On Thu, Feb 07, 2008 at 01:01:09PM -0800, Linus Torvalds wrote: > > FWIW, this is not about OpenSSL for SHA1; it is about the underlying > > library used by curl to do SSL (gnutls vs openssl). > > My comment was about claiming "not distributable". That was simply not > true. It's perfectly distributable, it's just Debian that has issues with > OpenSSL (but then they shouldn't link it against curl either, so there > seems to be some _other_ problem there too). And I happen to agree with you, but... > > And the problem is that curl linked against gnutls seems _broken_, so > > Anand has asked if Debian can ship a binary git linked against a curl > > that is linked against openssl (and the answer is probably "no, Debian > > people think that is wrong"). > > Sure. And you can probably fix it by using NO_OPENSSL, which uses the > Mozilla SHA1 library. As I also pointed out. what I was saying before is that NO_OPENSSL _doesn't_ fix the problem, because this has nothing whatsoever to do with the mozilla sha1 library or any decision that git can make. Debian provides two versions of curl, one that uses openssl and one that uses gnutls. The question of which is used depends on which Debian package you happen to have installed. So it is not a git matter at all, but rather a matter of Debian policy about which version of curl is used when building the official binary packages. > In short - I just wanted to make sure that we do not make the insane > Debian policies somehow official git ones. Agreed. There is no fallout from this issue for git; it is purely a Debian build process issue. -Peff - To unsubscribe from this list: send the line "unsubscribe git" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html