Re: libgit2 switch from mbedTLS to OpenSSL
On Thu, Jun 30, 2022 at 04:48:43AM -0700, Simon Chopin wrote: > Quoting Heinrich Schuchardt (2022-06-29 12:56:57) > > On 6/29/22 10:33, Simon Chopin wrote: > > > As part of our efforts to support the Rust toolchain in main, we need to > > > have libgit2 in main (dependency of cargo). However, it currently links > > > against mbedTLS for its HTTPS backend rather than OpenSSL, for licensing > > > reasons IIUC. Those reasons would now be invalid with the new OpenSSL > > > 3.0 licensing. > > > I'd like to switch it back to OpenSSL to avoid pulling yet another TLS > > > implementation in main, however I'm a bit fuzzy whether this would > > > constitute a breaking change for the libgit2 package. The libgit2 > > > library does not expose anything from its crypto implem as part of its > > > API, nor does it re-export any of their symbols (assuming I understand > > > the output of readelf -s correctly). > > > Could someone confirm that this does not represent a breaking change? > > Libgit2 is licensed under GPLv2 which is incompatible with the Apache v2 > > license of OpenSSL 3.0 (see > > https://www.gnu.org/licenses/license-list.html.en). > > But a "Linking Exception" is present in the COPYRIGHT file of libgit2. > > Please, recheck if that exception is enough for your use case. > Looking closer at the linking exception, I think we're good since it is > rather broad. In addition, please see https://lists.ubuntu.com/archives/technical-board/2021-October/002587.html where I lay out a different case for why GPLv2 code linking to OpenSSL 3 (and Apache 2.0-licensed code in general) in Ubuntu is acceptable. We are not blocking GPLv2 packages from linking to libssl3 in Ubuntu. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. Ubuntu Developer https://www.debian.org/ slanga...@ubuntu.com vor...@debian.org signature.asc Description: PGP signature -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: libgit2 switch from mbedTLS to OpenSSL
On Wed, 29 Jun 2022 at 20:33, Simon Chopin wrote: > Hi! > > As part of our efforts to support the Rust toolchain in main, we need to > have libgit2 in main (dependency of cargo). However, it currently links > against mbedTLS for its HTTPS backend rather than OpenSSL, for licensing > reasons IIUC. Those reasons would now be invalid with the new OpenSSL > 3.0 licensing. > > I'd like to switch it back to OpenSSL to avoid pulling yet another TLS > implementation in main, however I'm a bit fuzzy whether this would > constitute a breaking change for the libgit2 package. The libgit2 > library does not expose anything from its crypto implem as part of its > API, nor does it re-export any of their symbols (assuming I understand > the output of readelf -s correctly). > > Could someone confirm that this does not represent a breaking change? > I can't see any way that the selection of the backend leaks into the ABI in a quick poke around in libgit2. I presume you've built the .so both ways and looked at the dynamic symbol tables? (actually the symbols file probably helps here!) If the same names are exported then we'd only be in trouble if the arguments to a function have changed somehow and I can't see how that would happen given the libgit2 headers. Cheers, mwh -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: libgit2 switch from mbedTLS to OpenSSL
Quoting Heinrich Schuchardt (2022-06-29 12:56:57) > On 6/29/22 10:33, Simon Chopin wrote: > > Hi! > > > > As part of our efforts to support the Rust toolchain in main, we need to > > have libgit2 in main (dependency of cargo). However, it currently links > > against mbedTLS for its HTTPS backend rather than OpenSSL, for licensing > > reasons IIUC. Those reasons would now be invalid with the new OpenSSL > > 3.0 licensing. > > > > I'd like to switch it back to OpenSSL to avoid pulling yet another TLS > > implementation in main, however I'm a bit fuzzy whether this would > > constitute a breaking change for the libgit2 package. The libgit2 > > library does not expose anything from its crypto implem as part of its > > API, nor does it re-export any of their symbols (assuming I understand > > the output of readelf -s correctly). > > > > Could someone confirm that this does not represent a breaking change? > > Libgit2 is licensed under GPLv2 which is incompatible with the Apache v2 > license of OpenSSL 3.0 (see > https://www.gnu.org/licenses/license-list.html.en). > > But a "Linking Exception" is present in the COPYRIGHT file of libgit2. > Please, recheck if that exception is enough for your use case. Looking closer at the linking exception, I think we're good since it is rather broad. -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
Re: libgit2 switch from mbedTLS to OpenSSL
On 6/29/22 10:33, Simon Chopin wrote: Hi! As part of our efforts to support the Rust toolchain in main, we need to have libgit2 in main (dependency of cargo). However, it currently links against mbedTLS for its HTTPS backend rather than OpenSSL, for licensing reasons IIUC. Those reasons would now be invalid with the new OpenSSL 3.0 licensing. I'd like to switch it back to OpenSSL to avoid pulling yet another TLS implementation in main, however I'm a bit fuzzy whether this would constitute a breaking change for the libgit2 package. The libgit2 library does not expose anything from its crypto implem as part of its API, nor does it re-export any of their symbols (assuming I understand the output of readelf -s correctly). Could someone confirm that this does not represent a breaking change? Cheers, -- Simon Chopin Foundations Team Ubuntu Core Dev simon.cho...@canonical.comscho...@ubuntu.com Libgit2 is licensed under GPLv2 which is incompatible with the Apache v2 license of OpenSSL 3.0 (see https://www.gnu.org/licenses/license-list.html.en). But a "Linking Exception" is present in the COPYRIGHT file of libgit2. Please, recheck if that exception is enough for your use case. Best regards Heinrich -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel
libgit2 switch from mbedTLS to OpenSSL
Hi! As part of our efforts to support the Rust toolchain in main, we need to have libgit2 in main (dependency of cargo). However, it currently links against mbedTLS for its HTTPS backend rather than OpenSSL, for licensing reasons IIUC. Those reasons would now be invalid with the new OpenSSL 3.0 licensing. I'd like to switch it back to OpenSSL to avoid pulling yet another TLS implementation in main, however I'm a bit fuzzy whether this would constitute a breaking change for the libgit2 package. The libgit2 library does not expose anything from its crypto implem as part of its API, nor does it re-export any of their symbols (assuming I understand the output of readelf -s correctly). Could someone confirm that this does not represent a breaking change? Cheers, -- Simon Chopin Foundations Team Ubuntu Core Dev simon.cho...@canonical.comscho...@ubuntu.com -- ubuntu-devel mailing list ubuntu-devel@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel