Andrew Haley wrote: >>>> 3) Volume of supported commonly used software - if NSS has a clear >>>> advantage in terms of support base, then so be it, let's all put our >>>> weight behind it. But my perception is that this is not the case. >>>> Everything I touch upon on a daily basis seems to be linked against >>>> OpenSSL rather than NSS. >>> Well, that's not true for everyone, and certainly not for users of >>> GPG. >> I thought it was mentioned on this thread recently that GPG brings it's >> own implementation anyway. Did I misunderstand? > > It does, but I was responding to the claim that OpenSSL was being used > for everything you touch on a daily basis. If that was not what you > implied, I apologize. Well, you could just infer that I don't use GPG on a daily basis. :) > But if most crypto apps are using home-baked > library code, then it doesn't matter which crypto library we move to > because most apps will need to be ported anyway. As far as I can tell, GPG is rather an exception. Most things don't bother re-inventing the wheel. >>> But the real question is whether one group of Fedora developers is >>> determinedly going to push NSS and the other OpenSSL. That is not a >>> route to happiness. >> It's not, but losing crypto offload and/or a performance drop-off and >> bloat due to shimming isn't a happy solution, either. > > It's a sight more happy than two groups of Fedora developers fighting > over the One True Crypto Library. IMO. :-) I don't really see either as an option. So the key point seems to be getting NSS working with the kernel's crypto offload features (whether it's cryptodev or netlink is irrelevant, as long as it works). >> But purely in terms of standardizing on a single crypto library - >> has anyone actually performed an exhaustive analysis on how much >> would need to be changed to go either way? The wiki page that has >> been referenced a few times seems distinctly non-exhaustive. Maybe >> my perception is non-representative here, but as I said, all the >> things I get my hands dirty on a regular basis are linked against >> OpenSSL rather than NSS. The pragmatist in me says that maybe that >> makes OpenSSL a better target to standardize on, but I would like to >> see an exhaustive analysis / empirical evidence showing otherwise. > > I think it's a mistake to characterize one set of developers as more > pragmatic than the other. If we end up with a highly-performant > crypto library that some Fedora packages can't be linked against for > legal reasons, that would be -- pragmatically speaking -- a Very Bad > Thing. I agree. My concern is that this is looking like glibc vs. some-other-libc argument all over again, and years later that is still not resolved (all that come out of that, AFAICT is that dietlibc now ships as standard); and some things still don't work properly built against glibc (e.g. util-vserver). I can easily see all this remaining unresolved come Fedora 25 in 5 years' time. Unless we start outright banning things that don't conform, that is - and you wouldn't end up with a usable distro if you outright excluded OpenSSL dependants. Gordan _______________________________________________ arm mailing list arm@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/arm
