On Sun, 2013-12-22 at 19:52 +0000, brian m. carlson wrote:
> On Sun, Dec 22, 2013 at 08:12:40PM +0100, Andreas Metzler wrote:
> > How to continue from here/solve this:
> > ---------
> > #1 Fork LGPLv2.1+ GMP (version 4.2.1) for Debian.
>
> This seems like the best idea, as it lets us use newer versions of
> GnuTLS that support elliptic curves with the minimum amount of pain.

I think this would be a good idea if GnuTLS doesn't depend on too many
features of newer GMP.

[...]
> > #6 Move to GnuTLS3, drop GnuTLS2. Packages which cannot use GnuTLS3
> > for license reasons will need to drop TLS support or be relicensed or
> > be ported to a different TLS library.
>
> I don't think this option is a good idea. It will leave git without
> HTTPS support, since libcurl3-nss doesn't actually work for HTTPS.
> libcurl3-nss requires an additional library not in Debian for the crypto
> support to work at all, and despite me filing bugs, neither the NSS nor
> the curl maintainers have stepped up to fix this.
>
> This also doesn't consider the fact that NSS provides poorer crypto
> support than either OpenSSL or GnuTLS, although it's getting better.

The free software world desperately needs a permissively licenced TLS
library with sane default behaviour. OpenSSL or GnuTLS seem to have
failed us on both grounds, and I hope interested developers will
cooperate with the Fedora developers in making NSS usable by more
applications.

Ben.

--
Ben Hutchings
If at first you don't succeed, you're doing about average.