|
Home > Archive > Debian Developers > October 2005 > curl status update
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
curl status update
|
|
| Domenico Andreoli 2005-09-29, 6:01 pm |
| hi all,
i've just uploaded curl 7.14.1-3 to experimental, it should put curl
back in a good state. i also uploaded pycurl built using curl+gnutls.
to build something with libcurl, one has to install either
libcurl3-openssl-dev or libcurl3-gnutls-dev. the built package will
depend on libcurl3 (with openssl) or libcurl3-gnutls respectively.
both libcurl3 and libcurl3-gnutls packages may finally be installed
at the same time. libcurl's rdepends packagers are now really free to
choose whatever flavour of libcurl they wish.
somebody will encourage the use of GnuTLS variant, others will stay
with the OpenSSL one. now it is only a matter of taste, licensing or
whatever else IMHO i don't even need to know. both upstream and users
are now able to make their choices without me limiting them in any way.
i'm sorry to have spent more than ~1.5 months before coming to a decent
solution, i've been really too busy to study some of the new things
i had to understand and to freshly think at what i wanted to do with
them and the package.
i wish to thank Elimar Riesebieter, Daniel Stenberg, Marco d'Itri,
Paul TBBle Hampson, Richard Atterer, Steve Langasek, Adeodato Simó,
Henrique de Moraes Holschuh, Thomas Bushnell, Otavio Salvador, Matthias
Urlichs, Olaf van der Spek, Henning Makholm and all the others i sadly
forgot to mention. all of them someway helped me to find a hopefully
nice solution.
the testing season is then opened. if no grave bugs will be discovered
i'd upload -4 to unstable in a week or two. let me know.
cheers
domenico
-----[ Domenico Andreoli, aka cavok
--[ http://people.debian.org/~cavok/gpgkey.asc
---[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50
| |
| Marco d'Itri 2005-09-29, 6:01 pm |
| On Sep 29, Domenico Andreoli <cavok@debian.org> wrote:
> to build something with libcurl, one has to install either
> libcurl3-openssl-dev or libcurl3-gnutls-dev. the built package will
> depend on libcurl3 (with openssl) or libcurl3-gnutls respectively.
Why is openssl the default?
I think everybody agrees that in the long period everybody will want to
use gnutls, which is supposed to have the same features but does not
have licensing issues.
--
ciao,
Marco
| |
| Wouter Verhelst 2005-09-29, 6:01 pm |
| On Thu, Sep 29, 2005 at 02:37:35PM +0200, Marco d'Itri wrote:
> On Sep 29, Domenico Andreoli <cavok@debian.org> wrote:
>
> Why is openssl the default?
> I think everybody agrees that in the long period everybody will want to
> use gnutls, which is supposed to have the same features but does not
> have licensing issues.
That's actually not true, GnuTLS has the reverse licensing issues from
OpenSSL. OpenSSL cannot be linked with GPL-licensed software; GnuTLS,
OTOH, is licensed under the GPL (as opposed to the LGPL), so cannot be
linked to applications that do not want to be distributed under the
terms of the GPL (or applications that have a GPL-incompatible license,
for that matter).
--
The amount of time between slipping on the peel and landing on the
pavement is precisely one bananosecond
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Domenico Andreoli 2005-09-29, 6:01 pm |
| On Thu, Sep 29, 2005 at 02:37:35PM +0200, Marco d'Itri wrote:
> On Sep 29, Domenico Andreoli <cavok@debian.org> wrote:
>
[vbcol=seagreen]
> Why is openssl the default?
default? one has to install libcurl3-gnutls-dev or libcurl3-openssl-dev
in order to build something with libcurl, there is no default choice for
the developer. nobody can now hide behind a "i didn't know libcurl3-dev
brings openssl in my pants".
about libcurl3 being linked with openssl instead of gnutls, i'm
not personally biased. i only wanted to stay on the safe side [0].
if libcurl4 comes, i will surely point it to gnutls.
ciao
domenico
[0] http://lists.debian.org/debian-deve...9/msg00079.html
-----[ Domenico Andreoli, aka cavok
--[ http://people.debian.org/~cavok/gpgkey.asc
---[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Domenico Andreoli 2005-09-29, 6:01 pm |
| On Thu, Sep 29, 2005 at 02:31:00PM +0200, Wouter Verhelst wrote:
> On Thu, Sep 29, 2005 at 02:37:35PM +0200, Marco d'Itri wrote:
>
> That's actually not true, GnuTLS has the reverse licensing issues from
> OpenSSL. OpenSSL cannot be linked with GPL-licensed software; GnuTLS,
> OTOH, is licensed under the GPL (as opposed to the LGPL), so cannot be
> linked to applications that do not want to be distributed under the
> terms of the GPL (or applications that have a GPL-incompatible license,
> for that matter).
you are wrong, gnutls is licensed under LGPL. have a read at
http://www.gnu.org/software/gnutls/.
cu
dom
-----[ Domenico Andreoli, aka cavok
--[ http://people.debian.org/~cavok/gpgkey.asc
---[ 3A0F 2F80 F79C 678A 8936 4FEE 0677 9033 A20E BC50
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Ian Campbell 2005-09-29, 6:01 pm |
| On Thu, 2005-09-29 at 14:31 +0200, Wouter Verhelst wrote:
> On Thu, Sep 29, 2005 at 02:37:35PM +0200, Marco d'Itri wrote:
>
[snip]
> GnuTLS, OTOH, is licensed under the GPL (as opposed to the LGPL)
[snip]
Are you sure? http://www.gnu.org/software/gnutls/ says the core library
is LGPL. Maybe just the tools are GPL?
Ian.
--
Ian Campbell
Current Noise: Slayer - Hallowed Point
I respect the institution of marriage. I have always thought that every
woman should marry -- and no man.
-- Benjamin Disraeli, "Lothair"
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Wouter Verhelst 2005-09-29, 6:01 pm |
| On Thu, Sep 29, 2005 at 02:03:26PM +0100, Ian Campbell wrote:
> On Thu, 2005-09-29 at 14:31 +0200, Wouter Verhelst wrote:
> [snip]
> [snip]
>
> Are you sure? http://www.gnu.org/software/gnutls/ says the core library
> is LGPL. Maybe just the tools are GPL?
Oh? I thought it was. Sorry; I'll check my facts next time.
--
The amount of time between slipping on the peel and landing on the
pavement is precisely one bananosecond
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Richard Atterer 2005-09-29, 6:01 pm |
| On Thu, Sep 29, 2005 at 02:37:35PM +0200, Marco d'Itri wrote:
> Why is openssl the default?
> I think everybody agrees that in the long period everybody will want to
> use gnutls,
No, as has been shown by the discussions in the last weeks, there is *no*
agreement on which SSL library should be the default.
Cheers,
Richard
--
__ _
|_) /| Richard Atterer | GnuPG key:
| \/¯| http://atterer.net | 0x888354F7
¯ '` ¯
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Moritz Muehlenhoff 2005-09-29, 6:01 pm |
| In linux.debian.devel, you wrote:
> That's actually not true, GnuTLS has the reverse licensing issues from
> OpenSSL. OpenSSL cannot be linked with GPL-licensed software; GnuTLS,
> OTOH, is licensed under the GPL (as opposed to the LGPL),
Only some extra features not present in OpenSSL (like SRP auth) are
licensed under the GPL, the rest of the code is LGPLed.
Cheers,
Moritz
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Steve Langasek 2005-09-29, 6:01 pm |
| On Thu, Sep 29, 2005 at 03:24:27PM +0200, Wouter Verhelst wrote:
> On Thu, Sep 29, 2005 at 02:03:26PM +0100, Ian Campbell wrote:
[vbcol=seagreen]
[vbcol=seagreen]
[vbcol=seagreen]
[vbcol=seagreen]
> Oh? I thought it was. Sorry; I'll check my facts next time.
The gnutls-extras library (which is the one that provides minimal
API-compatibility with OpenSSL) is GPL; the core library is LGPL.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
| |
| Steve Langasek 2005-09-29, 6:01 pm |
| On Thu, Sep 29, 2005 at 03:27:30PM +0200, Richard Atterer wrote:
> On Thu, Sep 29, 2005 at 02:37:35PM +0200, Marco d'Itri wrote:
[vbcol=seagreen]
> No, as has been shown by the discussions in the last weeks, there is *no*
> agreement on which SSL library should be the default.
There isn't? I saw some arguments that explain why it's not possible to
convert all curl-using applications from OpenSSL to GNUTLS without a
recompile due to unavailable ABI changes, but I thought it was pretty clear
that the default going forward should be the one whose license is maximally
compatible with that of applications using libcurl (i.e., GNUTLS).
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
| |
| Marco d'Itri 2005-09-29, 8:49 pm |
| On Sep 30, Steve Langasek <vorlon@debian.org> wrote:
> There isn't? I saw some arguments that explain why it's not possible to
> convert all curl-using applications from OpenSSL to GNUTLS without a
> recompile due to unavailable ABI changes, but I thought it was pretty clear
> that the default going forward should be the one whose license is maximally
> compatible with that of applications using libcurl (i.e., GNUTLS).
My point too.
--
ciao,
Marco
| |
| Richard Atterer 2005-09-30, 5:57 pm |
| On Thu, Sep 29, 2005 at 03:19:18PM -0700, Steve Langasek wrote:
> On Thu, Sep 29, 2005 at 03:27:30PM +0200, Richard Atterer wrote:
>
>
> There isn't? I saw some arguments that explain why it's not possible to
> convert all curl-using applications from OpenSSL to GNUTLS without a
> recompile due to unavailable ABI changes, but I thought it was pretty clear
> that the default going forward should be the one whose license is maximally
> compatible with that of applications using libcurl (i.e., GNUTLS).
Yes - I should clarify what I said: _In_the_long_run_ the agreed goal was
to move to GnuTLS. However, above Marco asked why the _current_ default
isn't GnuTLS. I'm not so sure whether it should be: Upstream's choice will
remain OpenSSL for the foreseeable future, GnuTLS is allegedly still
slightly more buggy than OpenSSL (does anyone have any details?) and is
lacking some features.
Cheers,
Richard
--
__ _
|_) /| Richard Atterer | GnuPG key:
| \/¯| http://atterer.net | 0x888354F7
¯ '` ¯
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Marco d'Itri 2005-09-30, 8:48 pm |
| On Sep 30, Richard Atterer <richard@2005.atterer.net> wrote:
> remain OpenSSL for the foreseeable future, GnuTLS is allegedly still
> slightly more buggy than OpenSSL (does anyone have any details?) and is
> lacking some features.
If you had taken some time to investigate these claims you would have
discovered that they are either false or totally irrelevant for almost
every application.
--
ciao,
Marco
| |
| Elimar Riesebieter 2005-10-01, 5:54 pm |
| On Thu, 29 Sep 2005 the mental interface of
Steve Langasek told:
[...]
> There isn't? I saw some arguments that explain why it's not possible to
> convert all curl-using applications from OpenSSL to GNUTLS without a
> recompile due to unavailable ABI changes, but I thought it was pretty clear
> that the default going forward should be the one whose license is maximally
> compatible with that of applications using libcurl (i.e., GNUTLS).
libcurl3-gnutls-dev 7.14.1-3 works well ;-) The only challange we
have to solve is:
Which curl deps have to be the default?
IMHO the gnutls one.
Elimar
--
>what IMHO then?
IMHO - Inhalation of a Multi-leafed Herbal Opiate ;)
--posting from alex in debian-user--
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Paul TBBle Hampson 2005-10-01, 5:54 pm |
| On Sat, Oct 01, 2005 at 02:43:32PM +0200, Elimar Riesebieter wrote:
> On Thu, 29 Sep 2005 the mental interface of
> Steve Langasek told:
> [...]
> libcurl3-gnutls-dev 7.14.1-3 works well ;-) The only challange we
> have to solve is:
> Which curl deps have to be the default?
> IMHO the gnutls one.
What do you mean by default?
a) The -dev to use if you don't use the OpenSSL callback, and you're not
GPL, modulo relevant bugs?
I think this was pretty clearly gnuTLS. Is _anyone_ suggesting
OpenSSL for this?
b) The version that should be in libcurl3?
Has to be OpenSSL, to not break Sarge upgrades. And this will be
true for the life of the package, unless we manage to get every
package in Etch to not use it, at which point post-etch can do
whatever. Including removing it in favour of libcurl4. ^_^
--
-----------------------------------------------------------
Paul "TBBle" Hampson, MCSE
8th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson@Anu.edu.au
"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"
License: http://creativecommons.org/licenses/by/2.1/au/
-----------------------------------------------------------
| |
| Elimar Riesebieter 2005-10-01, 5:54 pm |
| On Sun, 02 Oct 2005 the mental interface of
Paul TBBle Hampson told:
> On Sat, Oct 01, 2005 at 02:43:32PM +0200, Elimar Riesebieter wrote:
>
>
> What do you mean by default?
libcurl has to point to gnutls by default!
Elimar
--
We all know Linux is great... it does infinite loops in 5 seconds.
-- Linus Torvalds
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
| |
| Josh Metzler 2005-10-01, 8:48 pm |
| On Saturday 01 October 2005 02:49 pm, Elimar Riesebieter wrote:
> On Sun, 02 Oct 2005 the mental interface of
>
> Paul TBBle Hampson told:
>
> libcurl has to point to gnutls by default!
Look, once the new packages hit unstable, everyone building against libcurl
will need to choose libcurl-openssl-dev or libcurl-gnutls-dev to build
against. If they build against the former, the binary packages will depend
on the openssl libcurl, if the latter, they will depend on the gnutls
libcurl. The openssl libcurl is still called libcurl3 so that packages
that *already built* against the openssl libcurl won't be broken.
For new package builds, there will be no "default" libcurl.
Josh
--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
|
|
|
|
|