[gnutls-devel] dane - limited usability due to (indirect) OpenSSL dependency

Andreas Metzler ametzler at bebt.de
Sat Dec 28 14:55:12 CET 2013


I do not know whether you are aware of it but distributing libgnutls-dane
does not make a lot of sense currently:

(SID)ametzler at argenau:/tmp/GNUTLS/gnutls-3.2.8/libdane$ objdump -p .libs/libgnutls-dane.so | grep '^ *NEED'
  NEEDED               libgnutls.so.28
  NEEDED               libunbound.so.2
  NEEDED               libc.so.6
(SID)ametzler at argenau:/tmp/GNUTLS/gnutls-3.2.8/libdane$ objdump -p /usr/lib/i386-linux-gnu/libunbound.so.2 | grep '^ *NEED'
  NEEDED               libssl.so.1.0.0
  NEEDED               libldns.so.1
  NEEDED               libdl.so.2
  NEEDED               libcrypto.so.1.0.0
  NEEDED               libpthread.so.0
  NEEDED               libc.so.6

gnutls is LGPLv2.1+ (with a LGPLv3+ dependency), libunbound seems to
be BSD-ish (3-clause) but depends on OpenSSL. (Debian binary

As a curiosity there is also danetool(1) which is GPLv3+ and therefore
may not[1] be distributed linked against OpenSSL.

Apart from the licensing issue it is imho more than a little bit ugly
that software using libgnutls-dane links against both GnuTLS and

Checking unbound's ./configure I see that it could also be built
against NSS instead of OpenSSL. This would get rid of the OpenSSL
license problem, but still any libgnutls-dane user would depend on not
only one, but two of the three major TLS toolkits.

cu Andreas

[1] I am aware that there are divided opinions on this subject. e.g.
Fedora uses the system library exception clause for OpenSSL.
But e.g. Debian has always tried to not ship GPL software linked
against OpenSSL, and although this might change, I would not count on it.
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
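The dependency walk done by hand with objdump above, as an added example that is not part of the post or of the GnuTLS project: a Python script that parses `objdump -p` output and follows NEEDED entries transitively, reporting any libssl/libcrypto that ends up in the link closure and which library pulled it in. The embedded objdump text is constructed to mirror the listings in the post; the `live_resolver_for` helper and its search-directory argument are assumptions for running the same check against real files on a system with objdump(1) installed.

```python
"""Walk the NEEDED chain of an ELF shared object and report whether
OpenSSL (libssl/libcrypto) is pulled in, directly or indirectly.

Added example, not code from GnuTLS. The objdump output below is
constructed to mirror the post; the live resolver runs the real
objdump(1) and is only meant for use on an actual system.
"""
import os
import re
import shutil
import subprocess
from collections import deque

# A NEEDED line in `objdump -p` output looks like:
#   NEEDED               libunbound.so.2
NEEDED_RE = re.compile(r"^\s*NEEDED\s+(\S+)\s*$", re.MULTILINE)

# Constructed sample: what `objdump -p` printed for each library in the
# post, keyed by soname. Sonames with no entry are treated as leaves.
SAMPLE_OBJDUMP = {
    "libgnutls-dane.so": """
Dynamic Section:
  NEEDED               libgnutls.so.28
  NEEDED               libunbound.so.2
  NEEDED               libc.so.6
""",
    "libunbound.so.2": """
Dynamic Section:
  NEEDED               libssl.so.1.0.0
  NEEDED               libldns.so.1
  NEEDED               libdl.so.2
  NEEDED               libcrypto.so.1.0.0
  NEEDED               libpthread.so.0
  NEEDED               libc.so.6
""",
}


def needed_from_objdump(text):
    """Return the sonames on NEEDED lines of `objdump -p` output, in order."""
    return NEEDED_RE.findall(text)


def sample_resolver(soname):
    """Resolver over the constructed sample above (offline)."""
    return SAMPLE_OBJDUMP.get(soname, "")


def live_resolver_for(search_dirs):
    """Hypothetical helper: resolver that runs the real objdump(1) on a
    soname found in `search_dirs` (e.g. ["/usr/lib/i386-linux-gnu"])."""
    objdump = shutil.which("objdump")

    def resolve(soname_or_path):
        candidates = [soname_or_path] + [
            os.path.join(d, soname_or_path) for d in search_dirs]
        for path in candidates:
            if objdump and os.path.isfile(path):
                return subprocess.run([objdump, "-p", path],
                                      capture_output=True, text=True).stdout
        return ""  # not found: treat as a leaf rather than fail
    return resolve


def transitive_needed(root, resolver):
    """Breadth-first closure of NEEDED entries starting at `root`.
    Returns {soname: via}, where `via` is the object that first required it."""
    seen = {}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for dep in needed_from_objdump(resolver(cur)):
            if dep not in seen:
                seen[dep] = cur
                queue.append(dep)
    return seen


OPENSSL_PREFIXES = ("libssl.so", "libcrypto.so")


def openssl_in_closure(root, resolver=sample_resolver):
    """Return sorted [(soname, via)] for every OpenSSL library in the
    transitive closure of `root`; empty list means no OpenSSL dependency."""
    closure = transitive_needed(root, resolver)
    return sorted((so, via) for so, via in closure.items()
                  if so.startswith(OPENSSL_PREFIXES))


if __name__ == "__main__":
    for so, via in openssl_in_closure("libgnutls-dane.so"):
        print(f"{so} pulled in via {via}")
```

Running it against the constructed sample reports both libssl.so.1.0.0 and libcrypto.so.1.0.0 as reached via libunbound.so.2, which is the indirect dependency the post is about; on a real system, pass `resolver=live_resolver_for([...])` with the distribution's library directories.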
