[gnutls-dev] Re: libgwenhywfar and gnucash

Simon Josefsson jas at extundo.com
Fri Jun 9 11:48:51 CEST 2006

Thomas Bushnell BSG <tb at becket.net> writes:

> Ok, we need your help, and maybe you guys can help us.

I'll try!

> I am the Debian maintainer for gnucash.  gnucash offers a feature to
> connect to banks, called HBCI, which for supporting banks, allows you
> to download your financials very conveniently.  This is very common in
> Germany.
> Debian does this with the aqbanking library.  aqbanking uses a
> portability library called gwenhywfar to, among other things, deal
> with ssl.  gwenhywfar links with openssl.
> As we know, openssl is not GPL compatible.  To get around this,
> aqbanking and gwenhywfar both contain a special exception to allow
> linking with openssl.
> But that's not good enough (and this is verified with the GPL
> Compliance Lab); *everything* in the gnucash binary which is GPL'd
> would need to have that exception.  Needless to say, that's a lot of
> gnome, and long-vanished gnucash developers, and other people who
> would all need to give permission.  Ain't gonna happen.
> The normal thing to do is simply to link the code in question
> (gwenhywfar) with gnutls instead of openssl.  Supposedly, gnutls is
> advertised as a drop-in replacement for openssl.

Where have you seen this?  I don't think we advertise the OpenSSL
compatibility layer in GnuTLS prominently, and when it is mentioned,
it should say that it is unfinished and limited.

If you'd tell us where you got this impression, I could try to improve
the documentation.

The OpenSSL emulation layer in GnuTLS is quite thin, and I wouldn't
recommend anyone to use it unless they have a very strong reason to do
so.  I haven't seen a good reason here yet.

> But, alas, it ain't.  gwenhywfar uses features of openssl that gnutls
> doesn't support.
> And this brings me to you all.  Can I hook someone from the gnutls
> team up with someone who knows gwenhywfar, so that gnutls can support
> what gwenhywfar needs?

I'm listening.  First I'd like to try to convince you to use the
GnuTLS API instead.  It will probably be less work than fixing the
OpenSSL compatibility layer to do what you want.  What do you think?

If there is anything in the GnuTLS API that is missing, or some
utility function that would help smooth the transition, we can surely
do something.

