Should we settle on one SSL implementation?

Bastien Nocera bnocera at redhat.com
Tue Oct 23 15:05:05 UTC 2007


On Tue, 2007-10-23 at 16:42 +0200, Tomas Mraz wrote:
> On Tue, 2007-10-23 at 15:38 +0100, Daniel P. Berrange wrote:
> > On Tue, Oct 23, 2007 at 02:13:18PM +0000, seth vidal wrote:
> > > 
> > > On Tue, 2007-10-23 at 09:11 -0500, Rex Dieter wrote:
> > > > John Dennis wrote:
> > > > 
> > > > > So why did Peter Vrabec open bugs against a slew of packages a few hours
> > > > > ago all with the summary:
> > > > > 
> > > > > "Port XXX to use NSS library for cryptography"
> > > > > 
> > > > > I haven't seen a consensus this is how package maintainers should be
> > > > > spending their time.
> > > > 
> > > > I'm assuming those bugs are mostly for tracking purposes.
> > > > 
> > > 
> > > and a lot of them are wrong.
> > 
> > Yep, this is just creating yet more bug triage work for maintainers. When entering
> > tickets one could at least check the app in question to see if it actually
> > uses the crypto libraries we're being told to remove. Not useful.
> Not only crypto libraries but built-in code as well. I have checked that
> the packages actually contain the code. I hardly could in reasonable
> time check whether the code is always used and so on. I'd expect some
> help from maintainers in these corner cases.

The problem I have with the bugs is the description. Most of my packages
don't use "security" or encryption libraries. But they will have md5 or
sha1 implementations. Do we really expect libraries with barely any
dependencies to drag in NSS to do md5 or sha1?

Why doesn't the bug mention that it's a sha1 or md5 being used that
would need porting rather than mentioning "security" libraries?

glib will soon get SHA1/MD5 as well[1], which is useful when this
functionality is used in GTK+/GNOME applications. Will glib have to
depend on NSS?

[1]: http://bugzilla.gnome.org/show_bug.cgi?id=443648



