> 1. NSS
> 2. GNUTLS (with nettle as crypto backend, but nettle never used
> directly by applications)
> 3. OpenSSL
> 4. libgcrypt
>
> and it might be reasonable to keep this as a "if possible, please prefer" policy rather than a mandate.
It seems that preferring gnutls over openssl is creating the problems which I've described. Really, until more packages (a kind of critical mass) have the possibility to switch to other TLS/crypto libraries, it would IMO be better to stick with openssl. In the meantime, the possibility of switching to another one should IMO be kept as, for example, a %bcond.
Is there any reason why openssl is below gnutls? I know that openssl has a bad reputation, but exactly this reputation has meant that in the last 2-3 years more eyes have been looking at openssl than at gnutls, and IMO for this reason alone using gnutls is more risky.
On the web page with the list of packages moved to use nss there is curl.
I found that the dist package binaries are now using nss and openssl.
A quick test with adding parameters to %configure in curl.spec, a modification like:
-%configure --disable-static \
+%configure \
+ LDFLAGS="-Wl,--as-needed" \
+ --disable-static \
--enable-symbol-hiding \
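Review bot: the added LDFLAGS="-Wl,--as-needed" argument sets LDFLAGS to that single flag on the configure command line, so it replaces rather than extends any linker flags the build environment already hands to %configure. Consider appending instead, for example LDFLAGS="$LDFLAGS -Wl,--as-needed", so that flags already in effect are kept, and add a short spec comment saying why --as-needed is wanted here.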
solves the problem. With the above and without it the ldd output is the same, but the ELF NEEDED list has far fewer libraries:
[tkloczko@domek .libs]$ objdump -x /usr/bin/curl | grep NEEDED
NEEDED libcurl.so.4
NEEDED libmetalink.so.3
NEEDED libssl3.so
NEEDED libsmime3.so
NEEDED libnss3.so
NEEDED libnssutil3.so
NEEDED libplds4.so
NEEDED libplc4.so
NEEDED libnspr4.so
NEEDED libpthread.so.0
NEEDED libdl.so.2
NEEDED libz.so.1
NEEDED libc.so.6
[tkloczko@domek .libs]$ objdump -x curl | grep NEEDED
NEEDED libcurl.so.4
NEEDED libmetalink.so.3
NEEDED libnss3.so
NEEDED libplds4.so
NEEDED libnspr4.so
NEEDED libpthread.so.0
NEEDED libz.so.1
NEEDED libc.so.6
The result is that in case of any changes around openssl, curl will not be affected (it does not need to be rebuilt).
-Wl,--as-needed removes a few other packages from the rpm dependencies.
Does anyone have anything against pushing a change with the above to git?
kloczek
--
Tomasz Kłoczko | LinkedIn: http://lnkd.in/FXPWxH
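
Added example, not part of the original message: a small shell helper that compares the NEEDED entries of two builds and lists the libraries that are no longer linked directly. The function names are hypothetical, and the sample data is the two objdump listings quoted in the message above.

```shell
#!/bin/sh
# Added example: compare DT_NEEDED entries of two builds of the same binary.

# Read `objdump -x` output on stdin, print the NEEDED sonames, sorted.
needed_from_objdump() {
    awk '$1 == "NEEDED" { print $2 }' | LC_ALL=C sort -u
}

# $1 / $2: files holding `objdump -x` output of the old and the new build.
# Prints sonames the old build linked directly and the new one does not.
dropped_needed() {
    tmp_a=$(mktemp) && tmp_b=$(mktemp) || return 1
    needed_from_objdump < "$1" > "$tmp_a"
    needed_from_objdump < "$2" > "$tmp_b"
    LC_ALL=C comm -23 "$tmp_a" "$tmp_b"
    rm -f "$tmp_a" "$tmp_b"
}

# Sample input: the listing for /usr/bin/curl from the message above.
sample_before() {
    for lib in libcurl.so.4 libmetalink.so.3 libssl3.so libsmime3.so \
               libnss3.so libnssutil3.so libplds4.so libplc4.so libnspr4.so \
               libpthread.so.0 libdl.so.2 libz.so.1 libc.so.6; do
        printf '  NEEDED               %s\n' "$lib"
    done
}

# Sample input: the listing for the curl rebuilt with -Wl,--as-needed.
sample_after() {
    for lib in libcurl.so.4 libmetalink.so.3 libnss3.so libplds4.so \
               libnspr4.so libpthread.so.0 libz.so.1 libc.so.6; do
        printf '  NEEDED               %s\n' "$lib"
    done
}

# Demo on the sample listings.
old=$(mktemp); new=$(mktemp)
sample_before > "$old"; sample_after > "$new"
echo "No longer linked directly:"
dropped_needed "$old" "$new"
rm -f "$old" "$new"
```

On real builds, save `objdump -x /usr/bin/curl` and `objdump -x curl` to two files and pass them to `dropped_needed` in that order.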