Bug 333741 (CryptoConsolidation)

Summary: Fedora CryptoConsolidation tracking bug
Product: Fedora
Reporter: Tomas Mraz <tmraz>
Component: distribution
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: collura, emaldona, herrold, matt, maurizio.antillon, nmavrogi, pfrields, pvrabec, redhat-bugzilla, redhat, rrelyea, sgrubb, tuju
Keywords: FutureFeature, Tracking
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2017-01-05 10:54:53 EST
Bug Depends On: 346521, 346531, 346541, 346551, 346561, 346571, 346581, 346591, 346601, 346611, 346621, 346631, 346641, 346651, 346661, 346671, 346681, 346691, 346701, 346711, 346721, 346731, 346741, 346751, 346761, 346771, 346781, 346791, 346801, 346811, 346821, 346831, 346841, 346851, 346861, 346871, 346881, 346891, 346901, 346911, 346921, 346931, 346941, 346951, 346961, 346971, 346981, 346991, 347001, 347011, 347021, 347031, 347041, 347051, 347061, 347071, 347081, 347091, 347101, 347111, 347121, 347131, 347141, 347151, 347171, 347181, 347191, 347201, 347211, 347221, 347231, 347241, 347251, 347261, 347271, 347281, 347291, 347301, 347311, 347321, 347331, 347341, 347351, 347361, 347371, 347381, 347391, 347401, 347411, 347421, 347431, 347441, 347451, 347461, 347471, 347481, 347491, 347501, 347511, 347521, 347531, 347541, 347551, 347561, 347571, 347581, 347591, 347601, 347611, 347621, 347631, 347641, 347651, 347661, 347671, 347681, 347691, 347701, 347711, 347721, 347731, 347741, 347751, 347761, 347771, 347781, 347791, 347801, 347811, 347821, 347831, 347841, 347851, 347861, 347871, 347881, 347891, 347901, 347911, 347921, 347931, 347941, 347951, 347961, 347971, 347981, 347991, 348001, 348011, 348021, 348031, 348041, 348051, 348061, 348071, 348081, 348091, 348101, 348111, 348121, 348131, 348141, 348151, 348161, 348171, 348181, 348191, 348201, 348211, 348221, 348231, 348241, 348251, 348261, 348271, 348281, 348291, 348301, 348311, 348321, 348331, 348341, 348351, 348361, 348371, 348381, 348391, 348401, 348411, 348421, 348431, 348441, 348451, 348461, 348471, 348481, 348491, 348501, 348511, 348521, 348531, 348541, 348551, 348561, 348571, 468664, 497056, 501138    
Bug Blocks: 459600    

Description Tomas Mraz 2007-10-16 05:06:35 EDT
The applications, utilities and libraries using cryptography in the Fedora
distribution should be converted to use only one cryptography library. The NSS
library was chosen for various reasons.

The reasons for such conversion are outlined on this wiki page:
http://fedoraproject.org/wiki/FedoraCryptoConsolidation

More details can be found here:
http://fedoraproject.org/wiki/CryptoConsolidationEval

The (not exhaustive) list of packages using or containing cryptography
algorithms is here:
http://fedoraproject.org/wiki/CryptoConsolidationScorecard

Here you can find instructions on converting applications using SSL from OpenSSL
to NSS:
http://fedoraproject.org/wiki/nss_compat_ossl

Comment 1 Kevin Kofler 2007-10-23 06:58:13 EDT
Your list is missing at least the following OpenSSL users (at least in the qt4 
case, it's dlopened): qt4, qca-tls, qca2.

Comment 2 Kevin Kofler 2007-10-23 07:05:42 EDT
IMHO, nss_compat_ossl needs work to be really usable; right now it's not
anywhere near a drop-in replacement, and it needs several changes repeated in
dozens of packages. It also means losing functionality (from the
wiki: "nss_compat_ossl doesn't support SSL compression").

Comment 3 Kevin Kofler 2007-10-23 07:37:16 EDT
Do you think it would be possible to script some of the changes, like the 
qt3to4 script which converts Qt 3 code to Qt 4's libQt3Support?

Also, if you're going after all the apps containing MD5 code, you're missing a 
lot of them. Just look at the apps which had to be fixed not to include an 
inappropriately-licensed implementation, and those are hopefully not the 
majority. ;-) As far as I know, qt, qt4 and strigi all contain custom MD5 
routines, and that's only those I happen to know about.

Comment 4 Tomas Mraz 2007-10-23 07:42:32 EDT
The list is a little bit outdated as it was produced more than half a year ago
and only from the Fedora Core packages before the merge. The thing is most of the
blocking bugs are very low priority, but we want to eventually (in a few years)
fix all packages.

Also Kevin, can you please file a separate bug report against nss or
nss_compat_ossl and mention there all critical missing things which block porting?

Comment 5 Daniel Veillard 2007-10-23 07:44:57 EDT
Either you develop a full drop-in replacement like we did for FAM with
gamin, meaning that no source change is needed for upstream, or you need
to convince upstream to adopt your new library. I don't see an intermediate
approach where the packager is responsible for major code changes to
be a maintainable solution.
Any change to upstream code, be it configure or header or worse code,
means in practice a fork. I don't want to fork the packages I maintain.
Either you have a complete drop-in replacement, which might be doable, but then
you need the balls and workforce to actually *remove* openssl from the distro
and put the replacement in, or you work with the gazillion projects out there
and suggest they add support for your new library.
Sorry, this can't fly in the current form for me.

Daniel

Comment 6 Tomas Mraz 2007-10-23 08:00:26 EDT
For packages which do only SSL the nss_compat_ossl should be the drop-in
replacement. Although there is some work yet to be done so there are really no
source code changes needed.

For applications which use other parts (low level) of OpenSSL the drop-in
replacement is mostly not possible, because the OpenSSL API has several
limitations making it for example not possible to certify it with FIPS-140-2
Level 2.

The bugs filed are basically requests for maintainers to help with the porting
effort and especially to help with advocating the change upstream. We of course
understand that maintaining a fork in Fedora only is not feasible.

Comment 7 Steven Dake 2007-10-23 08:07:51 EDT
It is totally inappropriate to expect a fedora package maintainer to fork an
upstream software package to include some unknown crypto software package. 
Upstream makes choices about which crypto software they intend to use and Fedora
does NOT dictate which crypto packages should be used in upstream packages.

If you are coming to me as maintainer of a project attempting to get me to
change a known working crypto solution for some unknown crypto solution, perhaps
fedora bugzilla is the wrong place for this. You should involve yourself on the
community mailing list for that package.

For the openais package, you can send your proposal to
openais@lists.osdl.org

I can say with 100% certainty this is _never_ going to happen for openais. It
would break protocol compatibility and introduce unwanted dependencies. openais
doesn't use a library for a reason - perhaps you should query the list on the
topic for that motivation.

Regards
-steve

Comment 8 Tom Lane 2007-10-23 10:13:55 EDT
I am more than slightly tempted to close all my bugs WONTFIX.

When you have something that is a genuine 100% drop-in, wire-protocol-compatible replacement for 
OpenSSL, I might be persuaded to make a one-line change in my specfiles to use that.  Expecting package 
maintainers to deal with a sort-of-compatible replacement is not reasonable.

Comment 9 Bob Relyea 2007-10-23 14:07:54 EDT
Please file deficiencies that you run into with nsscompatossl against that
package.

Where a direct drop-in isn't possible, some issues are solved by commenting out code
in your application that is already completely handled by NSS (and typically
duplicated by every openSSL application out there).

There are certainly many areas where nsscompatossl can be better (and
potentially help other packagers that run into the same issue; filing bugs will
help us make it better). You can block your bug on the nsscompatossl bug.

I'll create a bug for getting a new gnutls package, which gnutls apps can depend on.

bob

Comment 10 Jon Stanley 2008-03-27 21:46:17 EDT
Adding Tracking keyword

Comment 11 John Poelstra 2008-07-03 19:40:07 EDT
triaged

Comment 12 Elio Maldonado Batiz 2008-08-27 17:06:23 EDT
Another friendly way to track progress is
https://bugzilla.redhat.com/buglist.cgi?quicksearch=NSS+library+for+cryptography
Very few of the bugs have been assigned.

Comment 13 Matt McCutchen 2010-03-23 00:31:25 EDT
No one seems to have worked on any UI consolidation so far.  I think that is an important part of the project and would suggest Mozilla PSM, as I wrote on the wiki page.

Comment 14 Nikos Mavrogiannopoulos 2017-01-05 10:54:53 EST
This effort is no longer going on. Packagers are encouraged to use the libraries that are preferred by upstream.