diff options
Diffstat (limited to 'gnurl.html.j2')
| -rw-r--r-- | gnurl.html.j2 | 188 |
1 files changed, 188 insertions, 0 deletions
diff --git a/gnurl.html.j2 b/gnurl.html.j2 new file mode 100644 index 00000000..ed73b57e --- /dev/null +++ b/gnurl.html.j2 @@ -0,0 +1,188 @@ +{% extends "common/base.j2" %} +{% block body_content %} +<div class="container-fluid"> + <div class="container text-center"> + <h1>{{ _("gnurl / libgnurl") }}</h1> + <p> + {% trans %} + libgnurl is a fork of libcurl, which is mostly for GNUnet but it might + be usable for others, hence we're releasing the code on this website + to the general public. Please read the README for instructions, as you + must supply the correct options to configure to get a proper build of + libgnurl. In addition to the source as a TAR, we also offer the + changes we made against libcurl's Git repository to create + libgnurl. In the following, I will explain the motiviations behind + this fork. + {% endtrans %} + </p> + <h3>{{_("Motivation") }}</h3> + <p> + {% trans %} + cURL supports a bunch of crypto backends. GNUnet requires the use of + GnuTLS, but other variants are used by some distributions. Supporting + other crypto backends would again expose us to a wider array of + security issues, may create licensing issues and most importantly + introduce new bugs as some crypto backends are known to introduce + subtle runtime issues. While it is possible to have two versions of + libcurl installed on the same system, this is error-prone, especially + as if we are linked against the wrong version, the bugs that arise + might be rather subtle. + {% endtrans %} + </p> + <p> + {% trans %} + For GNUnet, we also need a particularly modern version of + GnuTLS. Thus, it would anyway be necessary to recompile cURL for + GNUnet. But what happens if one links cURL against this version of + GnuTLS? Well, first one would install GnuTLS by hand in the + system. Then, we build cURL. cURL will build against it just fine, but + the linker will eventually complain bitterly. The reason is that cURL + also links against a bunch of other system libraries (gssapi, ldap, + ssh2, rtmp, krb5, sasl2, see discussion on obscure protocols above), + which --- as they are part of the distribution --- were linked against + an older version of GnuTLS. As a result, the same binary would be + linked against two different versions of GnuTLS. That is typically a + recipe for disaster. Thus, in order to avoid updating a dozen system + libraries (and having two versions of those installed), it is + necessary to disable all of those cURL features that GNUnet does not + use, and there are many of those. For GNUnet, the more obscure + protocols supported by cURL are close to dead code --- mostly + harmless, but not useful. However, as some application may use one of + those features, distributions are typically forced to enable all of + those features, and thus including security issues that might arise + from that code. + {% endtrans %} + </p> + <p> + {% trans %} + So to use a modern version of GnuTLS, a sane approach is to disable + all of the "optional" features of cURL that drag in system libraries + that link against the older GnuTLS. That works, except that one should + then NEVER install that version of libcurl in say /usr or /usr/local, + as that may break other parts of the system that might depend on these + features that we just disabled. Libtool versioning doesn't help here, + as it is not intended to deal with libraries that have optional + features. Naturally, installing cURL somewhere else is also + problematic, as we now need to be really careful that the linker will + link GNUnet against the right version. Note that none of this can + really be trivially fixed by the cURL developers. + {% endtrans %} + </p> + <h3>{{_("Rename to fix") }}</h3> + <p> + {% trans %} + At this point, developers that don't want to rebuild an entire + distribution from scratch get grumpy. Grumpy developers do silly + things, like forking code to fix it. I called the fork gnurl (to be + pronounced with a grumpy voice and an emphasis on the R) as it is bits + of cURL, a bit more GNUish, for GnuNet, and gnurl can be pronounced to + indicate the grumpy origins. + {% endtrans %} + </p> + <p> + {% trans %} + How does forking fix it? Easy. First, we can get rid of all of the + compatibility issues --- if you use libgnurl, you state that you don't + need anything but HTTP/HTTPS. Those applications that need more, + should stick with the original cURL. Those that do not, can choose to + move to something simpler. As the library gets a new name, we do not + have to worry about tons of packages breaking as soon as one rebuilds + it. So renaming itself and saying that "libgnurl = libcurl with only + HTTP/HTTPS support and GnuTLS" fixes 99% of the problems that darkened + my mood. Note that this pretty much CANNOT be done without a fork, as + renaming is an essential part of the fix. Now, there might be creative + solutions to achieve the same thing within the standard cURL build + system, but I'm not happy to wait for a decade for Daniel to review + the patches. The changes libgnurl makes to curl are miniscule and can + easily be applied again and again whenever libcurl makes a new + release. + {% endtrans %} + </p> + <h3>{{_("Summary") }}</h3> + <p> + {% trans %} + At this point, developers that don't want to rebuild an entire + distribution from scratch get grumpy. Grumpy developers do silly + things, like forking code to fix it. I called the fork gnurl (to be + pronounced with a grumpy voice and an emphasis on the R) as it is bits + of cURL, a bit more GNUish, for GnuNet, and gnurl can be pronounced to + indicate the grumpy origins. + {% endtrans %} + </p> + <h3>{{_("Using libgnurl") }}</h3> + <p> + {% trans %} + Projects that use cURL only for HTTP/HTTPS and that would work + with GnuTLS should be able to switch to libgnurl by changing + "-lcurl" to "-lgnurl". That's it. No changes to the source code + should be required. Continue to read the cURL documentation --- + as libgnurl strives for bug-for-bug compatibility with the + HTTP/HTTPS/GnuTLS subset of cURL. However, we're happy to add + new features relating to this core subset and might be easier to + convince than the cURL developers. + {% endtrans %} + </p> + <p> + {% trans %} + libgnurl and gnurl are not intended to be used as a replacement + for curl for users. Since no conflicts in filenames should occur + you are not expected to remove curl to make use of gnurl and + viceversa. + {% endtrans %} + </p> + </div> +</div> + +<div class="container adorn_h3_bracket"> + <div class="row"> + <div class="col-lg-6"> + <h3>{{ _("Source Code") }}</h3> + <p> + {% trans %} + You can get the Gnurl Git repository using: + git clone https://git.taler.net/gnurl.git/ + The versions are checked in as signed git tags. + {% endtrans %} + </p> + </div> + <div class="col-lg-6"> + <h3>{{ _("Downloads") }}</h3> + <p> + {% trans %} + Releases are published on <a href="https://ftp.gnu.org/gnu/gnunet/">ftp.gnu.org/gnu/gnunet</a>. + gnURL is available from within a variety of distributions and package managers. + To some extent officially supported and maintained is gnURL within GNU Guix, the package manager (available as "gnurl"), + as well as the collaborative Gentoo ebuild collection (<a href="https://overlays.gentoo.org">overlay</a>) + <a href="https://gnunet.org/git/youbroketheinternet-overlay.git/">youbroketheinternet</a>. + {% endtrans %} + </p> + </div> + </div> + <div class="row"> + <div class="col-lg-6"> + <h3>{{ _("Reporting Bugs") }}</h3> + <p> + {% trans %} + You can report bugs on our bug tracker: + <a href="https://gnunet.org/bugs/">gnunet.org/bugs</a>. Alternatively + you can use our bug mailinglist, but we prefer to track bugs + on the bugtracker. + {% endtrans %} + </p> + </div> + <div class="col-lg-6"> + <h3>{{ _("Maintainer and Cryptographic signatures") }}</h3> + <p> + {% trans %} + libgnurl is maintained by Nils Gillmann. + Releases are signed + with the OpenPG Key <b>A88C8ADD129828D7EAC02E52E22F9BBFEE348588</b>, + with the key fingerprint <b>A88C 8ADD 1298 28D7 EAC0 2E52 E22F 9BBF EE34 8588</b>. + {% endtrans %} + </p> + </div> + </div> +</div> + +</div> <!-- /container --> +{% endblock body_content %} |