On 04/06/2017 12:15 PM, Matthew Miller wrote:

> On Thu, Apr 06, 2017 at 05:50:16PM +0200, Miroslav Lichvar wrote:
>>> In order to make even smaller Fedora base images, it was proposed to switch
>>> libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
>>> motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now
>>> deprecated and libcurl is the only package that pulls NSS as its dependency
>>> into the Fedora base image. Hence, by switching libcurl back to OpenSSL, we
>>> could create a Fedora base image that contains fewer crypto libraries inside.
>>
>> I'm just wondering, does this change anything from the security point
>> of view? Has history shown one library to be better than the other,
>> for instance in the number of important issues found in the TLS
>> implementation?
>
> I don't think that's necessarily a great predictor of future results.
> However, going from two different things to just one will _definitely_
> result in fewer future CVEs which impact the base.
>
>> Also, wasn't there an issue with OpenSSL's licensing and the GPL?
>> If there still is, could it affect any of the packages that are now using
>> libcurl?
>
> There is this: https://www.openssl.org/blog/blog/2017/03/22/license/
>
> Also this, which is more immediately relevant:
> https://fedoraproject.org/wiki/Licensing:FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F
>
> tl;dr: "However, we consider that the OpenSSL library is a system library,
> as defined by the GPL, on Fedora and therefore we are allowed to ship GPL
> software that links to the OpenSSL library."
_______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx