>  1. NSS
>  2. GNUTLS (with nettle as crypto backend, but nettle never used
>     directly by applications)
>  3. OpenSSL
>  4. libgcrypt

> and it might be reasonable to keep this as a "if possible, please prefer" policy rather than a mandate.

It seems that preferring gnutls over openssl is creating the problems which I've described. Really, until more packages (a kind of critical mass) have the possibility to switch to other TLS/crypto libraries, it would IMO be better to stick with openssl. In the meantime, for example, the possibility of switching to another one should IMO be kept as a %bcond.
Is there any reason why openssl is below gnutls? I know that openssl has a bad reputation, but exactly this reputation has caused more eyes to be looking at openssl than at gnutls in the last 2-3 years, and IMO by this alone using gnutls is more risky.

curl is on the web page with the list of packages moved to use nss.
I found that the dist package binaries are now using nss and openssl.
A quick test with a modification of the %configure parameters in curl.spec like:

-%configure --disable-static \
+%configure \
+    LDFLAGS="-Wl,--as-needed" \
+    --disable-static \
     --enable-symbol-hiding \
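
Review bot: On the added LDFLAGS="-Wl,--as-needed" line, the variable is set to that single flag, and a VAR=VALUE argument to configure takes precedence over an LDFLAGS value already exported in the build environment. If the distribution's build macros supply linker flags of their own, they would be replaced rather than extended. Consider appending instead, e.g. LDFLAGS="$LDFLAGS -Wl,--as-needed", and adding a short spec comment saying the flag is there to drop unused NEEDED entries.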

solves the problem. With and without the above the ldd output is the same, but the ELF NEEDED list has far fewer libraries:

[tkloczko@domek .libs]$ objdump -x /usr/bin/curl | grep NEEDED
  NEEDED               libcurl.so.4
  NEEDED               libmetalink.so.3
  NEEDED               libssl3.so
  NEEDED               libsmime3.so
  NEEDED               libnss3.so
  NEEDED               libnssutil3.so
  NEEDED               libplds4.so
  NEEDED               libplc4.so
  NEEDED               libnspr4.so
  NEEDED               libpthread.so.0
  NEEDED               libdl.so.2
  NEEDED               libz.so.1
  NEEDED               libc.so.6
[tkloczko@domek .libs]$ objdump -x curl | grep NEEDED
  NEEDED               libcurl.so.4
  NEEDED               libmetalink.so.3
  NEEDED               libnss3.so
  NEEDED               libplds4.so
  NEEDED               libnspr4.so
  NEEDED               libpthread.so.0
  NEEDED               libz.so.1
  NEEDED               libc.so.6

The result is that in case of any changes around openssl, curl will not be affected (it does not need to be rebuilt).
-Wl,--as-needed removes a few other packages from the rpm dependencies.

Does anyone have anything against pushing a change with the above to git?

kloczek
-- 
Tomasz Kłoczko | LinkedIn: http://lnkd.in/FXPWxH
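
An added example, not part of the original message: a small Python check that parses `objdump -x` NEEDED lines, reports which entries a rebuild dropped, and groups the remaining direct dependencies by crypto stack. The soname-to-stack mapping and the `as_objdump` helper are assumptions of this example; the sonames in the sample are the ones shown in the two listings above.

```python
import re

# Assumption of this example: usual upstream sonames for the crypto
# libraries named in the thread (NSS, GnuTLS/nettle, OpenSSL, libgcrypt).
CRYPTO_STACKS = {
    "NSS": ("libnss3.so", "libnssutil3.so", "libssl3.so", "libsmime3.so"),
    "OpenSSL": ("libssl.so", "libcrypto.so"),
    "GnuTLS": ("libgnutls.so",),
    "nettle": ("libnettle.so", "libhogweed.so"),
    "libgcrypt": ("libgcrypt.so",),
}

def needed(objdump_text):
    """Return the DT_NEEDED sonames, in order, from `objdump -x` output."""
    return re.findall(r"^\s*NEEDED\s+(\S+)", objdump_text, re.MULTILINE)

def crypto_stacks(sonames):
    """Map each crypto stack to the sonames that link it in directly."""
    found = {}
    for so in sonames:
        for stack, bases in CRYPTO_STACKS.items():
            # Match "libssl.so" and "libssl.so.10", but not "libssl3.so".
            if any(so == b or so.startswith(b + ".") for b in bases):
                found.setdefault(stack, []).append(so)
    return found

def dropped(before, after):
    """Sonames present in the first NEEDED list but not in the second."""
    return [so for so in before if so not in after]

def as_objdump(sonames):
    """Rebuild objdump-style NEEDED lines from a space-separated list."""
    return "\n".join(f"  NEEDED               {s}" for s in sonames.split())

# Sample input: the two NEEDED lists from the message, re-typed compactly.
DIST = as_objdump("libcurl.so.4 libmetalink.so.3 libssl3.so libsmime3.so "
                  "libnss3.so libnssutil3.so libplds4.so libplc4.so "
                  "libnspr4.so libpthread.so.0 libdl.so.2 libz.so.1 libc.so.6")
AS_NEEDED = as_objdump("libcurl.so.4 libmetalink.so.3 libnss3.so libplds4.so "
                       "libnspr4.so libpthread.so.0 libz.so.1 libc.so.6")

if __name__ == "__main__":
    before, after = needed(DIST), needed(AS_NEEDED)
    print("dropped by --as-needed:", dropped(before, after))
    print("direct crypto deps before:", crypto_stacks(before))
    print("direct crypto deps after: ", crypto_stacks(after))
```

To check a real build, pass the text of `objdump -x <binary>` to `needed()` instead of the embedded sample.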