Hi Jan,

On 10-11-2019 01:10, Jay Berkenbilt wrote:
> I can build qpdf 9.1 for Debian in one of three ways: 1) use only the
> native crypto as in all previous releases, thus avoiding a dependency
> on gnutls; 2) build only the gnutls crypto provider thus causing a
> dependency on gnutls but eliminating the native crypto entirely; or 3)
> building both crypto providers, in which case gnutls will be used by
> default, but developers and end users will have the ability to select
> the native crypto provider at runtime if desired.
>
> Do you have an opinion about which way I should go? I believe RHEL and
> Fedora are going to use the second option of building with only gnutls
> and dropping native crypto, but I have also enjoyed the fact that qpdf
> has so few build dependencies. It is possible that a future version of
> qpdf may support digital signature, in which case I will definitely
> have to add either openssl or gnutls as a dependency.

I think the opinion of the security team is valued most here, and I am
pretty sure they will opt for 2. From the release team point of view, I
don't think there are any objections to having a longer list of
(build-) dependencies, so I would encourage you to use non-native
crypto.

Paul