Bug#1065007: pycurl: Please reconsider SSL choice (OpenSSL instead of GnuTLS)

2024-04-19 Thread Samuel Henrique
Hello Boyuan and Scott,

> I was made aware of issues encountered by multiple users due to pycurl using
> GnuTLS instead of OpenSSL. Reviewing https://bugs.debian.org/515200 , it
> looks like the only reason of not using OpenSSL is the old OpenSSL licensing
> issue in the past.

That bug is 15 years old and you did not mention any details about the issues
that you're having. Effectively there is no documented reason to switch to
openssl on this bug.

Scott, I see that you went ahead and switched to openssl anyway:

> I don't have any objections to rebuilding pycurl with openssl.

We are close to enabling support to http3 for the gnutls libcurl, so this
switch kills any possibility of pycurl supporting http3, at least until openssl
gets proper http3 support (might not happen for the next stable release).

On the curl side, we are considering switching the default backend used by curl
(the cli) for the gnutls one, so we can enable http3.

Boyuan, can you provide any details on the issues you found? Otherwise I would
recommend staying with gnutls for now and so pycurl will soon make use of a
http3-enabled libcurl.

Cheers,

--
Samuel Henrique 



Bug#1065007: pycurl: Please reconsider SSL choice (OpenSSL instead of GnuTLS)

2024-02-28 Thread Scott Talbert

On Wed, 28 Feb 2024, Boyuan Yang wrote:


> Source: pycurl
> Version: 7.45.2-7
> Severity: normal
> X-Debbugs-CC: s...@techie.net
>
> Dear Debian pycurl maintainer,
>
> I was made aware of issues encountered by multiple users due to pycurl using
> GnuTLS instead of OpenSSL. Reviewing https://bugs.debian.org/515200 , it
> looks like the only reason of not using OpenSSL is the old OpenSSL licensing
> issue in the past.
>
> With OpenSSL 3.0 and later, linking against OpenSSL is obviously no longer
> problematic due to license switching to Apache-2.0. As a result, I am once
> again requesting using OpenSSL for SSL implementation for pycurl or at least
> adding an option for users to select.
>
> Currently I believe several options exist:
>
> 1) Switch the default package python3-pycurl to use OpenSSL.
> 2) Add a new binary package python3-pycurl-openssl, which is linked to OpenSSL.
> 3) Add binary packages python3-pycurl-openssl and python3-pycurl-gnutls, and let
> python3-pycurl to be an empty dependency package that may default to a certain
> implementation of your choice.
>
> In any case, the binary packages providing the same files and the same
> functionalities shall mutually conflict with each other.
>
> If you need patches for any of the choices, please let me know. Please also
> let me know if you have any comments. If needed, I can make package uploads
> via Team upload.
> Thanks!


Thanks for CC'ing me on the bug report.

I don't have any objections to rebuilding pycurl with openssl.  I don't 
see a lot of value in having the added complexity of building both 
versions, so I'm fine with just switching to openssl.  I'm in the middle 
of a new upstream release right now, but I'll plan to switch it after 
that.


Scott



Bug#1065007: pycurl: Please reconsider SSL choice (OpenSSL instead of GnuTLS)

2024-02-28 Thread Boyuan Yang
Source: pycurl
Version: 7.45.2-7
Severity: normal
X-Debbugs-CC: s...@techie.net

Dear Debian pycurl maintainer,

I was made aware of issues encountered by multiple users due to pycurl using
GnuTLS instead of OpenSSL. Reviewing https://bugs.debian.org/515200 , it looks
like the only reason of not using OpenSSL is the old OpenSSL licensing issue in
the past.

With OpenSSL 3.0 and later, linking against OpenSSL is obviously no longer
problematic due to license switching to Apache-2.0. As a result, I am once
again requesting using OpenSSL for SSL implementation for pycurl or at least
adding an option for users to select.

Currently I believe several options exist:

1) Switch the default package python3-pycurl to use OpenSSL.
2) Add a new binary package python3-pycurl-openssl, which is linked to OpenSSL.
3) Add binary packages python3-pycurl-openssl and python3-pycurl-gnutls, and let
python3-pycurl to be an empty dependency package that may default to a certain
implementation of your choice.

In any case, the binary packages providing the same files and the same
functionalities shall mutually conflict with each other.

If you need patches for any of the choices, please let me know. Please also
let me know if you have any comments. If needed, I can make package uploads
via Team upload.
Thanks!

Best,
Boyuan Yang

