Re: [Pan-users] [gentooers] New pan/ssl problem from gnutls upgrade

[Duncan]

walt posted on Thu, 01 Nov 2012 15:22:39 -0700 as excerpted:

> The 'testing/unstable' version of gentoo upgraded gnutls today
> (finally!) but then I discovered pan could not open a successful
> encrypted session with any of my news servers :(
> 
> By painful trial-and-error I found that the update to gnutls from
> 2.12.20 today didn't break pan, it broke glib-networking instead, which
> is now linked against the new gnutls-3.1.3
> 
> I haven't tested enough yet to know if any other tls-using apps are also
> broken, but breaking pan is more than I can tolerate so I'm downgrading
> gnutls right now :)
> 
> Anyway, gentoo is currently using glib-networking-2.32.3 and I'm
> wondering if that version is too old to work with gnutls-3.x
> 
> Heinrich, are you using glib-networking?  If yes, what version?
> 
> Duncan, have you done the update yet?

I've done the update, yes, but unfortunately don't believe I can be much 
help, as while I'm building pan with gnutls, I'm not actually /using/ 
gnutls for gmane, the only server I have active ATM (I'm more or less 
unemployed ATM as I'm getting some work but not enough to survive on long 
or even medium term, so have time to do news, but no money).

* I actually upgraded to gnutls-3.x quite some time ago, when pan first 
switched from openssl to gnutls (required for license reasons, openssl 
isn't gpl compatible and pan's gplv2) and AFAIK required gnutls-3.x for a 
bit.

* I was running secure pan connections in the early testing, but 
somewhere along the line something broke, and I switched back to unsecure 
connections.

* But, I /have/ been upgrading gnutls regularly since then, and of course 
rebuilding pan-9999 against the new gnutls when I updated pan, until 
gnutls-3.1.2.

* gnutls-3.1.3 originally had build issues.  It was still officially 
masked at the time, so I just modified my package.unmask to < 3.1.3 and 
copied the 3.1.2 ebuild from /var/db/pkg to my overlay, since it was 
removed from-tree when 3.1.3 was introduced.

* But the gnutls-3.1.3 build issues turned out to be parallel-make 
related, and a few days later they were resolved.

* Soon thereafter, the tree issues (boost or glibc or icu, IDR which) 
that had kept gnutls-3.x masked were resolved as well, and the current 
gnutls-3.x, the now working 3.1.3, was officially unmasked.

* I had been tracking some of this thru gentoo-dev list discussions, and 
when I saw 3.1.3 being unmasked, I tried it again.  By this time the 
parallel-make issues had been patched and I could build and install it 
just fine.

* pan (and everything else I run that deps on gnutls) seems fine with it, 
but that's not surprising, because I said, I've been upgrading gnutls 
regularly, so had long ago worked out any problems beyond the latest 
3.1.2 -> 3.1.3 bump, and that problem turned out to be the parallel-make 
problem, which was resolved.

* But, as I said, I've not actually been /running/ pan with secure/gnutls 
connections for some months now, so while I know pan's building fine with 
it, and working fine too, at least with non-secure connections, I really 
can't tell you what secure connections are doing, at all.


So I know there's no build or unsecure runtime issues with it and pan, 
but I don't know about secure-connections, and that seems to be the one 
thing you haven't gotten working, either.


But, I've been meaning to try secure connections again one of these 
days.  Now's as good a time as any, I guess, and the glib-networking clue 
you mentioned could be useful if I run into problems.

Let me get back to you.

-- 
Duncan - List replies preferred.   No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master."  Richard Stallman