Bug#727660: gnutls28: CVE-2013-4466: GNUTLS-SA-2013-3

Andreas Metzler ametzler at bebt.de
Sun Oct 27 14:17:07 UTC 2013


On 2013-10-26 Daniel Kahn Gillmor <dkg at fifthhorseman.net> wrote:
> On 10/26/2013 02:24 AM, Andreas Metzler wrote:
> > On Fri, Oct 25, 2013 at 09:56:58AM -0400, Daniel Kahn Gillmor wrote:
> > > btw, it's not clear to me why we --disable-libdane -- I see that it was
> > > set (along with --without-tpm) in 3.1.3-1, but i don't see the reason
> > > for it.  could that be clarified someplace?
> >
> > --without-tpm had some license rationale, --disable-libdane might have
> > been related to licensing (I think it was one of the leftover LGPLv3
> > GnuTLS parts at this time and I have not completely given up on a
> > LGPLv2+ GnuTLS stack). If there is *strong* interest in libdane I can
> > double-check and enable if feasible (or else document).
>
> I am interested in libdane, and would like to know what the rationale
> is.  I'd also be curious to know more about "some license rationale" for
> --without-tpm, though i consider TPM of much lower interest compared to
> DANE.


Hello,

tpm used to be undistributable, see
<https://gitorious.org/gnutls/gnutls/commit/0fcbd34c953304dd06ebd49389af4b78575bd55b>
and
<http://lists.gnutls.org/pipermail/gnutls-devel/2013-October/006539.html>.

The dane situation is slightly better, but still sucks. libdane
requires and links against libunbound. libunbound OTOH is linked
against OpenSSL's libssl on Debian[1]. Therefore libdane and any
program using it ends up being dynamically linked against both libssl
(OpenSSL license) and GnuTLS (LGPLv3+ via gmp).

The result is not undistributable but not very useful, since it is
e.g. GPL-incompatible.[2] Apart from that it is more than a little bit
ugly that libdane customers end up being linked against two different
major TLS toolkits.

cu Andreas

[1] From a quick look at unbound's ./configure it looks like it could
use NSS instead of OpenSSL. I guess the license situation might be
better then, but the ugliness still remains.
[2] GnuTLS' danetool command-line program is GPLv3 and would therefore
be undistributable.
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'