[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Do we need to bump the shared library version for 2.4.0?
From: |
Simon Josefsson |
Subject: |
Do we need to bump the shared library version for 2.4.0? |
Date: |
Mon, 26 May 2008 16:31:31 +0200 |
User-agent: |
Gnus/5.110009 (No Gnus v0.9) Emacs/22.2 (gnu/linux) |
In 2.3.x we have moved several symbols from libgnutls-extra to libgnutls
(see complete explanation in the 2.4.0 release notes draft below), but
do we need to bump the shared library version? No symbols have been
removed from any library libgnutls*, except for the symbols that have
been moved. libgnutls-extra links to libgnutls.
I see several solutions here:
1) Increment the shared library version of libgnutls*.
This will cause an unnecessary shared library version break for
libgnutls, which have only had new functions added to it. Given the
problem described in 2) I'm not sure how it could be avoided though.
2) Separate the shared library versions for libgnutls and
libgnutls-extra, and increment only the libgnutls-extra version.
This may be the The Right Thing to do, but it causes a new problem:
an application linking to libgnutls-extra.so.26 (2.2.x) may pull in
libgnutls.so from 2.4.x, which won't work together. Both
libgnutls.so and libgnutls-extra.so would then provide the same
symbols. If the application uses the one from libgnutls.so all is
fine, but it will break of the ones from libgnutls-extra.so is used.
3) Don't increment the shared library version at all.
The justification would be that we haven't removed any symbols, all
symbols in libgnutls-extra are still available via libgnutls and work
the same way. The only thing that would break here is if someone is
dlopen'ing libgnutls-extra.so and calls the openpgp related
functions. Strictly speaking I'm not sure this is a valid approach,
since we HAVE removed symbols from libgnutls-extra.
Thoughts?
I'm leaning towards 1) because of the problem in 2) and 3), however I do
realize this will generate a lot of work for our packagers.
Thanks,
Simon
What's New
==========
Major end-user visible changes compared to the v2.2 branch:
* The certtool --inder and --outder has been replaced by --inraw and --outraw.
This aligns terminology with OpenPGP, which doesn't use DER
encoding. The old parameters will continue to work for some time.
* Certtool now confirm passwords and changes permissions of private key files.
* The default handshake size limit has been increased to 48kb.
It appears as if some valid handshakes are large due to sending many
CA certificates. (The earlier limit was 16kb.)
* LZO compression is now disabled by default.
The main reason is that LZO compression in TLS is not standardized,
but license compatiblity issues with minilzo triggered us to make
this decision now.
* Improvements for cross-compilation to Windows and OpenWRT.
* The look of the GTK-DOC manual has been improved.
Major developer visible changes compared to the v2.2 branch:
* Full OpenPGP support is part of libgnutls, licensed under the LGPL.
* New APIs to access the raw X.509 Subject and Issuer DN's and
elements from the certificate credentials structure, thanks to Joe
Orton.
* Names of constants to affect certificate printing changed.
The constants are used for OpenPGP too, which the names didn't
reflect, so the following change has been made:
Old name New name
GNUTLS_X509_CRT_FULL GNUTLS_CRT_PRINT_FULL
GNUTLS_X509_CRT_ONELINE GNUTLS_CRT_PRINT_ONELINE
GNUTLS_X509_CRT_UNSIGNED_FULL GNUTLS_CRT_PRINT_UNSIGNED_FULL
The old names will be mapped to the new names for some time.
* The function gnutls_openpgp_privkey_get_id has been renamed to
gnutls_openpgp_privkey_get_key_id.
* Replaced all uses of alloca with malloc and free.
* We no longer build with -D_REENTRANT -D_THREAD_SAFE.
We have been unable to find a documented rationale for this
practice.
Of course, many smaller fixes have been made, see the ChangeLog file.
API/ABI changes in GnuTLS 2.4
=============================
All OpenPGP functions have been moved from libgnutls-extra to
libgnutls, and several new functions have been added to support
OpenPGP subkeys (see below). Even though all programs that link to
libgnutls-extra for the OpenPGP symbols also links to libgnutls, we
felt that strictly speaking we have removed some symbols from the
libgnutls-extra library. Removing a function from a shared library
requires you to increment the shared library version. We are thus
increasing the shared library version of GnuTLS. You need to
recompile all your programs linked with GnuTLS to make them work with
this GnuTLS release.
(We considered to bump the shared library version only for
libgnutls-extra, since again strictly speaking we have not removed any
functions from libgnutls, but that may lead to problems when a
libgnutls-extra from 2.2.x pulls in libgnutls from 2.4.x. By
incrementing the version of both libraries, it is guaranteed that they
will only be linked with each other.)
This release adds a small set of new API functions:
gnutls_x509_dn_deinit
gnutls_x509_dn_export
gnutls_x509_dn_import
gnutls_x509_dn_init
Used to handle X.509 Certificate DN's directly.
gnutls_hex2bin
Converts a data buffer to hex. Useful for handling PSK/SRP shared
secrets.
gnutls_certificate_get_x509_cas
gnutls_certificate_get_x509_crls
gnutls_certificate_get_openpgp_keyring
Direct access to credential elements.
gnutls_openpgp_crt_get_auth_subkey
gnutls_openpgp_crt_get_key_id
gnutls_openpgp_crt_get_pk_dsa_raw
gnutls_openpgp_crt_get_pk_rsa_raw
gnutls_openpgp_crt_get_preferred_key_id
gnutls_openpgp_crt_get_revoked_status
gnutls_openpgp_crt_get_subkey_count
gnutls_openpgp_crt_get_subkey_creation_time
gnutls_openpgp_crt_get_subkey_expiration_time
gnutls_openpgp_crt_get_subkey_id
gnutls_openpgp_crt_get_subkey_idx
gnutls_openpgp_crt_get_subkey_pk_algorithm
gnutls_openpgp_crt_get_subkey_pk_dsa_raw
gnutls_openpgp_crt_get_subkey_pk_rsa_raw
gnutls_openpgp_crt_get_subkey_revoked_status
gnutls_openpgp_crt_get_subkey_usage
gnutls_openpgp_crt_print
gnutls_openpgp_crt_set_preferred_key_id
gnutls_openpgp_keyring_get_crt
gnutls_openpgp_keyring_get_crt_count
gnutls_openpgp_privkey_export
gnutls_openpgp_privkey_export_dsa_raw
gnutls_openpgp_privkey_export_rsa_raw
gnutls_openpgp_privkey_export_subkey_dsa_raw
gnutls_openpgp_privkey_export_subkey_rsa_raw
gnutls_openpgp_privkey_get_fingerprint
gnutls_openpgp_privkey_get_key_id
gnutls_openpgp_privkey_get_pk_algorithm
gnutls_openpgp_privkey_get_preferred_key_id
gnutls_openpgp_privkey_get_revoked_status
gnutls_openpgp_privkey_get_subkey_count
gnutls_openpgp_privkey_get_subkey_creation_time
gnutls_openpgp_privkey_get_subkey_expiration_time
gnutls_openpgp_privkey_get_subkey_id
gnutls_openpgp_privkey_get_subkey_idx
gnutls_openpgp_privkey_get_subkey_pk_algorithm
gnutls_openpgp_privkey_get_subkey_revoked_status
gnutls_openpgp_privkey_set_preferred_key_id
New OpenPGP related functions.
The function gnutls_openpgp_crt_get_key_id is the same as the old
from gnutls_openpgp_crt_get_id, see above.
The release also adds a new header file 'gnutls/crypto.h', however it
is currently not used. During the next development branch, it will be
used to provide functions for applications to replace parts of the
default libgcrypt low-level crypto implementation. (For example,
applications could provide its own random-number generator.)
- Do we need to bump the shared library version for 2.4.0?,
Simon Josefsson <=