CUPS is now linked against OpenSSL

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 14 04:03:04 UTC 2014


On 01/13/2014 11:38 AM, Didier 'OdyX' Raboud wrote:

> That would be quite a bold move to take. The one aspect that puzzles me 
> most is: in which ways "no TLS security" is better than "incompletely 
> secure TLS"? 

if the only axis we're measuring along is cryptographic security, then
protecting against passive attackers (eavesdroppers) is clearly better
than not doing so.

but if people think that CUPS' TLS protects them against active
attackers, and they use that to do things like send confidential
information over the link, they have been lulled into a false sense of
security.

And: cryptographic security is not the only axis we should be measuring
on.  The other axis is difficulty of license compliance, and CUPS
licensing is currently in a state that i would consider it difficult to
ship effectively with any sort of well-maintained cryptographic support
and remain in compliance with all the relevant licenses.

Does this make CUPS less useful than it used to be?  Is this a
regression?  yes, and yes.  That's why we should try to get one project
(either CUPS or GMP) to change their licensing to fix the issue rather
than trying to get dozens of projects to change their licensing.

Alternately, does anyone know anyone from the polarssl community who we
could cajole into patching that TLS implementation into CUPS?

	--dkg
