On 28.9.2016 16:13, Tomasz Kłoczko wrote:
BTW openssl changes.
Is it any official Fedora policy/call to move away from openssl?
I'm asking because I've noticed that some packages seems have been
switched from openssl to gnutls.
Examples of those packages is wget:
* Tue Jul 26 2016 Tomas Hozza <thozza(a)redhat.com
<mailto:thozza@redhat.com>> - 1.18-2
- Switched openssl to gnutls for crypto
Another package example which is is linked with gntls instead with
openssl is lftp.
A the moment in Fedora is possible to use three types of SSL/crypto
libraries: gnutls, openssl and nss.
Short test on my system:
$ for i in nss gnutls openssl-libs; do echo -n "$i "; rpm -e $i 2>&1 |
awk '{print $6}' | grep -v ^$i | sort | uniq | wc -l; done
nss 57
gnutls 33
openssl-libs 110
I do not think we are going to drop any of these three tls/crypto
libraries from Fedora (and RHEL) in foreseeable future. So there is no
point in forcibly switching applications to particular one.
My personal recommendation would be to follow the application's upstream
recommendation.
What we should strive for is to limit the use of crypto to one of these
three libraries and avoid any additional ones with exception of
libgcrypt for gnupg2.
Tomas Mraz