[Linux-ha-dev] GnuTLS, OpenSSL and management daemon

Horms horms at verge.net.au
Tue Aug 16 22:44:11 MDT 2005


On Tue, Aug 16, 2005 at 12:36:39PM -0600, Alan Robertson wrote:
> Guochun Shi wrote:
> >
> >At 05:05 PM 8/16/2005 +0800, you wrote:
> >>Hi,
> >>
> >>I am working on the GUI now.
> >great, I remember some ppl were working on GUI, any news from them?
> >
> >
> >>We need a secure connection between the remote GUI client and the 
> >>management daemon.
> >
> >any design document available?
> >
> >>As we know that the most popular OpenSSL has some license issue, refer to 
> >>horms's email, or http://www.gnome.org/~markmc/openssl-and-the-gpl.html
> >>
> >>So we have following choices:
> >>1. add the exception clause as OpenSSL requests.
> >>2. separate the transport layer from the management daemon to avoid linking to 
> >>OpenSSL, and make the transport layer a separate program or daemon.
> >>3. use GnuTLS. Who has experience with GnuTLS? Any comments?
> >>4. IPsec; it needs 2.6 or above, or the kernel must be patched, as far as I know.
> >
> >2 looks good to me. If we don't make the transport layer a library, I 
> >assume it's all ok
> >
> 
> For those complaining about option (2), the license problem is very 
> easily contained, and very easily solved in this code.  If it's linked 
> against any other GPL code (like heartbeat), then it's very difficult to 
> get all the permissions from all the copyright owners.

I am concerned about how this approach addresses the licence problem.
If it is itself a library, then I don't think it solves the problem at all.
And if it is some sort of stand-alone process, limited to communicating
via a socket, then that's not nearly as powerful an API as linking code
in. If we just want something that translates ciphertext into plaintext
from a socket and vice versa, then perhaps just using stunnel is a good
solution.

I am also concerned about the packaging implications of this
(mainly because I spend a non-trivial amount of time doing packaging).
Are we to release separate tarballs, that get packaged separately
under (slightly) different licences? Is it to become a code-sink
for not-quite-GPL code?

Sorry if I sound negative, I definitely want to see a good solution to
this. And I think 2 is reasonable enough. I just want to make sure
we cover all the holes before deciding to go that way.


-- 
Horms
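The stunnel arrangement mentioned above, as an added illustration that is not part of this thread: two stunnel configuration files (shown in one listing, separated by comments) that wrap the management daemon's plaintext socket in TLS with certificate verification in both directions, so neither heartbeat nor the GUI links against a TLS library. Port numbers, hostnames and file paths are assumptions, not values from the thread.

```ini
; ===== file 1: /etc/stunnel/mgmtd-server.conf (on the cluster node) =====
; Assumed: the management daemon listens in plaintext on 127.0.0.1:5560.
; Binding the plaintext leg to loopback keeps it from ever leaving the host.
cert   = /etc/stunnel/mgmtd-server.pem      ; node certificate (placeholder path)
key    = /etc/stunnel/mgmtd-server.key      ; its private key, mode 0600
CAfile = /etc/stunnel/gui-ca.pem            ; CA that issues GUI client certs
verify = 2                                  ; require a client cert signed by CAfile
pid    = /var/run/stunnel-mgmtd.pid

[mgmtd-tls]
accept  = 0.0.0.0:5561                      ; TLS listener the remote GUI reaches
connect = 127.0.0.1:5560                    ; plaintext management daemon

; ===== file 2: /etc/stunnel/gui-client.conf (on the GUI workstation) =====
; The GUI speaks plaintext to localhost:5560; stunnel carries it to the node
; over TLS and presents the workstation's client certificate.
client = yes
cert   = /etc/stunnel/gui-client.pem        ; client certificate (placeholder path)
key    = /etc/stunnel/gui-client.key
CAfile = /etc/stunnel/mgmtd-ca.pem          ; CA that issues node server certs
verify = 2                                  ; reject nodes without a trusted cert
pid    = /var/run/stunnel-gui.pid

[mgmtd-tls]
accept  = 127.0.0.1:5560                    ; local plaintext endpoint for the GUI
connect = node1.example.net:5561            ; the node's TLS listener
```

With `verify = 2` on the node side, the client certificate doubles as the GUI's authentication credential, so the management daemon can stay unaware of TLS entirely.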

