Bug 336012 - net-misc/vpnc-0.5.3_p449-r1: re-enable openssl support alias do not force gnutls
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High normal
Assignee: Christian Faulhammer (RETIRED)
Reported: 2010-09-04 18:51 UTC by Martin Mokrejš
Modified: 2011-01-04 08:43 UTC



Attachments
vpnc-0.5.3_p449-r1.ebuild.patch (vpnc-0.5.3_p449-r1.ebuild.patch,1.72 KB, patch)
2010-09-04 18:52 UTC, Martin Mokrejš
vpnc-0.5.3_p449-r1.ebuild.patch (vpnc-0.5.3_p449-r1.ebuild.patch,1.75 KB, patch)
2010-09-22 21:34 UTC, Martin Mokrejš

Description Martin Mokrejš 2010-09-04 18:51:47 UTC
I haven't investigated the previous revisions and ebuild of vpnc but now it only requires gnutls and ignores openssl. I wondered why and decided to improve the ebuild giving the user choice to link against openssl and stay away from gnutls.

Here is a patch for the ebuild. Feel free to improve the ewarn and elog messages.

What needs to be done is LICENSE line which should, conditionally, include openssl license "if ! use gnutls".
Comment 1 Martin Mokrejš 2010-09-04 18:52:13 UTC
Created attachment 246027
vpnc-0.5.3_p449-r1.ebuild.patch
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2010-09-05 00:20:22 UTC
The logic of ssl and gnutls is a bit more complex, it should not have an ssl USE flag but have rather a gnutls? for GnuTLS usage and !gnutls? for OpenSSL usage.. but you also should add a bindist USE flag as an alias for gnutls...

You can check net-libs/liboauth where I did something similar.
Comment 3 Martin Mokrejš 2010-09-22 21:34:24 UTC
Created attachment 248393
vpnc-0.5.3_p449-r1.ebuild.patch

Updated patch. Tested USE=gnutls and USE=-gnutls.
Comment 4 Martin Mokrejš 2010-12-29 16:59:12 UTC
Successfully tested against

Cisco Systems, Inc ASA5520 Version 8.3(2) built by builders on Fri 30-Jul-10 17:49

with /etc/vpnc/blah.conf:
IPSec ID me
IPSec gateway 4.3.2.1
IPSec secret bb

Xauth username aa
Xauth password aa

IKE Authmode psk
NAT Traversal Mode cisco-udp

IPSEC target network 1.2.3.4
Debug 2
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-03 15:30:49 UTC
This has been incorporated into the latest snapshot vpnc-0.5.3_p451, although slightly modified. Thank you for your input and sorry for the delay, but I do not use vpnc anymore which lifts the pressure on me. If you are interested in helping maintain this software, please contact me.
Comment 6 Sven 2011-01-03 20:15:52 UTC
What was the motivation for this - why is "stay away from gnutls" a good reason to switch back to openssl?
Comment 7 Martin Mokrejš 2011-01-03 20:27:33 UTC
(In reply to comment #6)
> What was the motivation for this - why is "stay away from gnutls" a good reason
> to switch back to openssl?
> 

I haven't investigated yet the current ebuild in portage but my idea was to provide more flexibility to users so that ebuild would not insist on gnutls. I believe the ebuild gives you more freedom now. Hybrid auth should be working now with either lib but the resulting binaries are bound to different licensing (gnutls vs. openssl). If you are not re-distributing your vpnc binary just pick up either of the two libs you like more. Does it answer your question?
Comment 8 Sven 2011-01-03 20:31:13 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > What was the motivation for this - why is "stay away from gnutls" a good reason
> > to switch back to openssl?
> > 
> 
> I haven't investigated yet the current ebuild in portage but my idea was to
> provide more flexibility to users so that ebuild would not insist on gnutls. I
> believe the ebuild gives you more freedom now. Hybrid auth should be working
> now with either lib but the resulting binaries are bound to different licensing
> (gnutls vs. openssl). If you are not re-distributing your vpnc binary just pick
> up either of the two libs you like more. Does it answer your question?

Yes, the current ebuild gives you more freedom. However: the version _with_ licensing issues is now default.

I wonder, whether that is an issue. I think, it's (maybe unwritten) gentoo policy to prefer the solution with no licensing conflicts. Not sure though.
Comment 9 Martin Mokrejš 2011-01-03 21:14:44 UTC
(In reply to comment #8)

> Yes, the current ebuild gives you more freedom. However: the version _with_
> licensing issues is now default.

I am not an official developer so do not know.

> I wonder, whether that is an issue. I think, it's (maybe unwritten) gentoo
> policy to prefer the solution with no licensing conflicts. Not sure though.

Do not know what Christian will answer, maybe try to ask somebody else meanwhile. Myself have no problem with changing the default. My personal objection was to stick to openssl as I have it everywhere while gnutls I needed to install only because of vpnc. ;)


Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2011-01-04 08:43:15 UTC
(In reply to comment #9)
> (In reply to comment #8)
> > I wonder, whether that is an issue. I think, it's (maybe unwritten) gentoo
> > policy to prefer the solution with no licensing conflicts. Not sure though.
> 
> Do not know what Christian will answer, maybe try to ask somebody else
> meanwhile. Myself have no problem with changing the default. My personal
> objection was to stick to openssl as I have it everywhere while gnutls I needed
> to install only because of vpnc. ;)

I once removed OpenSSL support because GnuTLS is the "more free" solution. So I will change it to default to GnuTLS. Thanks for making me rethink.