Bug#748535: transition: gnutls28

Andreas Metzler ametzler at bebt.de
Sun May 18 06:52:53 UTC 2014

Package: release.debian.org
Severity: normal
User: release.debian.org at packages.debian.org
Usertags: transition


I would like to ship jessie without GnuTLS 2.x (gnutls26) as it is
dead upstream and _old_. The last upstream release was in February
2013, marking the end of a multi-year series of bugfix-only releases.

Transitioning to GnuTLS 3.x is possible nowadays because GMP has
switched to LGPLv3+/GPLv2+.

Relevant bugs (as reported so far) are usertagged

The newer gnutls version is mostly API compatible, only a handful
(less than 5) packages showed build-breakage due to removed functions
in my test. (Sadly openldap is one of the candidates (ITS#7430 aka

Almost all breakage is due to gnutls switching from gcrypt to nettle,
breaking the assumption that -lgcrypt works if -lgnutls does. While
there is an obvious solution to this problem (Package: libgnutls-dev /
Depends: libgnutls28-dev, libgcrypt20-dev | libgcrypt11-dev) it is
probably not the right one to actually ship.

Most of this gcrypt usage is superfluous, only adapting gcrypt behavior
on the assumption that it is used by gnutls. Of the rest, a big part
is only using a handful of gcrypt functions (typically md5 or sha1)
and would do well with doing this with the GnuTLS crypto API instead
of adding another dependency.

I am not sure how to go about this; I am looking at packages one at a
time. Perhaps it would be better to do a big move like this:
#1 Let libgnutls-dev depend on libgnutls28-dev, libgcrypt20-dev |
#2 Rebuild everything, transition to testing.
#3 Get rid of unnecessary gcrypt usage one at a time, add
   libgcrypt20-dev dependency where really necessary
#4 Drop libgnutls-dev's dependency on gcrypt.

While this looks good, I expect there will be some
#2a Some packages break, they build successfully but break at runtime

cu Andreas

Ben file:

title = "gnutls28";
is_affected = .depends ~ "libgnutls26" | .depends ~ "libgnutls-dev" | .depends ~ "libgnutlsxx27" | .depends ~ "libgnutls28" | .depends ~ "libgnutls28-dev" | .depends ~ "libgnutlsxx28";
is_good = .depends ~ "libgnutls28" | .depends ~ "libgnutls28-dev" | .depends ~ "libgnutlsxx28";
is_bad = .depends ~ "libgnutls26" | .depends ~ "libgnutls-dev" | .depends ~ "libgnutlsxx27";

`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
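
The three predicates of the Ben file above, evaluated over package stanzas, as an added example that is not part of the original message and is not ben's own code. It assumes `~ "text"` is a substring test on the named field; the package names, Depends values and the state labels ("mixed", "unaffected") are constructed for illustration.

```python
import re

# The three predicates exactly as they appear in the Ben file above.
BEN = {
    "is_affected": '.depends ~ "libgnutls26" | .depends ~ "libgnutls-dev" | .depends ~ "libgnutlsxx27" | .depends ~ "libgnutls28" | .depends ~ "libgnutls28-dev" | .depends ~ "libgnutlsxx28"',
    "is_good": '.depends ~ "libgnutls28" | .depends ~ "libgnutls28-dev" | .depends ~ "libgnutlsxx28"',
    "is_bad": '.depends ~ "libgnutls26" | .depends ~ "libgnutls-dev" | .depends ~ "libgnutlsxx27"',
}

TERM = re.compile(r'\.([\w-]+)\s*~\s*"([^"]*)"')

def parse(expr):
    """Split an OR-only expression into (field, needle) pairs."""
    terms = []
    for part in expr.split("|"):
        m = TERM.fullmatch(part.strip())
        if m is None:
            raise ValueError(f"unsupported term: {part!r}")
        terms.append((m.group(1), m.group(2)))
    return terms

def matches(terms, pkg):
    # Assumption: `~ "text"` is a substring test on the named field.
    return any(needle in pkg.get(field, "") for field, needle in terms)

def classify(pkg):
    """Return a hypothetical state label for one package stanza."""
    hit = {name: matches(parse(expr), pkg) for name, expr in BEN.items()}
    if not hit["is_affected"]:
        return "unaffected"
    if hit["is_good"] and hit["is_bad"]:
        return "mixed"  # still pulls in gnutls26 somewhere
    return "good" if hit["is_good"] else "bad"

# Constructed sample stanzas (not real archive data).
SAMPLE = {
    "app-old": {"depends": "libc6 (>= 2.17), libgnutls26 (>= 2.12.17-0)"},
    "app-new": {"depends": "libc6 (>= 2.17), libgnutls28 (>= 3.2.0)"},
    "app-mixed": {"depends": "libgnutls26 (>= 2.12.17-0), libgnutls28 (>= 3.2.0)"},
    "foo-dev": {"depends": "libfoo1, libgnutls-dev"},
    "app-other": {"depends": "libc6 (>= 2.17), libssl1.0.0"},
}

def report(packages=SAMPLE):
    return {name: classify(pkg) for name, pkg in sorted(packages.items())}

if __name__ == "__main__":
    for name, state in report().items():
        print(f"{name:10} {state}")
```

Under the substring assumption, `"libgnutls28"` already covers `"libgnutls28-dev"`, while `"libgnutls-dev"` does not match `libgnutls28-dev`, so a package depending on the unversioned `libgnutls-dev` counts as bad until it is changed.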