GnuTLS in Debian

Shawn Wilson at
Mon Dec 23 01:16:05 UTC 2013

My gut reaction was that #5 or #6 are the best option (leaning to #6). However, I guess I don't understand how making something a system library affects the license?

Andreas Metzler <ametzler at> wrote:
>Debian is still relying heavily on GnuTLS 2.12.x, and I do not think
>this is sustainable for much longer.
>State of Play:
>In July 2011 with version 3.0 [1] GnuTLS switched to Nettle as only
>supported crypto backend. Nettle requires GMP.
>GnuTLS and Nettle are available under LGPLv2.1+.  GMP used to be
>licensed LGPLv2.1+ ages ago but upgraded to LGPLv3+ in version 4.2.2
>(released September 2007).
>Therefore GnuTLS 3.x cannot be used by GPLv2 (without "or later"
>clause) software which is the main reason most of Debian is still
>using GnuTLS 2.x.
>GnuTLS 2.12.x is dated. It is upstream's old-old-old stable release
>(followed by 3.[012].x). The latest bugfix release happened in
>February 2012, later security fixes have not been solved by releases
>but by patches in GIT. GnuTLS 2.12.x does not work with the recently
>released gcrypt 1.6.0. Therefore we will need to keep another old library version
>around. (I doubt that GnuTLS upstream will port GnuTLS 2.12.x to newer
>How to continue from here/solve this:
>#1 Fork LGPLv2.1+ GMP (version 4.2.1) for Debian.
>#2 Fork GnuTLS 2 for Debian.
>#3 Hope that GMP is relicensed to GPL2+/LGPLv3+
>#4 Hope nettle switches to a different arbitrary precision arithmetic
>#5 Declare GMP to be a system library.
>#6 Move to GnuTLS3, drop GnuTLS2. Packages which cannot use GnuTLS3
>for license reasons will need to drop TLS support or be relicensed or
>be ported to a different TLS library.
>Personal comments:
>I do not think #1 and #2 are realistic given Debian's manpower issues.
>#1 would stop working at all if nettle required newer GMP features. (I
>have not checked whether this is already the case.)
>I have given up on #3 and do not think it will happen. GMP upstream has
>been made aware of the issue in 2011 [2] and has not shown any
>intention of a license change.
>#4 is just here for completeness' sake.
>#5 was how Fedora looked at the OpenSSL library issue. Since Debian
>has another viewpoint on OpenSSL I somehow doubt we would use it for
>Fedora is discussing the issue in
><>. There is
>an automatically generated dependency tree with the problematic packages
>highlighted crosslinked in the bugreport[3]. Debian does not have the
>infrastructure to do something similar, but I guess gnutls usage is
>more widespread.
>Afaict it boils down to #6. But perhaps I have missed something
>obvious. Comments welcome.
>cu Andreas
>[1] Version 2.11.1 (released 2010-09-14) used nettle as
>/preferred/ crypto backend, however gcrypt was still supported as
>`What a good friend you are to him, Dr. Maturin. His other friends are
>so grateful to you.'
>`I sew his ears on from time to time, sure'

More information about the Pkg-gnutls-maint mailing list