Hello Unit,

> After looking into testssl.sh again, I noticed on the release page[0] it
> states that 2.9.5 won't be supported once 3.0 lands, and encourages
> distributors to pick up 3.0rc5.  I did some packaging work[1] to import
> the new version, refresh patches, and other minor things and it'd be cool
> if you could pull the changes.
>
> This version is specifically interesting as it has support for TLS 1.3.

I really appreciate your work, but version 3.0 of testssl has a licensing
issue that needs to be resolved before packaging it for Debian: upstream
decided to add a clause to their GPL license stating that any public use of
it must mention where they've got the program from. I'm worried as to how
this relates to the DFSG, more specifically:
https://github.com/drwetter/testssl.sh/blob/3b89dc6b0a41299fbf462789998e4c103f4f0210/testssl.sh#L19-L22

I *think* this is ok (didn't think enough about it) but I feel like a
discussion on debian-legal would be better and I don't feel confident
uploading this without it.

Did you notice that as well? What are your thoughts on it?

On a side note, if I remember correctly, testssl suffers from the same
issue as o-saft, another ssl vuln detector, as it needs to have an old
version of openssl to check for legacy stuff, otherwise it won't support
them.

Regards,


-- 
Samuel Henrique <samueloph>
