GnuTLS 3 in Debian
This page tries to sum up relevant information from the thread on debian-devel.
Intro
Debian is still relying heavily on GnuTLS 2.12.x, which is not sustainable for much longer.
State of Play
In July 2011, with version 3.0, GnuTLS switched to Nettle as its only supported crypto backend. Nettle requires GMP.
GnuTLS and Nettle are available under LGPLv2.1+. GMP used to be licensed LGPLv2.1+ but moved to LGPLv3+ with version 4.2.2 (released September 2007).
Therefore GnuTLS 3.x cannot be linked into software licensed GPLv2 only (without the "or later" clause), since LGPLv3 is incompatible with GPLv2. This is the main reason most of Debian is still using GnuTLS 2.x.
Problems
GnuTLS 2.12.x is dated. It is upstream's old-old-old stable branch (followed by 3.0.x, 3.1.x and 3.2.x). The last bugfix release was made in February 2012; since then security fixes have not been published as releases but only as patches in git. GnuTLS 2.12.x also does not build against the recently released libgcrypt 1.6.0, so we would need to keep yet another old library version around, since it is improbable that upstream will devote resources to porting GnuTLS 2.12.x to newer libgcrypt.
How to continue from here/solve this
#1 Fork the last LGPLv2.1+ GMP (version 4.2.1) for Debian.
#2 Fork GnuTLS 2 for Debian.
#3 Hope that GMP is relicensed to GPLv2+/LGPLv3+.
#4 Hope that Nettle switches to a different arbitrary precision arithmetic library.
#5 Declare GMP to be a system library (in the sense of the GPL's system library exception).
#6 Declare OpenSSL to be a system library and use it extensively instead of GnuTLS.
#7 Move to GnuTLS 3, drop GnuTLS 2. Packages which cannot use GnuTLS 3 for license reasons will need to drop TLS support, be relicensed, or be ported to a different TLS library.
Comments
Andreas Metzler
I do not think #1 and #2 are realistic given Debian's manpower issues. Also #1 would stop working at all if Nettle started requiring newer GMP features. Nettle 2.7.1's testsuite does not succeed against LGPLv2.1+ GMP 4.2.1; some bugfixes from later releases would already be needed.
I have given up on #3 and do not think it will happen. GMP upstream has been made aware of the issue in 2011 and has not shown any intention of a license change.
#4 is just here for completeness sake.
#5 was how Fedora looked at the OpenSSL library issue.
Fedora is discussing the issue in Bug 986347. There is an automatically generated dependency tree with the problematic packages highlighted, crosslinked in the bug report. Debian does not have the infrastructure to do something similar, but I guess GnuTLS usage is more widespread.
Unsurprisingly there seems to be no consensus on whether Debian should implement #5/#6 if it were legally safe (to be checked by the Software Freedom Law Center).
Solution reached in March 2014
GMP was relicensed with version 6.0.0; it is now dual-licensed LGPLv3+/GPLv2+, which removes the incompatibility with GPLv2-only software.
