-2.0 license [1]. [2] says APL-2.0 is not compatible with GPLv2 though.
> Unfortunately that's correct - the Apache license does not solve the issue for binaries containing GPLv2 code without an OpenSSL exception.
How many GPLv2 licensed Debian packages link libldap?
Ciao, Michael.
On Sun, Jul 21, 2019 at 12:53 PM Michael Ströder <michael@stroeder.com> wrote:
> On 7/20/19 6:07 PM, Ryan Tandy wrote:
>> On Sat, Jul 20, 2019 at 12:13:38PM +0200, Michael Ströder wrote:
>>> The question is whether this is still relevant with OpenSSL 3.0.0 moving to Apache-2.0 license [1]. [2] says APL-2.0 is not compatible with GPLv2 though.
>> Unfortunately that's correct - the Apache license does not solve the issue for binaries containing GPLv2 code without an OpenSSL exception.
> How many GPLv2 licensed Debian packages link libldap?
> Ciao, Michael.
I can confirm that neither RHEL/CentOS nor Fedora downstreams in their most active releases actively use the code from tls_m.c any longer. Therefore its removal should be OK in the 2.4 branch, from the point of view of these distros.
I'm also CCing Nikos in case he would like to share anything relevant regarding GnuTLS.
Regards, Matus
--On Monday, July 22, 2019 4:33 PM +0200 Matus Honek <mhonek@redhat.com> wrote:
> I can confirm that neither RHEL/CentOS nor Fedora downstreams in their most active releases actively use the code from tls_m.c any longer. Therefore its removal should be OK in the 2.4 branch, from the point of view of these distros.
Hi Matúš,
We do not plan on removing the moznss support from RE24 as that would be too invasive of a change and the goal really is to wrap up 2.4 and start releasing 2.5. So the plan is to remove the MozNSS support from RE25 prior to its release. Thanks for the confirmation that RHEL/CentOS and Fedora no longer make use of it.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
--On Saturday, July 20, 2019 1:13 PM +0200 Michael Ströder <michael@stroeder.com> wrote:
> The support for libnss was done by RedHat for the unified crypto project which is AFAICS obsolete. Does anybody maintain the stuff?
There's already an ITS for removing the MozNSS bits from 2.5 somewhere, IIRC. But yes, that's the plan for that portion. As Ryan already noted, there are issues with OpenSSL moving to the Apache License that may actually make it harder for us to get rid of GnuTLS support. I argued heavily with the OpenSSL folks against using Apache because of its GPLv2 incompatibilities, but unfortunately that went nowhere (I suggested the MPLv2 instead, since it has patent protections (which is what they're looking for) and is compatible with the GPLv2). Oh well. :/
--Quanah