Hi,

On 08/01/2011 09:44 PM, Ryan Rix wrote:
> On Mon 1 August 2011 19:43:37 Tomas Mraz wrote:
>> On Mon, 2011-08-01 at 10:29 -0700, Ryan Rix wrote:
>>> On Mon 1 August 2011 11:46:00 Jussi Lehtola wrote:
>>>> Hi,
>>>>
>>>>
>>>> I've just orphaned PokerTH, since I'm trying to free myself some time
>>>> and I don't use it myself.
>>>>
>>>> PokerTH does not currently build on rawhide, since OpenSSL support has
>>>> been dropped from GnuTLS a week ago (BZ #726697). Getting it to build
>>>> again would then require building against OpenSSL (and asking upstream
>>>> for a GPL license exception), or shipping a private copy of GnuTLS.
>>>
>>> I picked up rawhide through F-14. If I can't get this building, I'll
>>> orphan it again in a week's time.
>>
>> Shipping a private copy of GnuTLS would have to get an exception I do
>> not think such exception should/would be granted. I can only recommend
>> you to look at the NSS OpenSSL compatibility support library and
>> patching PokerTH to use it instead of the GnuTLS.
>
> I've talked to a few people about this now, including some folks at PokerTH
> about it, and they're confused as to why this change is happening in GnuTLS at
> all, and your comment in the bug report did not seem to explain it to them;
> could you (or anyone) explain better why OpenSSL support in gnutls is a Bad
> Thing?

Ryan, have you read the initial description of:
https://bugzilla.redhat.com/show_bug.cgi?id=460310 ?

The problem is that gnutls's openssl compatibility uses the same symbol names as openssl itself, thus polluting the dynamic linker symbol namespace. So if an application uses a library which is linked against openssl (for example ldap libs through pam) and uses gnutls-openssl, then the ldap libraries will end up calling functions inside gnutls-openssl rather than inside openssl, since the gnutls-openssl symbols are already present in the dynamic linker's symbol namespace.

This then goes boom big time, since the 2 are not ABI compatible. Since gnutls-openssl is not ABI compatible it should not be using the same function / variable names.

Tomas has chosen to fix this problem by simply disabling the openssl compat part of gnutls (which as the above bug shows is broken by design) given that only 3 apps use this, this seems like a sane choice to me.

The best way forward is probably to ask PokerTH upstream to add the standard openssl license exception boilerplate to their license, I did so successfully with gkrellm and switched to simply using the real openssl.

Regards,

Hans
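
The symbol-name overlap described in the message above can be checked from `nm -D` listings of the two libraries. The following is an added example, not part of the original thread: the nm listings, addresses and version tag are constructed, and the first-definition-wins lookup is a simplified model of dynamic symbol resolution.

```python
# Added example: find dynamic symbols that two shared libraries both export.
# Samples are constructed in the format of `nm -D <lib>`; addresses,
# symbol lists and the version tag are illustrative only.
NM_LIBSSL = """\
0000000000031a40 T SSL_CTX_new@@EXAMPLE_1.0
0000000000032b10 T SSL_new@@EXAMPLE_1.0
0000000000033c00 T SSL_read@@EXAMPLE_1.0
0000000000035e00 T SSL_get_error@@EXAMPLE_1.0
"""
NM_GNUTLS_OPENSSL = """\
0000000000004a10 T SSL_CTX_new
0000000000004c80 T SSL_new
0000000000005100 T SSL_read
                 U gnutls_init
"""

# nm type letters for defined global or weak symbols.
DEFINED_TYPES = set("TDBRGSWVi")

def exported_symbols(nm_output):
    """Return {name: version} for symbols the library defines and exports."""
    symbols = {}
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) != 3:  # undefined ("U") entries have no address
            continue
        _addr, sym_type, name = fields
        if sym_type in DEFINED_TYPES:
            base, _, version = name.partition("@")
            symbols[base] = version.lstrip("@")
    return symbols

def colliding_symbols(nm_a, nm_b):
    """Names exported by both libraries, i.e. candidates for mis-binding."""
    return sorted(set(exported_symbols(nm_a)) & set(exported_symbols(nm_b)))

def binding_for(name, search_order):
    """Simplified model: the first library in search order that defines
    `name` satisfies every reference to it, whoever the caller is."""
    for lib, nm_output in search_order:
        if name in exported_symbols(nm_output):
            return lib
    return None

if __name__ == "__main__":
    order = [("libgnutls-openssl", NM_GNUTLS_OPENSSL), ("libssl", NM_LIBSSL)]
    for sym in colliding_symbols(NM_LIBSSL, NM_GNUTLS_OPENSSL):
        print(sym, "->", binding_for(sym, order))
```

Any name this reports is one where a library built against one implementation can end up bound to the other; names defined by only one library, such as `SSL_get_error` in the sample, still resolve to it.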