Andrew Haley wrote:
>>> 3) Volume of supported commonly used software - if NSS
has a clear
>>> advantage in terms of support base, then so be it, let's all put our
>>> weight behind it. But my perception is that this is not the case.
>>> Everything I touch upon on a daily basis seems to be linked against
>>> OpenSSL rather than NSS.
>> Well, that's not true for everyone, and certainly not for users of
> I thought it was mentioned on this thread recently that GPG brings it's
> own implementation anyway. Did I misunderstand?
It does, but I was responding to the claim that OpenSSL was being used
for everything you touch on a daily basis. If that was not what you
implied, I apologize.
Well, you could just infer that I don't use GPG on a daily basis. :)
But if most crypto apps are using home-baked
library code, then it doesn't matter which crypto library we move to
because most apps will need to be ported anyway.
As far as I can tell, GPG is rather an exception. Most things don't
bother re-inventing the wheel.
>> But the real question is whether one group of Fedora
>> determinedly going to push NSS and the other OpenSSL. That is not a
>> route to happiness.
> It's not, but losing crypto offload and/or a performance drop-off and
> bloat due to shimming isn't a happy solution, either.
It's a sight more happy than two groups of Fedora developers fighting
over the One True Crypto Library. IMO. :-)
I don't really see either as an option. So the key point seems to be
getting NSS working with the kernel's crypto offload features (whether
it's cryptodev or netlink is irrelevant, as long as it works).
> But purely in terms of standardizing on a single crypto library
> has anyone actually performed an exhaustive analysis on how much
> would need to be changed to go either way? The wiki page that has
> been referenced a few times seems distinctly non-exhaustive. Maybe
> my perception is non-representative here, but as I said, all the
> things I get my hands dirty on a regular basis are linked against
> OpenSSL rather than NSS. The pragmatist in me says that maybe that
> makes OpenSSL a better target to standardize on, but I would like to
> see an exhaustive analysis / empirical evidence showing otherwise.
I think it's a mistake to characterize one set of developers as more
pragmatic than the other. If we end up with a highly-performant
crypto library that some Fedora packages can't be linked against for
legal reasons, that would be -- pragmatically speaking -- a Very Bad
I agree. My concern is that this is looking like glibc vs.
some-other-libc argument all over again, and years later that is still
not resolved (all that come out of that, AFAICT is that dietlibc now
ships as standard); and some things still don't work properly built
against glibc (e.g. util-vserver). I can easily see all this remaining
unresolved come Fedora 25 in 5 years' time. Unless we start outright
banning things that don't conform, that is - and you wouldn't end up
with a usable distro if you outright excluded OpenSSL dependants.