Re: TODO: GNU TLS - Mailing list pgsql-hackers

From Stephen Frost
Subject Re: TODO: GNU TLS
Date
Msg-id 20061228231051.GX24675@kenobi.snowman.net
In response to Re: TODO: GNU TLS  (Andrew Dunstan <andrew@dunslane.net>)
List pgsql-hackers
* Andrew Dunstan (andrew@dunslane.net) wrote:
> Stephen Frost wrote:
> >I do know that this has been an issue for
> >Debian for quite some time and it seems rather unlikely that Debian's
> >position on it will change.  SPI does have a pro-bono lawyer but I
> >don't know that this question has been posed to him, probably because
> >the general consensus among the Debian Powers that Be is that it is an
> >issue and we try to not bother our pro-bono lawyer too much (being, uh,
> >pro-bono and all).
> >
>
> I have a sneaking suspicion that there are some hidden agendas in all this.

I'm certainly not aware of any personally.  I doubt Debian in general
does either since this isn't exactly a fun thing for us to have to deal
with.

> I agree with this comment from Steve Langasek at
> http://lists.debian.org/debian-legal/2003/01/msg00022.html :

Unfortunately, the glue hasn't been made available under the LGPL.
While I agree with Steve generally (and in fact have been discussing
this whole bit with him on IRC), in this case he's right but the point
is moot - it *could* be done, but it *hasn't* been done.  The options are
to go ask the original author about relicensing it (which I think has
actually been done already) or rewriting it (which apparently hasn't
been done).

> >Sure, code can be rewritten to use gnutls natively.  But I don't
> >understand why anyone would consider this a useful expenditure of
> >developer resources when the necessary OpenSSL compat glue could simply
> >be made available under the LGPL.
>
> If this is such an issue, why hasn't somebody done that?

Based on what I've seen happen to date it appears that projects would
rather just include GNUTLS support directly than write a wrapper to
support the OpenSSL API using GNUTLS.  Indeed, that's exactly the
approach Martijn took as well.  My guess as to why this would be is that
it's simply not *that* difficult to do and maintain, and in the end
perhaps some prefer the GNUTLS API over the OpenSSL API, or feel that
more things are moving in that direction.  I don't know, I can't speak
for them so I'm really just speculating, but the empirical evidence is
that projects support GNUTLS and there doesn't exist a non-GPL OpenSSL
API for GNUTLS yet.  I understand that at least some GPL projects do use
the GPL OpenSSL API for GNUTLS but it's not common. (fe: I know exim4,
elinks, mutt, samba, curl/libcurl, and others support GNUTLS directly
while the only project I've heard of using the wrapper is slrn, cupsys
used the compat layer at one point but then changed to using GNUTLS
directly).  Maybe people feel that using a compat layer is uglier than
using GNUTLS directly?

Thanks,
    Stephen
