Package: openconnect
Version: 5.03-1
Severity: normal
Tags: patch

Dear Maintainer,

The openconnect package in Debian builds against both OpenSSL and GnuTLS, and links in both of these libraries. This is two separate TLS stacks that need to be audited for the package to work correctly. It also introduces potential licensing concerns due to the mix of OpenSSL and GPL'ed code (I don't know whether openconnect's LGPL licensing itself conflicts with OpenSSL's licensing, and I don't know what effect this has on GPL'ed downstream dependencies like network-manager).

Both of the above concerns can be avoided by building openconnect solely against GnuTLS, which appears to support all the features needed.

I'm attaching a patch that resolves this for 5.03 (in unstable). The patch for 5.99 (in experimental) is basically identical. I can submit it explicitly as well if that would be useful.

Thanks for maintaining openconnect in Debian!

--dkg

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openconnect depends on:
ii  libc6            2.18-4
ii  libgnutls26      2.12.23-13
ii  liboath0         2.0.2-2
ii  libopenconnect2  5.03-1
ii  libproxy1        0.4.11-4
ii  libssl1.0.0      1.0.2~beta1-1
ii  libxml2          2.9.1+dfsg1-3
ii  vpnc-scripts     0.1~git20120602-2
ii  zlib1g           1:1.2.8.dfsg-1

openconnect recommends no packages.

openconnect suggests no packages.

-- debconf-show failed
>From dd9690636fe3e6dffdcf01ad0a2df062403b91d8 Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor <d...@fifthhorseman.net> Date: Wed, 26 Mar 2014 17:15:17 -0400 Subject: [PATCH] use GPL-compatible libraries (drop openssl, rely on modern GnuTLS) note that this removes the openconnect_print_err_cb symbol from the libopenconnect shared object. This symbol should probably never have been exported in the first place, since it's declared in openconnect-internal.h (which is not shipped in libopenconnect-dev), and it is only used internally, to pass as a callback to openssl, when openssl is in used. --- debian/changelog | 7 +++++++ debian/control | 5 ++--- debian/libopenconnect2.symbols | 1 - debian/rules | 2 +- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/debian/changelog b/debian/changelog index fc82592..4a0d293 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openconnect (5.03-1.1) unstable; urgency=medium + + * Non-Maintainer Upload + * move to gnutls28, drop openssl entirely. + + -- Daniel Kahn Gillmor <d...@fifthhorseman.net> Wed, 26 Mar 2014 17:14:37 -0400 + openconnect (5.03-1) unstable; urgency=medium * New upstream release. diff --git a/debian/control b/debian/control index 7e5ae20..a4c3611 100644 --- a/debian/control +++ b/debian/control @@ -7,11 +7,10 @@ Build-Depends: debhelper (>= 9), groff, pkg-config, python, - libgnutls-dev (>= 2.12.16), + libgnutls28-dev, liboath-dev, libp11-kit-dev, libproxy-dev, - libssl-dev (>= 0.9.8g-14), libxml2-dev, zlib1g-dev Standards-Version: 3.9.5 @@ -46,7 +45,7 @@ Section: libdevel Architecture: any Multi-Arch: same Depends: ${misc:Depends}, libopenconnect2 (= ${binary:Version}), - libgnutls-dev (>= 2.12.16), + libgnutls28-dev, libp11-kit-dev, libproxy-dev, libxml2-dev, diff --git a/debian/libopenconnect2.symbols b/debian/libopenconnect2.symbols index 08d7d02..b3f1552 100644 --- a/debian/libopenconnect2.symbols +++ b/debian/libopenconnect2.symbols 
@@ -27,7 +27,6 @@ libopenconnect.so.2 libopenconnect2 #MINVER# openconnect_open_https@OPENCONNECT_PRIVATE 4.00 openconnect_parse_url@OPENCONNECT_2.0 4.00 openconnect_passphrase_from_fsid@OPENCONNECT_2.0 4.00 - openconnect_print_err_cb@OPENCONNECT_PRIVATE 4.00 openconnect_random@OPENCONNECT_PRIVATE 4.00 openconnect_reset_ssl@OPENCONNECT_2.0 4.00 openconnect_set_cafile@OPENCONNECT_2.0 4.00 diff --git a/debian/rules b/debian/rules index 3d3a8d6..be0db7f 100755 --- a/debian/rules +++ b/debian/rules @@ -10,7 +10,7 @@ override_dh_auto_configure: dh_auto_configure -- \ --disable-static \ --with-gnutls \ - --without-openssl-version-check \ + --without-openssl \ --htmldir=/usr/share/doc/openconnect/html \ --with-system-cafile=/etc/ssl/certs/ca-certificates.crt \ --with-vpnc-script=/usr/share/vpnc-scripts/vpnc-script -- 1.9.0
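Review bot: the debian/changelog hunk documents the NMU only as "move to gnutls28, drop openssl entirely" and leaves out the ABI-visible part of the same patch, the removal of openconnect_print_err_cb@OPENCONNECT_PRIVATE from libopenconnect2.symbols. Add a bullet stating that the symbol is dropped and why it is considered safe (private version node, declared only in openconnect-internal.h, which libopenconnect-dev does not ship), and reference this report with a "Closes: #<bug number>" line; at present that justification exists only in the git commit message, which never reaches the package.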
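Review bot: in the debian/control Build-Depends hunk the versioned "libgnutls-dev (>= 2.12.16)" becomes an unversioned "libgnutls28-dev". Since the commit message says the build now relies on "modern GnuTLS" to cover what OpenSSL used to provide, state the minimum the configure check actually needs, e.g. "libgnutls28-dev (>= <required version>)", so a backport or an older chroot cannot satisfy the dependency with a GnuTLS that lacks those features. The same unversioned change is repeated in the libopenconnect-dev Depends hunk and should carry the same bound.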
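Review bot: the libopenconnect2.symbols hunk removes openconnect_print_err_cb@OPENCONNECT_PRIVATE without any SONAME or shlibs change, so any binary that happened to resolve that symbol will fail to load against the rebuilt libopenconnect.so.2. The argument that this is acceptable (OPENCONNECT_PRIVATE version node, internal header only, used solely as an OpenSSL callback) is sound but lives only in the commit message; put it next to the change, in debian/changelog or as a comment, and confirm in the build log that dpkg-gensymbols reports no further disappeared symbols once the OpenSSL code path is compiled out.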
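Review bot: the debian/rules hunk replaces --without-openssl-version-check with --without-openssl, which is the right explicit guard now that libssl-dev has left Build-Depends: without it, configure could still pick up a stray libssl in an unclean build environment and link both stacks again. Back it with a verification step after the build, e.g. objdump -p on the openconnect binary and libopenconnect.so.2 showing no libssl or libcrypto NEEDED entries, or the ${shlibs:Depends} output no longer listing libssl1.0.0 as the current binary in the report's system information does, so a regression is caught at build time.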