On Wed, Apr 05, 2017 at 03:52:22PM +0200, Kamil Dudka wrote:
> In order to make even smaller Fedora base images, it was proposed to switch
> libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which
> motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now
> deprecated and libcurl is the only package that pulls NSS as its dependency
> into the Fedora base image. Hence, by switching libcurl back to OpenSSL, we
> could create a Fedora base image that contains fewer crypto libraries inside.
I'm just wondering, does this change anything from the security point
of view? Has history shown one library to be better than the other,
for instance in the number of important issues found in the TLS
implementation?
Also, wasn't there an issue with OpenSSL's licensing and the GPL?
If it still is, could it affect any of the packages that are now using
libcurl?
--
Miroslav Lichvar