Alexander Traud <pabstr...@compuserve.com> writes:

> Debian is very much OpenSSL. However, I see some packages default to
> GnuTLS or even NSS without providing OpenSSL, although their source
> project supports it.

Historically, use of GnuTLS was mostly because of licensing restrictions, because OpenSSL was incompatible with GPL-licensed code. Now, OpenSSL is compatible with GPL v3 and Debian has (with some controversy) adopted a policy of treating it like a system library even for GPL v2 code, so at least some of the GnuTLS usage has switched to OpenSSL.

> Question(s): Is there a recommendation/guideline/policy that package
> maintainers should prefer a specific crypto library (OpenSSL?) if they
> cannot support all of them? If not, is there an argumentation aid to
> convince package maintainers?

I don't believe there is a policy.

In practice, I believe OpenSSL tends to be more interoperable and better-tested upstream than GnuTLS. There have been long-standing problems with GnuTLS not handling weird corner cases or bugs in other libraries. Some of these do get fixed over time, but that's still my general impression. Also, if a software package was written to use OpenSSL, the OpenSSL compatibility layer in GnuTLS is very limited (I say this as someone who tried to use it for a package for several years) and tends to cause a lot of problems.

NSS probably doesn't have the same interoperability problems. I personally have no opinions about using it. (Didn't Red Hat attempt to standardize on NSS a while back? I feel like that didn't work and they stopped that effort, but some quick searching didn't uncover any support for that belief.)

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>