[Pkg-openldap-devel] Bug#725153: Bug#725153: migrate to libnss3
Steve Langasek
vorlon at debian.org
Mon Oct 7 03:36:01 UTC 2013
On Wed, Oct 02, 2013 at 08:36:23AM +0300, Timo Aaltonen wrote:
> Package: openldap
> Version: 2.4.31-1+nmu2
> Severity: wishlist
>
> I'd like to migrate openldap to build against the NSS libs, in order
> to support features on 389ds where it is acting as an SSL client
> (replication etc) and expects NSS. 389 depends on libldap, but when it's
> built against gnutls things break.
>
> Licensing-wise it's not an issue, since NSS is dual-licensed
> MPL-1.1/LGPL-2.1 so they're compatible.

Right; if this were LGPL-3 it would be a problem, but LGPL-2.1 keeps us
compatible with all reverse-dependencies.

Upstream has recently commented about NSS being worse than gnutls.
Considering upstream has also expressed dissatisfaction with gnutls itself,
I wonder how bad NSS is to warrant such a reaction. Are you aware of any
compatibility problems with *other* packages, when using libldap built
against NSS?

I have thought about switching us over to using NSS, because it seems that
it would solve the various stupid gnutls/gcrypt library initialization bugs,
which are otherwise only solvable with gnutls by upgrading to a version that
uses nettle in place of gcrypt - and that in turn brings other license
compatibility problems.

I've also considered whether we should do two separate builds of libldap,
one for internal consumption by slapd (probably statically linking) and
using OpenSSL, and one for use by third-party packages and using a
license-compatible TLS implementation... whether that's gnutls, or NSS. If
NSS is a suitable implementation to use for libldap generally (even if not
for slapd), that would seem to be the best option to solve both the 389ds
bug and get us away from a stale version of gnutls.

Thanks,
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                vorlon at debian.org