On Mon, 2017-04-10 at 15:31 +0200, Kamil Dudka wrote:
> Anyway, I guess we should move this discussion to some curl- or nss-related
> channel...

The question remains, if it makes sense to switch back to openssl, if the consequence is a loss in completeness of certificate trust checking.

In my opinion, a little bit of space saving shouldn't be a sufficient argument for removing existing security functionality.

In the future, we should work on improving the certificate validation in a way that can benefit all of our crypto libraries. This will certainly require additional code, too.

There were some thoughts to potentially reuse the functionality that Firefox has implemented at the application level, because currently there don't seem to be other implementations in sight. That code is based on top of NSS code.

If that gets done, and if you want SSL/TLS connectivity inside the base image to be as secure as in the rest of Fedora, you might have to eventually add NSS back to it.

Kai