tech-pkg archive


Re: security/gnutls: link against libunbound for DANE support (patch)



ng0 transcribed 1.1K bytes:
> Greg Troxel transcribed 911 bytes:
> > ng0 <ng0%n0.is@localhost> writes:
> > 
> > > In a set of software I work on, we highly prefer GnuTLS built
> > > against libunbound to get DANE functionality. Right now this
> > > pulls in at least unbound (and flex via unbound).
> > > There are plans to eventually not depend on unbound for this
> > > in GnuTLS itself.
> > >
> > > Would we as pkgsrc prefer for this to be opt-in or opt-out?
> > > My patch is opt-in but adds a keyword.
> > 
> > Particularly today (almost freeze), I think it should be opt-in (meaning
> > the option adds it, and the option is not in SUGGESTED, which is what I
> > think you mean).
> > 
> > Whether it's in some broad best interest averaged over everybody is a
> > non-obvious question, and generally I like things like this to land as
> > opt-in first, to allow lower-barrier experience to accumulate a bit.
> 
> Okay, understood.
>  
> > I'm definitely sympathetic to DANE working, even in a Let's Encrypt
> > world.  And trying gnunet has been on my todo list for a really long
> > time.
> 
> Good to read.
> 
> 
> Is the latest patch good to go as it is? I'd like to commit this
> soon.

If 'unbound' is no keyword, I'd use 'dane' because it describes
better what it does. On the other hand unbound is descriptive
because it links against unbound. It might be a little bit
vague because of the other meaning of unbound.
That's the only criticism I see in this.

I am working on fixing the testsuite for GnuTLS; this broke
before the revbump.

