libgit2 switch from mbedTLS to OpenSSL

Simon Chopin simon.chopin at
Thu Jun 30 11:48:43 UTC 2022

Quoting Heinrich Schuchardt (2022-06-29 12:56:57)
> On 6/29/22 10:33, Simon Chopin wrote:
> > Hi!
> >
> > As part of our efforts to support the Rust toolchain in main, we need to
> > have libgit2 in main (dependency of cargo). However, it currently links
> > against mbedTLS for its HTTPS backend rather than OpenSSL, for licensing
> > reasons IIUC. Those reasons would now be invalid with the new OpenSSL
> > 3.0 licensing.
> >
> > I'd like to switch it back to OpenSSL to avoid pulling yet another TLS
> > implementation in main, however I'm a bit fuzzy whether this would
> > constitute a breaking change for the libgit2 package. The libgit2
> > library does not expose anything from its crypto implem as part of its
> > API, nor does it re-export any of their symbols (assuming I understand
> > the output of readelf -s correctly).
> >
> > Could someone confirm that this does not represent a breaking change?
> Libgit2 is licensed under GPLv2 which is incompatible with the Apache v2
> license of OpenSSL 3.0 (see
> But a "Linking Exception" is present in the COPYRIGHT file of libgit2.
> Please, recheck if that exception is enough for your use case.

Looking closer at the linking exception, I think we're good since it is
rather broad.

More information about the ubuntu-devel mailing list