libgnutls-openssl and real openssl conflict

Steve Grubb sgrubb at redhat.com
Sat Aug 30 15:10:26 UTC 2008


On Friday 29 August 2008 02:50:20 Daniel P. Berrange wrote:
> The NSS port would be much more compelling if people talked more about
> the benefits of the work to Fedora users.

https://www.redhat.com/archives/fedora-devel-list/2007-August/msg01594.html


> > Is there a concerted effort or SIG around this in Fedora?  I've been
> > seeing a lot of the associated bugs attached to this tracker
> > https://bugzilla.redhat.com/showdependencytree.cgi?id=333741&hide_resolved=1
> > as I triage NEW rawhide bugs.
>
> That bug list doesn't demonstrate much success in the 'port everything
> to NSS' plan.

True. There are 3 - 4 people with other responsibilities working on it as we
can. Doing an actual FIPS-140 validation of RHEL is eating our time at the
minute, but we'll get back into this eventually.


> A handful fixed, 140 bugs being more or less ignored, and 
> another 50 marked CLOSED -> WONTFIX/NOTABUG. And that's not even counting
> the packages that are missing from that list - for example I see that
> libvirt, qemu, kvm, xen, and gtk-vnc are absent from that list, yet all
> are using either OpenSSL, or GNU TLS or both.

We created the list about 1.5 years ago. We haven't had the chance to re-run 
it and file more tracker bugs. 


> That aside though, Fedora package maintainers shouldn't be in the business
> of re-writing large chunks of crypto code in applications, unless they
> themselves are the upstream maintainer of said crypto code too.

These are tracker bugs. If no one wants to help, that is fine. It would be
nice, but not required.


> Even then such work should be done upstream for sake of peer review,

Of course. We still need to track and coordinate the work.


> and not in patches to Fedora RPMs. When you have distro code diverging from
> upstream in any area, the package maintainability will often suffer. In the
> area of crypto though, it is just plain dangerous and very bad things can &
> will happen, even from trivial 1-liner patches as Debian recently found out
> with the unfortunate RNG bugs.

Sure. No one said that we are patching Fedora to be different. That is your 
invalid assumption.


> Fedora's role in this should be one of 'co-ordinator' - generating reports
> to track progress; 

We are - look at the tracker bug.


> identifying high priority apps to be ported; 

https://fedoraproject.org/wiki/CryptoConsolidationScorecard


> advising  

https://fedoraproject.org/wiki/CryptoConsolidationEval


> and communicating with upstream and testing any work they produce 

We are understaffed to knock it all out quickly. We are tackling a piece at a 
time with very little help. The people that work on nss say they are getting 
more traffic asking about using nss, so we are starting to get some upstream 
attention.


> - all  the things Fedora excels at. Filing bugs telling Fedora package
> maintainers to do the development work to port apps is the wrong way to
> address this. 

We have to have a tracker bug. The filing of a bug does not necessarily mean 
that you are hereby commanded to do something. Closing the bugs as "won't 
fix" doesn't really help as we have to go through all those and re-open them 
at some point.

-Steve
