[gnutls-help] Shall we update Nettle version requirement?

Simon Josefsson simon at josefsson.org
Fri Nov 7 12:58:21 CET 2025


+1

We'll never fully know if this is a real deal-breaker for anyone until
we try, so I suggest just bumping the requirement in a soonish GnuTLS
release, and then wait for people to package it, and only later start to
remove the duplicate code that is no longer needed.

/Simon

Daiki Ueno <ueno at gnu.org> writes:

> Hello,
>
> Provoked by this issue[1], I started thinking about updating the minimum
> version of Nettle required by GnuTLS.  Currently it's 3.6, while 3.10
> was released 1.5 years ago.  By updating it, we can eliminate the
> bundled copies of RSA-OAEP, AES-GCM-SIV, and SHAKE implementations, as
> well as the CVE-2021-4209 fix.  Given Nettle 3.10.2 is ABI compatible
> with 3.6, I'm assuming that there is little impact to downstreams.
>
> Any thoughts?
>
> Footnotes:
> [1]  https://gitlab.com/gnutls/gnutls/-/issues/1759