[Pkg-openldap-devel] Bug#725153: Bug#725153: openldap, nss, and gnutls
Ryan Tandy
ryan at nardis.ca
Wed May 20 17:43:23 UTC 2015
Hi dkg,
On Wed, May 20, 2015 at 12:58:08PM -0400, Daniel Kahn Gillmor wrote:
>https://bugs.debian.org/725153 suggests moving openldap's TLS backend in
>debian from gnutls to nss.
>
>The reasons given appear to be the older gnutls/gcrypt suid problem
>(which is quite a serious concern, particularly for libpam_ldap), and
>that newer gnutls/nettle introduces some licensing issues.
My understanding was that the motivation for the request was wanting to
provide a fully-featured freeipa server in Debian, while some of its
features (specifically replication) only work properly when using
libldap built with nss.
>The licensing issues have been resolved by nettle relicensing to LGPL 3+
>or GPL 2+, effective in nettle 3.0:
>
> http://mid.gmane.org/nnd2el5d8h.fsf@bacon.lysator.liu.se
Since 2.4.40-1 (in jessie) we already build with gnutls28 and nettle,
based on libgmp having changed its license (#745231), but jessie only
has nettle 2.7. I hope I didn't introduce a licensing problem by doing
that? IIUC we take gmp as GPLv2+, nettle as LGPLv2.1+, and gnutls as
LGPLv2.1+, so the combination should be compatible with GPLv2+.
>If the work to switch openldap to NSS is strictly because of licensing
>concerns that have been resolved since the bug was opened, please
>reconsider the switch.
I don't think anyone intends to switch the default libldap or slapd to
nss. I personally would argue against causing that kind of upgrade pain.
There's still a possibility of providing an alternate libldap built with
nss, but that would take some work, and it sounds like freeipa upstream
are moving away from needing it anyway. So this bug will probably just
go away eventually.
hope that helps,
Ryan