3:13 a.m.
HI!
IMHO OpenLDAP project should drop support for building against GNUTLS
and libnss. Support for these seems to be largely non-existent and it's
a waste of time, especially since there is no build pipeline and no
automatic testing for all the variants.
The support for libnss was done by RedHat for the unified crypto project
which is AFAICS obsolete. Does anybody maintain the stuff?
The support for GNUTLS was requested by Debian folks because of OpenSSL
licensing paranoia. Does anybody maintain the stuff?
The question is whether this is still revelavant with OpenSSL 3.0.0
moving to Apache-2.0 license [1]. [2] says APL-2.0 is not compatible
with GPLv2 though.
Ciao, Michael.
[1] https://www.openssl.org/blog/blog/categories/license/
[2] https://www.gnu.org/licenses/license-list.html#apache2
9:07 a.m.
On Sat, Jul 20, 2019 at 12:13:38PM +0200, Michael Ströder wrote:
The support for GNUTLS was requested by Debian folks because of
OpenSSL
licensing paranoia. Does anybody maintain the stuff?
As the Debian maintainer I consider the GnuTLS support primarily my
responsibility at this point, so yes, I do try to respond and
investigate GnuTLS related issues. Luckily many of these get handled
through the Debian bugtracker before this side ever hears of them. But
I'm only reacting to issues that are reported to me; I'm not an active
OpenLDAP user myself.
The question is whether this is still revelavant with OpenSSL 3.0.0
moving to Apache-2.0 license [1]. [2] says APL-2.0 is not compatible
with GPLv2 though.
Unfortunately that's correct - the Apache license does not solve the
issue for binaries containing GPLv2 code without an OpenSSL exception.
3:51 a.m.
On 7/20/19 6:07 PM, Ryan Tandy wrote:
On Sat, Jul 20, 2019 at 12:13:38PM +0200, Michael Ströder wrote:
> The question is whether this is still revelavant with OpenSSL 3.0.0
> moving to Apache-2.0 license [1]. [2] says APL-2.0 is not compatible
> with GPLv2 though.
Unfortunately that's correct - the Apache license does not solve the
issue for binaries containing GPLv2 code without an OpenSSL exception.
How many GPLv2 licensed Debian packages link libldap?
Ciao, Michael.
6:33 a.m.
On Sun, Jul 21, 2019 at 12:53 PM Michael Ströder <michael(a)stroeder.com> wrote:
On 7/20/19 6:07 PM, Ryan Tandy wrote:
> On Sat, Jul 20, 2019 at 12:13:38PM +0200, Michael Ströder wrote:
>> The question is whether this is still revelavant with OpenSSL 3.0.0
>> moving to Apache-2.0 license [1]. [2] says APL-2.0 is not compatible
>> with GPLv2 though.
>
> Unfortunately that's correct - the Apache license does not solve the
> issue for binaries containing GPLv2 code without an OpenSSL exception.
How many GPLv2 licensed Debian packages link libldap?
Ciao, Michael.
I can confirm RHEL/CentOS nor Fedora downstreams in their most active
releases no longer actively use the code from tls_m.c. Therefore its
removal should be OK in 2.4 branch, from point of view of these
distros.
I'm also CCing Nikos in case he would like to share anything relevant
regarding GnuTLS.
Regards,
Matus
--
Matúš Honěk
Software Engineer
Red Hat Czech
6:49 a.m.
--On Monday, July 22, 2019 4:33 PM +0200 Matus Honek <mhonek(a)redhat.com>
wrote:
I can confirm RHEL/CentOS nor Fedora downstreams in their most
active
releases no longer actively use the code from tls_m.c. Therefore its
removal should be OK in 2.4 branch, from point of view of these
distros.
Hi Matúš,
We do not plan on removing the moznss support from RE24 as that would be
too invasive of a change and the goal really is to wrap up 2.4 and start
releasing 2.5. So the plan is to remove the MozNSS support from RE25 prior
to it releases. Thanks for the confirmation that RHEL/CentOS and Fedora no
longer make use of it.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
9:30 a.m.
--On Saturday, July 20, 2019 1:13 PM +0200 Michael Ströder
<michael(a)stroeder.com> wrote:
The support for libnss was done by RedHat for the unified crypto
project
which is AFAICS obsolete. Does anybody maintain the stuff?
There's already an ITS for removing the MozNSS bits from 2.5 somewhere,
IIRC. But yes, that's the plan for that portion. As Ryan already noted,
there are issues with OpenSSL moving to the Apache License that may
actually make it harder for us to get rid of GnuTLS support. I argued
heavily with the OpenSSL folks against using Apache because of its GPLv2
incompatibilities, but unfortunately that went nowhere (I suggested the
MPLv2 instead, since it has patent protections (which is what they're
looking for) and is compatible with the GPLv2). Oh well. :/
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1530
days inactive
1532
days old
5 comments
4 participants
participants (4)
-
Matus Honek -
Michael Ströder -
Quanah Gibson-Mount -
Ryan Tandy