1. NSS
2. GNUTLS (with nettle as crypto backend, but nettle never used
directly by applications)
3. OpenSSL
4. libgcrypt
and it might be reasonable to keep this as an "if possible, please prefer"
policy rather than a mandate.

It seems that preferring gnutls over openssl is creating the problems which
I've described. Really, until more packages (a kind of critical mass) have
the possibility to switch to other TLS/crypto libraries, it would IMO be
better to stick with openssl. In the meantime, for example, the possibility
of switching to another one should IMO be kept as a %bcond.

Is there any reason why openssl is below gnutls? I know that openssl has a
bad reputation, but exactly this reputation has meant that in the last 2-3
years more eyes have been looking at openssl than at gnutls, and IMO for
this reason alone using gnutls is more risky.

On the web page with the list of packages moved to use nss is curl.
I found that the dist package binaries are now using nss and openssl.
A quick test with adding parameters to %configure in curl.spec, with a
modification like:
-%configure --disable-static \
+%configure \
+ LDFLAGS="-Wl,--as-needed" \
+ --disable-static \
--enable-symbol-hiding \
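Review bot: the added LDFLAGS="-Wl,--as-needed" argument sets LDFLAGS to that single flag, so any linker flags the build environment already hands to configure would be replaced rather than extended. Suggest appending instead, for example LDFLAGS="$LDFLAGS -Wl,--as-needed", and checking that the rebuilt binary's link-time hardening is unchanged before pushing.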
solves the problem. With the above and without it the ldd output is the
same, but the ELF NEEDED list has far fewer libraries:
[tkloczko@domek .libs]$ objdump -x /usr/bin/curl | grep NEEDED
NEEDED libcurl.so.4
NEEDED libmetalink.so.3
NEEDED libssl3.so
NEEDED libsmime3.so
NEEDED libnss3.so
NEEDED libnssutil3.so
NEEDED libplds4.so
NEEDED libplc4.so
NEEDED libnspr4.so
NEEDED libpthread.so.0
NEEDED libdl.so.2
NEEDED libz.so.1
NEEDED libc.so.6
[tkloczko@domek .libs]$ objdump -x curl | grep NEEDED
NEEDED libcurl.so.4
NEEDED libmetalink.so.3
NEEDED libnss3.so
NEEDED libplds4.so
NEEDED libnspr4.so
NEEDED libpthread.so.0
NEEDED libz.so.1
NEEDED libc.so.6
The result is that in case of any changes around openssl, curl will not be
affected (does not need to be rebuilt).
-Wl,--as-needed removes a few other packages from the rpm dependencies.
Does anyone have anything against pushing the above change to git?
kloczek
--
Tomasz Kłoczko | LinkedIn: http://lnkd.in/FXPWxH
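
An added example, not part of the original message and not curl or Fedora packaging code: it parses `objdump -x` NEEDED lines, lists what a relink with `-Wl,--as-needed` dropped, and reports which TLS/crypto stacks a binary links directly. The soname-to-stack patterns and all function names are assumptions made for this sketch; the soname lists are the two listings from the message.

```python
import re

def as_objdump(sonames):
    """Rebuild `objdump -x | grep NEEDED` style lines from a soname list."""
    return "\n".join(f"  NEEDED               {s}" for s in sonames.split())

# NEEDED entries copied from the two objdump listings in the message above.
BEFORE = as_objdump("libcurl.so.4 libmetalink.so.3 libssl3.so libsmime3.so libnss3.so "
                    "libnssutil3.so libplds4.so libplc4.so libnspr4.so libpthread.so.0 "
                    "libdl.so.2 libz.so.1 libc.so.6")
AFTER = as_objdump("libcurl.so.4 libmetalink.so.3 libnss3.so libplds4.so libnspr4.so "
                   "libpthread.so.0 libz.so.1 libc.so.6")

# Assumed soname patterns per stack; libssl3.so is NSS, libssl.so.N is OpenSSL.
STACKS = {
    "NSS": re.compile(r"^lib(nss3|nssutil3|ssl3|smime3)\.so"),
    "OpenSSL": re.compile(r"^lib(ssl|crypto)\.so(\.|$)"),
    "GnuTLS": re.compile(r"^libgnutls\.so"),
    "libgcrypt": re.compile(r"^libgcrypt\.so"),
}

def needed(objdump_text):
    """Return the DT_NEEDED sonames, in order, from objdump -x/-p output."""
    return re.findall(r"^[ \t]*NEEDED[ \t]+(\S+)[ \t]*$", objdump_text, re.M)

def crypto_stacks(sonames):
    """Map each stack name to the sonames that link it in directly."""
    hits = {name: [so for so in sonames if pat.match(so)]
            for name, pat in STACKS.items()}
    return {name: libs for name, libs in hits.items() if libs}

def dropped(before, after):
    """Sonames recorded before the relink that are absent afterwards."""
    kept = set(after)
    return [so for so in before if so not in kept]

if __name__ == "__main__":
    b, a = needed(BEFORE), needed(AFTER)
    print("dropped by --as-needed:", ", ".join(dropped(b, a)))
    for label, libs in (("before", b), ("after", a)):
        stacks = crypto_stacks(libs)
        print(f"{label}: direct crypto links = {stacks}")
        if len(stacks) > 1:
            print(f"  {label}: more than one TLS/crypto stack linked directly")
```

The same functions can be fed real `objdump -x <binary>` output to audit other packages against the preference list.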