On Friday 29 August 2008 02:50:20 Daniel P. Berrange wrote:
> The NSS port would be much more compelling if people talked more about
> the benefits of the work to Fedora users.

> > Is there a concerted effort or SIG around this in Fedora?
> > seeing a lot of the associated bugs attached to this tracker
> > d=1 as I triage NEW rawhide bugs.
>
> That bug list doesn't demonstrate much success in the 'port everything
> to NSS' plan.

True. There are 3 - 4 people with other responsibilities working on it as we
can. Doing an actual FIPS-140 validation of RHEL is eating our time at the
minute, but we'll get back into this eventually.

> A handful fixed, 140 bugs being more or less ignored, and
> another 50 marked CLOSED -> WONTFIX/NOTABUG. And that's not even counting
> the packages that are missing from that list - for example I see that
> libvirt, qemu, kvm, xen, and gtk-vnc are absent from that list, yet all
> are using either OpenSSL, or GNU TLS or both.

We created the list about 1.5 years ago. We haven't had the chance to re-run
it and file more tracker bugs.

> That aside though, Fedora package maintainers shouldn't be in the business
> of re-writing large chunks of crypto code in applications, unless they
> themselves are the upstream maintainer of said crypto code too.

These are tracker bugs. If no one wants to help that is fine. It would be
nice, but not required.

> Even then such work should be done upstream for the sake of peer review,

Of course. We still need to track and coordinate the work.

> and not in patches to Fedora RPMs. When you have distro code
> upstream in any area, the package maintainability will often suffer. In the
> area of crypto though, it is just plain dangerous and very bad things can &
> will happen, even from trivial 1-liner patches as Debian recently found out
> with the unfortunate RNG bugs.

Sure. No one said that we are patching Fedora to be different. That is your

> Fedora's role in this should be one of 'co-ordinator' -
> to track progress;

We are - look at the tracker bug.

> identifying high priority apps to be ported;
> and communicating with upstream and testing any work they produce

We are understaffed to knock it all out quickly. We are tackling a piece at a
time with very little help. The people that work on nss say they are getting
more traffic asking about using nss, so we are starting to get some upstream

> - all the things Fedora excels at. Filing bugs telling Fedora
> maintainers to do the development work to port apps is the wrong way to

We have to have a tracker bug. The filing of a bug does not necessarily mean
that you are hereby commanded to do something. Closing the bugs as "won't
fix" doesn't really help as we have to go through all those and re-open them
at some point.