Matheus Morais matheus.morais@gmail.com writes:
> First of all, let me reconsider my opinion after a careful read of Quanah's arguments and references about OpenLDAP packages in some distros. I had read the archives of this list, specifically about GnuTLS problems with OpenLDAP on Debian, and now I understand the point of view of the OpenLDAP developers. In fact, not only do I understand it, I fully support it now. So sorry if I was missing the point in my first email.
I don't think anyone is happy about the multiple SSL library situation. We (Debian) believe that not using OpenSSL is legally required by the mixture of licenses in question and that we have no choice unless we were to remove from the distribution all software covered by the GPL and using the OpenLDAP libraries. Obviously, other people's legal advice differs, but we can only go with the legal framework that we have available.
Due to its nature, Debian has to be somewhat more conservative on legal questions since the project has no legal existence and hence no corporate or other organizational liability shield. If we screw up on legal questions, *individual people* potentially get sued. Although I note that Ubuntu (which I'm not involved in), which does have an organizational liability shield, is also taking the same stance.
It's one of those cases where the risk of an adverse event is very low, but the negative consequences are potentially high.
I do think that the security concerns with GnuTLS tend to be somewhat overstated on this list when summarized (and in a way that's not horribly helpful in improving the overall quality of the package, not that it's the obligation of anyone here to help with that). But, regardless, Debian, as the distributor who wants to use GnuTLS against the explicit advice of the OpenLDAP developers, should carry the burden of investigating, reducing to reproducible test cases, and reporting problems that are best corrected in the OpenLDAP side of the interface. That's not currently happening due to the same lack of volunteer time discussed in my previous message, and that's not the fault of the OpenLDAP maintainers.