On Sun, 2002-11-03 at 01:02, Andrew Lau wrote:
> I just looked at that
> cupsys-1.1.15/config-scripts/cups-openssl.m4 and I find no mention of
> GnuTLS in there at all. Then I took a look at debian/rules and
> noticed that cupsys isn't even built with SSL or TLS enabled.
>
> ./configure --with-optim=$(DEB_OPTFLAGS) \
> --with-cups-group=lpadmin --mandir=/usr/share/man \
> --with-docdir=/usr/share/cups/doc-root --disable-ssl --enable-slp

SSL support was added in the 1.1.15 series, removed almost immediately after, and re-added in 1.1.16-1 using the GNU TLS compatibility library. As of this moment, the SSL-using CUPS has not reached testing.

> So this leaves me with a few problems.
>
> 1. I still don't know what steps are necessary to convert an OpenSSL
> program into one that uses GnuTLS for encryption.

You can look at the cupsys packages in unstable, though I should point out that the support is still very flaky.

It's actually not that difficult. You need to detect which SSL lib you're using, and include different headers based on that. Also, when you initialize an SSL connection, OpenSSL allows you to specify that a connection may be used for either client or server purposes, but GNU TLS forces you to choose. That's all I've experienced so far with it.

> 2. Until #16748 - cupsys needs a "Build-Conflicts: libssl-dev" is
> resolved, any cupsys-pt client will have no encrypted CUPS server
> in Debian to talk to.

That technically doesn't affect the presence or absence of SSL cupsd/libcups; it's more of a safety harness for preventing inadvertent license violations.

I have actually fixed the bug in a slightly different way than the bug title implies. Essentially, the configure script can now be told to ignore installed OpenSSL libs, and debian/rules passes that flag unless told explicitly not to.

> From my understanding of the above two clauses, cupsys can be
> built with OpenSSL support enabled. So why is it explicitly disabled
> at the moment? Why do you call for GnuTLS support for cupsys in
> #167489? What is the official debian-legal position on this because
> I'm really, really confused now...

Debian-legal helped hash out the CUPS license text, so the official answer from the d-l POV is that it's legal to link OpenSSL to CUPS. However, this does not say anything about third-party GPLed software.

As I understand it, Debian considers the OpenSSL and GPL licenses incompatible, despite the rather optimistic statement from the OpenSSL people. Specifically, check out the clause in the OpenSSL license that specifically mentions the GPL, as well as the old-BSD-style advertising clause.

As an interesting side note, although the cupsys packages can be built against OpenSSL, they are pretty much useless without the gs-esp package, which provides the PostScript RIP used for non-PostScript printers. The gs-esp package is ESP's small fork of GNU GhostScript, which is under the traditional GPL and must link against CUPS to be useful. It's therefore my opinion that any distribution shipping a useful CUPS linked against OpenSSL is in a potentially interesting legal state. ESP has attempted to adjust to this situation, but I haven't been keeping up with their efforts to know if they've succeeded or not, so distributions shipping CUPS 1.1.15 or later and ESP GhostScript 7.05.5 or later might be OK.

I'd rather not get into yet another OpenSSL license discussion, so I'll advise you to search the debian-legal archives for the last few months for more information.

