Hi dkg,
On Wed, May 20, 2015 at 12:58:08PM -0400, Daniel Kahn Gillmor wrote:
> https://bugs.debian.org/725153 suggests moving openldap's TLS backend in
> debian from gnutls to nss.
> The reasons given appear to be the older gnutls/gcrypt suid problem
> (which is quite a serious concern, particularly for libpam_ldap), and
> that newer gnutls/nettle introduces some licensing issues.
My understanding was that motivation for the request was wanting to
provide a fully-featured freeipa server in Debian, while some of its
features (specifically replication) only work properly when using
libldap built with nss.
> The licensing issues have been resolved by nettle relicensing to LGPL 3+
> or GPL 2+, effective in nettle 3.0:
> http://mid.gmane.org/[email protected]
Since 2.4.40-1 (in jessie) we already build with gnutls28 and nettle,
based on libgmp having changed its license (#745231), but jessie only
has nettle 2.7. I hope I didn't introduce a licensing problem by doing
that? IIUC we take gmp as GPLv2+, nettle as LGPLv2.1+, and gnutls as
LGPLv2.1+, so the combination should be compatible with GPLv2+.
> If the work to switch openldap to NSS is strictly because of licensing
> concerns that have been resolved since the bug was opened, please
> reconsider the switch.
I don't think anyone intends to switch the default libldap or slapd to
nss. I personally would argue against causing that kind of upgrade pain.
There's still a possibility of providing an alternate libldap built with
nss, but that would take some work, and it sounds like freeipa upstream
are moving away from needing it anyway. So this bug will probably just
go away eventually.
hope that helps,
Ryan