>  1. NSS
>  2. GNUTLS (with nettle as crypto backend, but nettle never used
>           directly by applications)
>  3. OpenSSL
>  4. libgcrypt
>
> and it might be reasonable to keep this as a "if possible, please prefer"
> policy rather than a mandate.

It seems preferring gnutls over openssl is creating the problems which I've
described. Really, until more packages (a kind of critical mass) have the
possibility to switch to other TLS/crypto libraries, IMO it would be better to
stick with openssl. In the meantime, for example, the possibility of switching
to another one should IMO be kept as %bcond.
Is there any reason why openssl is below gnutls? I know that openssl has a bad
reputation, but exactly this reputation has meant that in the last 2-3 years
more eyes have been looking at openssl than at gnutls, and IMO for this reason
alone using gnutls is more risky.

On the web page with the list of packages moved to use nss there is curl.
I found that the dist package binaries are now using nss and openssl.
A quick test with a modification of the %configure parameters in curl.spec
like:

-%configure --disable-static \
+%configure \
+    LDFLAGS="-Wl,--as-needed" \
+    --disable-static \
     --enable-symbol-hiding \
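
Review bot: the added LDFLAGS="-Wl,--as-needed" argument sets LDFLAGS for the configure run to this single flag, so any linker flags the build would otherwise supply (distribution hardening flags, for instance) need to be confirmed as still present on the final link line; consider appending --as-needed to the existing value rather than replacing it. A short comment in the spec saying why the flag is there (dropping unused NEEDED entries) would also help the next maintainer.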

solves the problem. With and without the above the ldd output is the same, but
the ELF NEEDED list has far fewer libraries:

[tkloczko@domek .libs]$ objdump -x /usr/bin/curl | grep NEEDED
  NEEDED               libcurl.so.4
  NEEDED               libmetalink.so.3
  NEEDED               libssl3.so
  NEEDED               libsmime3.so
  NEEDED               libnss3.so
  NEEDED               libnssutil3.so
  NEEDED               libplds4.so
  NEEDED               libplc4.so
  NEEDED               libnspr4.so
  NEEDED               libpthread.so.0
  NEEDED               libdl.so.2
  NEEDED               libz.so.1
  NEEDED               libc.so.6
[tkloczko@domek .libs]$ objdump -x curl | grep NEEDED
  NEEDED               libcurl.so.4
  NEEDED               libmetalink.so.3
  NEEDED               libnss3.so
  NEEDED               libplds4.so
  NEEDED               libnspr4.so
  NEEDED               libpthread.so.0
  NEEDED               libz.so.1
  NEEDED               libc.so.6

The result is that in case of any changes around openssl, curl will not be
affected (it does not need to be rebuilt).
-Wl,--as-needed removes a few other packages from the rpm dependencies.

Does anyone have anything against pushing a change with the above to git?

kloczek
-- 
Tomasz Kłoczko | LinkedIn: http://lnkd.in/FXPWxH
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
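
Added example, not part of the original message: a small script that diffs the direct ELF dependencies (NEEDED entries) of two builds, run here on the two objdump listings quoted in the message. The function names and temporary file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original message): compare the direct ELF
# dependencies (DT_NEEDED entries) of two builds of the same binary.
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Read `objdump -x` output on stdin, print the sorted NEEDED library names.
needed_libs() {
    awk '$1 == "NEEDED" { print $2 }' | sort -u
}

# dropped_needed BEFORE AFTER: files holding objdump output for each build.
# Prints, on one line, the libraries that only BEFORE links directly.
dropped_needed() {
    tmp=$(mktemp -d) || return 1
    needed_libs < "$1" > "$tmp/before"
    needed_libs < "$2" > "$tmp/after"
    comm -23 "$tmp/before" "$tmp/after" | tr '\n' ' ' | sed 's/ $//'
    rm -rf "$tmp"
}

# Sample input: the two NEEDED lists quoted in the message above
# (dist binary first, --as-needed rebuild second).
sample_dropped() {
    dir=$(mktemp -d) || return 1
    printf '  NEEDED               %s\n' libcurl.so.4 libmetalink.so.3 \
        libssl3.so libsmime3.so libnss3.so libnssutil3.so libplds4.so \
        libplc4.so libnspr4.so libpthread.so.0 libdl.so.2 libz.so.1 \
        libc.so.6 > "$dir/dist.txt"
    printf '  NEEDED               %s\n' libcurl.so.4 libmetalink.so.3 \
        libnss3.so libplds4.so libnspr4.so libpthread.so.0 libz.so.1 \
        libc.so.6 > "$dir/as-needed.txt"
    dropped_needed "$dir/dist.txt" "$dir/as-needed.txt"
    rm -rf "$dir"
}

sample_dropped; echo
```

On real binaries, save `objdump -x <binary>` for each build to a file and pass the two files to dropped_needed.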