Last week’s announced GnuTLS bug is a serious one, but do you know the ramifications? Many articles painted Linux with a broad brush, claiming Red Hat, Debian, etc were deeply impacted. While it is true that the GnuTLS library is included in all distros (including CentOS and other RHEL flavors), it may not be widely used.

GnuTLS is licensed under LGPL. The alternative OpenSSL library is licensed under a combined BSD(SSLeay) and Apache 1.0 license. Some distros (notably Debian-based) don’t appear to like the licensing complexity that OpenSSL brings, so GnuTLS may be preferred. But many RHEL packages do not seem to be as fearful.

The following command will show all packages that are dependent on GnuTLS. (Which is not to be confused with “yum deplist” for dependencies.)

repoquery --whatrequires --installed --recursive gnutls

For CentOS and others of similar ilk, it is likely that you’ll find that OpenSSL has more dependents than GnuTLS.

PS: a gnutls patch has already been released, so get a jump and install it. Much is made about the need for dependent apps to regression-test, but don’t wait. If all the patch did was correctly fix the goto logic that left a truck-sized hole, I hardly think the fix could be any worse.