[Bug 1943530] Re: link libkrb5 with openssl

Dimitri John Ledkov 1943530 at bugs.launchpad.net
Tue Sep 14 12:18:52 UTC 2021


krb5 (1.13~alpha1+dfsg-1) experimental; urgency=low

  [ Benjamin Kaduk ]
  * New upstream prerelease:
    - Add support for accessing KDCs via an https proxy using the MS-KKDCP
      protocol, using a plugin provided by the new krb5-k5tls package, which
      uses openssl for the TLS implementation.  The openssl-using code is
      confined to a separate, runtime-loadable, plugin module, in a separate
      package, to ameliorate concerns about GPL code that links libkrb5 running
      into issues with the openssl license.  The Kerberos license is both
    GPL and OpenSSL compatible.  There might be an issue if an application
    was GPL licensed and someone used the OpenSSL plugin with that
    application.  Even that is probably fine provided that no one
    distributes a combination that tends to encourage such usage.  There's
    an existing krb5-pkinit plugin that also links to OpenSSL, but at time
    of integration into Debian no GPLed applications in the archive called
    APIs that would cause that plugin to be loaded.

The above concerns are still valid, and given that currently OpenSSL is
neither GPLv2 nor GPLv3 compatible, doing this may not be feasible
immediately.

The licensing choices will have to be re-evaluated again, once OpenSSL
v3 is the default OpenSSL implementation in the archive, which is GPLv3
compatible.

** Tags removed: rls-ii-incoming
** Tags added: rls-ii-wontfix

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1943530

Title:
  link libkrb5 with openssl

Status in krb5 package in Ubuntu:
  New

Bug description:
  In Ubuntu we provide a cryptographic core based on a small set of
  packages that we FIPS certify [0]. Applications and libraries should
  not bundle their own crypto code but should use the cryptographic core
  to benefit from the certification, but also importantly to reduce bugs
  due to small cryptographic libraries that are not studied as much
  as more popular counterparts. This bug is to change libkrb5 to use the
  openssl crypto code instead of bundling its own on the next Ubuntu
  release.

  [0]. https://ubuntu.com/security/fips
