path: root/gnurl.html.j2
Diffstat (limited to 'gnurl.html.j2')
1 files changed, 188 insertions, 0 deletions
diff --git a/gnurl.html.j2 b/gnurl.html.j2
new file mode 100644
index 00000000..ed73b57e
--- /dev/null
+++ b/gnurl.html.j2
@@ -0,0 +1,188 @@
1{% extends "common/base.j2" %}
2{% block body_content %}
3<div class="container-fluid">
4 <div class="container text-center">
5 <h1>{{ _("gnurl / libgnurl") }}</h1>
6 <p>
7 {% trans %}
8 libgnurl is a fork of libcurl, which is mostly for GNUnet but it might
9 be usable for others, hence we're releasing the code on this website
10 to the general public. Please read the README for instructions, as you
11 must supply the correct options to configure to get a proper build of
12 libgnurl. In addition to the source as a TAR, we also offer the
13 changes we made against libcurl's Git repository to create
14 libgnurl. In the following, I will explain the motiviations behind
15 this fork.
16 {% endtrans %}
17 </p>
18 <h3>{{_("Motivation") }}</h3>
19 <p>
20 {% trans %}
21 cURL supports a bunch of crypto backends. GNUnet requires the use of
22 GnuTLS, but other variants are used by some distributions. Supporting
23 other crypto backends would again expose us to a wider array of
24 security issues, may create licensing issues and most importantly
25 introduce new bugs as some crypto backends are known to introduce
26 subtle runtime issues. While it is possible to have two versions of
27 libcurl installed on the same system, this is error-prone, especially
28 as if we are linked against the wrong version, the bugs that arise
29 might be rather subtle.
30 {% endtrans %}
31 </p>
32 <p>
33 {% trans %}
34 For GNUnet, we also need a particularly modern version of
35 GnuTLS. Thus, it would anyway be necessary to recompile cURL for
36 GNUnet. But what happens if one links cURL against this version of
37 GnuTLS? Well, first one would install GnuTLS by hand in the
38 system. Then, we build cURL. cURL will build against it just fine, but
39 the linker will eventually complain bitterly. The reason is that cURL
40 also links against a bunch of other system libraries (gssapi, ldap,
41 ssh2, rtmp, krb5, sasl2, see discussion on obscure protocols above),
42 which --- as they are part of the distribution --- were linked against
43 an older version of GnuTLS. As a result, the same binary would be
44 linked against two different versions of GnuTLS. That is typically a
45 recipe for disaster. Thus, in order to avoid updating a dozen system
46 libraries (and having two versions of those installed), it is
47 necessary to disable all of those cURL features that GNUnet does not
48 use, and there are many of those. For GNUnet, the more obscure
49 protocols supported by cURL are close to dead code --- mostly
50 harmless, but not useful. However, as some application may use one of
51 those features, distributions are typically forced to enable all of
52 those features, and thus including security issues that might arise
53 from that code.
54 {% endtrans %}
55 </p>
56 <p>
57 {% trans %}
58 So to use a modern version of GnuTLS, a sane approach is to disable
59 all of the "optional" features of cURL that drag in system libraries
60 that link against the older GnuTLS. That works, except that one should
61 then NEVER install that version of libcurl in say /usr or /usr/local,
62 as that may break other parts of the system that might depend on these
63 features that we just disabled. Libtool versioning doesn't help here,
64 as it is not intended to deal with libraries that have optional
65 features. Naturally, installing cURL somewhere else is also
66 problematic, as we now need to be really careful that the linker will
67 link GNUnet against the right version. Note that none of this can
68 really be trivially fixed by the cURL developers.
69 {% endtrans %}
70 </p>
71 <h3>{{_("Rename to fix") }}</h3>
72 <p>
73 {% trans %}
74 At this point, developers that don't want to rebuild an entire
75 distribution from scratch get grumpy. Grumpy developers do silly
76 things, like forking code to fix it. I called the fork gnurl (to be
77 pronounced with a grumpy voice and an emphasis on the R) as it is bits
78 of cURL, a bit more GNUish, for GnuNet, and gnurl can be pronounced to
79 indicate the grumpy origins.
80 {% endtrans %}
81 </p>
82 <p>
83 {% trans %}
84 How does forking fix it? Easy. First, we can get rid of all of the
85 compatibility issues --- if you use libgnurl, you state that you don't
86 need anything but HTTP/HTTPS. Those applications that need more,
87 should stick with the original cURL. Those that do not, can choose to
88 move to something simpler. As the library gets a new name, we do not
89 have to worry about tons of packages breaking as soon as one rebuilds
90 it. So renaming itself and saying that "libgnurl = libcurl with only
91 HTTP/HTTPS support and GnuTLS" fixes 99% of the problems that darkened
92 my mood. Note that this pretty much CANNOT be done without a fork, as
93 renaming is an essential part of the fix. Now, there might be creative
94 solutions to achieve the same thing within the standard cURL build
95 system, but I'm not happy to wait for a decade for Daniel to review
96 the patches. The changes libgnurl makes to curl are miniscule and can
97 easily be applied again and again whenever libcurl makes a new
98 release.
99 {% endtrans %}
100 </p>
101 <h3>{{_("Summary") }}</h3>
102 <p>
103 {% trans %}
104 At this point, developers that don't want to rebuild an entire
105 distribution from scratch get grumpy. Grumpy developers do silly
106 things, like forking code to fix it. I called the fork gnurl (to be
107 pronounced with a grumpy voice and an emphasis on the R) as it is bits
108 of cURL, a bit more GNUish, for GnuNet, and gnurl can be pronounced to
109 indicate the grumpy origins.
110 {% endtrans %}
111 </p>
112 <h3>{{_("Using libgnurl") }}</h3>
113 <p>
114 {% trans %}
115 Projects that use cURL only for HTTP/HTTPS and that would work
116 with GnuTLS should be able to switch to libgnurl by changing
117 "-lcurl" to "-lgnurl". That's it. No changes to the source code
118 should be required. Continue to read the cURL documentation ---
119 as libgnurl strives for bug-for-bug compatibility with the
120 HTTP/HTTPS/GnuTLS subset of cURL. However, we're happy to add
121 new features relating to this core subset and might be easier to
122 convince than the cURL developers.
123 {% endtrans %}
124 </p>
125 <p>
126 {% trans %}
127 libgnurl and gnurl are not intended to be used as a replacement
128 for curl for users. Since no conflicts in filenames should occur
129 you are not expected to remove curl to make use of gnurl and
130 viceversa.
131 {% endtrans %}
132 </p>
133 </div>
136<div class="container adorn_h3_bracket">
137 <div class="row">
138 <div class="col-lg-6">
139 <h3>{{ _("Source Code") }}</h3>
140 <p>
141 {% trans %}
142 You can get the Gnurl Git repository using:
143 git clone https://git.taler.net/gnurl.git/
144 The versions are checked in as signed git tags.
145 {% endtrans %}
146 </p>
147 </div>
148 <div class="col-lg-6">
149 <h3>{{ _("Downloads") }}</h3>
150 <p>
151 {% trans %}
152 Releases are published on <a href="https://ftp.gnu.org/gnu/gnunet/">ftp.gnu.org/gnu/gnunet</a>.
153 gnURL is available from within a variety of distributions and package managers.
154 To some extent officially supported and maintained is gnURL within GNU Guix, the package manager (available as "gnurl"),
155 as well as the collaborative Gentoo ebuild collection (<a href="https://overlays.gentoo.org">overlay</a>)
156 <a href="https://gnunet.org/git/youbroketheinternet-overlay.git/">youbroketheinternet</a>.
157 {% endtrans %}
158 </p>
159 </div>
160 </div>
161 <div class="row">
162 <div class="col-lg-6">
163 <h3>{{ _("Reporting Bugs") }}</h3>
164 <p>
165 {% trans %}
166 You can report bugs on our bug tracker:
167 <a href="https://gnunet.org/bugs/">gnunet.org/bugs</a>. Alternatively
168 you can use our bug mailinglist, but we prefer to track bugs
169 on the bugtracker.
170 {% endtrans %}
171 </p>
172 </div>
173 <div class="col-lg-6">
174 <h3>{{ _("Maintainer and Cryptographic signatures") }}</h3>
175 <p>
176 {% trans %}
177 libgnurl is maintained by Nils Gillmann.
178 Releases are signed
179 with the OpenPG Key <b>A88C8ADD129828D7EAC02E52E22F9BBFEE348588</b>,
180 with the key fingerprint <b>A88C 8ADD 1298 28D7 EAC0 2E52 E22F 9BBF EE34 8588</b>.
181 {% endtrans %}
182 </p>
183 </div>
184 </div>
187</div> <!-- /container -->
188{% endblock body_content %}
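Review bot: The "Summary" section (new-file lines 101-111) is a verbatim copy of the first paragraph under "Rename to fix" (lines 74-79), so it summarizes nothing and creates a duplicate translatable string; replace it with an actual summary or drop the heading. In the same pass: line 41 says "see discussion on obscure protocols above", but no such discussion precedes it in this template, so the reference should be removed or the missing text added. Line 179 reads "OpenPG Key" where "OpenPGP key" is meant, and lines 179-180 print the same 40-hex-digit fingerprint twice (once unspaced, once grouped), so one of them can go or the first should be labelled as the key ID. The clone command on line 143 sits inside running paragraph text; wrapping it in a code element would keep it from being reflowed or altered in translation. The misspellings "motiviations" (line 14), "miniscule" (line 96) and "viceversa" (line 130) all sit inside trans blocks and are worth fixing before the strings reach the translation catalogs.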