+1 We'll never fully know if this is a real deal-breaker for anyone until we try, so I suggest just bumping the requirement in a soonish GnuTLS release, and then wait for people to package it, and only later start to remove the duplicate code that is no longer needed.
/Simon Daiki Ueno <[email protected]> writes: > Hello, > > Provoked by this issue[1], I started thinking about updating the minimum > version of Nettle required by GnuTLS. Currently it's 3.6, while 3.10 > was released 1.5 years ago. By updating it, we can eliminate the > bundled copies of RSA-OAEP, AES-GCM-SIV, and SHAKE implementations, as > well as the CVE-2021-4209 fix. Given Nettle 3.10.2 is ABI compatible > with 3.6, I'm assuming that there is little impact to downstreams. > > Any thoughts? > > Footnotes: > [1] https://gitlab.com/gnutls/gnutls/-/issues/1759
signature.asc
Description: PGP signature
_______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
