On Mon, Sep 17, 2012 at 05:30:44PM +0200, gregor herrmann wrote: > On Sun, 16 Sep 2012 20:19:56 +0200, Alessandro Ghedini wrote: > > Ciao Alessandro, > > thanks alot for taking the time to shed some light here!
No problem
> > > Directly depending on libcurl3* packages is of no use: either the
> > > application
> > > links to a libcurl flavour, in which case it would already Depends on a
> > > suitable
> > > libcurl3 package, or it doesn't and it wouldn't pick up the library even
> > > if
> > > installed
>
> Makes sense ... But liboauth does link (and therefore depend on) one
> of the curl libs, unless forced to do otherwise.
My comment was about the "do not build-depends on libcurl4*-dev and manually
depend on a libcurl3*" solution exposed above, which wouldn't work.
> What I've done now, since I'm more interested in #650138 actually :)
I think I see the problem: the NSS libcurl flavour needs a proper NSS
certificate database (just like any other application using NSS, e.g. chromium
and firefox generate their own databases), otherwise the SSL/TLS support is
mostly broken (i.e. the certificate checks always fail, see #655628).
Now I'm not really into OAuth nor Twitter-like things, but I guess that Twitter
and Identi.ca provide an HTTPS end-point for their OAuth APIs... HTTPS requires
SSL/TLS certificate checking by default... I guess you see where this is going.
I think liboauth use of NSS does not involve certificate checking but libcurl's,
unless otherwise told, does. But they are independent.
From liboauth 0.9.4-3 changelog:
* Sync from Ubuntu:
[ Mathieu Trudel-Lapierre ]
* debian/control: liboauth-dev really needs libcurl4-nss-dev, not
libcurl4-gnutls-dev (nss is required in the .pc file)
(closes: #646485, #639565)
[ Sjoerd Simons ]
* collab-main team update
* debian/control: Swith build-depend to libcurl4-nss-dev from
libcurl4-gnutls-dev. oauth itself uses nss for SSL
That probably explains why liboauth and in turn bti stopped working from that
version.
So, to recap, IMO liboauth and bti (well, I'm not really sure about bti... but
that doesn't hurt) should build-depend on libcurl4-gnutls-dev, which would fix
#650138, and liboauth-dev should depend on libcurl4-gnutls-dev | libcurl4-dev,
which would fix #639565 (as exposed in the submission email).
libcurl3* runtime independence is not possible unless leaving libcurl's symbols
unresolved (as explained a few emails ago). But I don't quite see why one would
want the independence in the first place. To quote Tsukasa Hamano: "The depends
is force developper to link with gnutls", I'm not quite sure what he meant, but
the developer (using liboauth) is not forced to link againt anything, liboauth
is, but it doesn't affect the developer using it. And when using a static
liboauth
(i.e. what the Requires.private in oauth.pc and the liboauth-dev Depends are
for) one can choose any libcurl. If really needed, one can rebuild liboauth from
source, in which case "libcurl4-gnutls-dev | libcurl4-dev" in its build-depend
would help.
Cheers
--
perl -E '$_=q;$/= @{[@_]};and s;\S+;<inidehG ordnasselA>;eg;say~~reverse'
signature.asc
Description: Digital signature
