PokerTH orphaned

Hans de Goede hdegoede at redhat.com
Tue Aug 2 09:36:20 UTC 2011


Hi,

On 08/01/2011 09:44 PM, Ryan Rix wrote:
> On Mon 1 August 2011 19:43:37 Tomas Mraz wrote:
>> On Mon, 2011-08-01 at 10:29 -0700, Ryan Rix wrote:
>>> On Mon 1 August 2011 11:46:00 Jussi Lehtola wrote:
>>>> Hi,
>>>>
>>>>
>>>> I've just orphaned PokerTH, since I'm trying to free myself some time
>>>> and I don't use it myself.
>>>>
>>>> PokerTH does not currently build on rawhide, since OpenSSL support has
>>>> been dropped from GnuTLS a week ago (BZ #726697). Getting it to build
>>>> again would then require building against OpenSSL (and asking upstream
>>>> for a GPL license exception), or shipping a private copy of GnuTLS.
>>>
>>> I picked up rawhide through F-14. If I can't get this building, I'll
>>> orphan it again in a week's time.
>>
>> Shipping a private copy of GnuTLS would have to get an exception. I do
>> not think such an exception should/would be granted. I can only recommend
>> you to look at the NSS OpenSSL compatibility support library and
>> patching PokerTH to use it instead of the GnuTLS.
>
> I've talked to a few people about this now, including some folks at PokerTH
> about it, and they're confused as to why this change is happening in GnuTLS at
> all, and your comment in the bug report did not seem to explain it to them;
> could you (or anyone) explain better why OpenSSL support in gnutls is a Bad
> Thing?

Ryan, have you read the initial description of:
https://bugzilla.redhat.com/show_bug.cgi?id=460310

?

The problem is that gnutls's openssl compatibility uses the same symbol names
as openssl itself thus polluting the dynamic linker symbol namespace. So if
an application uses a library which is linked against openssl (for example
ldap libs through pam) and uses gnutls-openssl then the ldap libraries will
end up calling functions inside gnutls-openssl rather than inside openssl,
since the gnutls-openssl symbols are already present in the dynamic linker's
symbol namespace. This then goes boom big time, since the 2 are not ABI compatible.

Since gnutls-openssl is not ABI compatible it should not be using the same
function / variable names.

Tomas has chosen to fix this problem by simply disabling the openssl compat
part of gnutls (which, as the above bug shows, is broken by design). Given that
only 3 apps use this, this seems like a sane choice to me.

The best way forward is probably to ask PokerTH upstream to add the
standard openssl license exception boilerplate to their license; I did
so successfully with gkrellm and switched to simply using the real openssl.

Regards,

Hans
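
Added example, not part of the original message: a check for the symbol clash described above, which compares the symbols that several shared libraries export and reports every name defined by more than one of them. The `nm -D` listings, library file names and addresses are constructed sample input.

```python
from collections import defaultdict

# Constructed `nm -D` output; file names and addresses are illustrative only.
SAMPLE_NM = {
    "libssl.so": """\
0000000000021a40 T SSL_CTX_new
0000000000023b10 T SSL_new
0000000000024c80 T SSL_read
0000000000024e00 T SSL_write
                 U BIO_new
""",
    "libgnutls-openssl.so": """\
0000000000003f20 T SSL_CTX_new
0000000000004150 T SSL_new
0000000000004a30 T SSL_read
0000000000004b90 T SSL_write
                 U gnutls_init
""",
    "libgnutls.so": """\
000000000001c0d0 T gnutls_init@@GNUTLS_1_4
000000000001d440 T gnutls_record_recv@@GNUTLS_1_4
""",
}


def defined_symbols(nm_output):
    """Return the set of global symbols a library defines (exports)."""
    symbols = set()
    for line in nm_output.splitlines():
        fields = line.split()
        if len(fields) != 3:      # undefined symbols have no address column
            continue
        _addr, sym_type, name = fields
        if sym_type.isupper() and sym_type != "U":
            # Drop any @VERSION suffix: conservative, flags versioned names too.
            symbols.add(name.split("@")[0])
    return symbols


def find_collisions(libs):
    """Map each symbol defined by more than one library to those libraries."""
    owners = defaultdict(list)
    for lib, nm_output in libs.items():
        for name in defined_symbols(nm_output):
            owners[name].append(lib)
    return {n: sorted(found) for n, found in owners.items() if len(found) > 1}


if __name__ == "__main__":
    for name, found in sorted(find_collisions(SAMPLE_NM).items()):
        print(f"{name}: defined in {', '.join(found)}")
```

Any name it reports is one the dynamic linker will resolve to whichever library was loaded first, for every caller in the process.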





