Choice of TLS library for Debian OpenLDAP package

John Scott jscott at posteo.net
Mon Apr 17 20:33:41 BST 2023


Hi,

In previous bug reports and discussions with Ryan Tandy, I thought one of the anticipated changes in the packaging was that we'd be switching from GnuTLS to OpenSSL since OpenSSL isn't plagued by license problems anymore and OpenSSL is allegedly what upstream better supports. However, even the experimental packages still use GnuTLS. How come?

The reason I ask is because I just asked upstream (without a patch) to consider incorporating DANE support, and if nobody is maintaining the GnuTLS code, Debian will never get to benefit from it, even though our very own Debian LDAP server has DANE enabled right now:

$ dig -t TLSA _389._tcp.db.debian.org

; <<>> DiG 9.18.12-1-Debian <<>> -t TLSA _389._tcp.db.debian.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12273
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; ANSWER SECTION:
_389._tcp.db.debian.org. 600 IN	TLSA 3 1 1 (
				EC9AA29C3F7ADD3238EF0E73D41AB13E028BD8997593
				31EF7047EB9A6BDDE703 )

Thanks


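Added example, not part of the original message and not OpenLDAP or Debian code: how a DANE client would read the `3 1 1` record from the dig output above (RFC 6698: usage 3 = DANE-EE, selector 1 = SubjectPublicKeyInfo, matching type 1 = SHA-256) and compare it with what the server presents. The function names are hypothetical, and the caller is assumed to supply the DER-encoded certificate and SPKI and to have obtained the answer through a DNSSEC-validating resolver.

```python
import hashlib
import hmac
import re

# TLSA answer copied from the dig output in the message above.
PAGE_ANSWER = """_389._tcp.db.debian.org. 600 IN TLSA 3 1 1 (
                EC9AA29C3F7ADD3238EF0E73D41AB13E028BD8997593
                31EF7047EB9A6BDDE703 )"""

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
HASHES = {1: hashlib.sha256, 2: hashlib.sha512}  # matching type 0 = full data


def parse_tlsa(answer):
    """Parse one TLSA answer in presentation format (as printed by dig)."""
    m = re.search(r"\bTLSA\s+(\d+)\s+(\d+)\s+(\d+)\s+\(?([0-9A-Fa-f\s]+)\)?", answer)
    if not m:
        raise ValueError("no TLSA record found")
    usage, selector, mtype = (int(m.group(i)) for i in (1, 2, 3))
    data = bytes.fromhex("".join(m.group(4).split()))
    if usage not in USAGES or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters")
    if mtype in HASHES and len(data) != HASHES[mtype]().digest_size:
        raise ValueError("association data has wrong length for matching type")
    return usage, selector, mtype, data


def tlsa_matches(answer, cert_der, spki_der):
    """Compare a TLSA record with the certificate the server presented.

    cert_der is the full certificate and spki_der its SubjectPublicKeyInfo,
    both DER-encoded bytes supplied by the caller (assumption of this sketch).
    """
    _usage, selector, mtype, data = parse_tlsa(answer)
    selected = spki_der if selector == 1 else cert_der
    candidate = HASHES[mtype](selected).digest() if mtype in HASHES else selected
    return hmac.compare_digest(candidate, data)


def format_tlsa(usage, selector, mtype, selected_der):
    """Build the rdata a zone would publish for the given certificate data."""
    digest = HASHES[mtype](selected_der).hexdigest() if mtype in HASHES else selected_der.hex()
    return f"TLSA {usage} {selector} {mtype} {digest.upper()}"
```

Because the record pins the public key rather than the whole certificate, it keeps matching across certificate renewals as long as the key pair is reused.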