Bug 248730 - Review Request: nss_compat_ossl - OpenSSL to NSS porting library
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review
rawhide
All Linux
medium Severity medium
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
Reported: 2007-07-18 09:54 EDT by Rob Crittenden
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-07-24 14:06:08 EDT
tmraz: fedora‑review+
wtogami: fedora‑cvs+


Description Rob Crittenden 2007-07-18 09:54:44 EDT
Spec URL: http://directory.fedoraproject.org/sources/nss_compat_ossl.spec
SRPM URL: http://directory.fedoraproject.org/sources/nss_compat_ossl-0.9.1-1.src.rpm
Description:

nss_compat_ossl is a source-level porting library to help port a program from using OpenSSL for SSL to use the Network Security System (NSS) libraries instead with minimal changes. It provides a limited OpenSSL-compatible API.
Comment 1 Bill Nottingham 2007-07-18 14:54:29 EDT
Tangential question - is it clearly defined what limited portion of the OpenSSL
API it supports, to easily tell if it will or will not work with a particular
client?

Or is it just 'if it builds with it, it works'?
Comment 2 Rob Crittenden 2007-07-18 15:03:48 EDT
A very good question. The biggest problems are CRL management and certificate
validation. 

NSS handles CRLs automatically if they are installed into the security database
being used.

And it does certificate validation a bit differently. I do have some limited
support for using a verify_client callback but it is not quite complete.

A broad overview of what it can do:

    * Creating an SSL server listener and accepting requests
    * Creating an SSL client socket and making requests
    * Ciphers that should be compatible with OpenSSL
    * Client certificate authentication
    * Random numbers
    * Token password prompting/handling

nss_compat_ossl.h has the complete list of the API but that can be a bit
misleading because some of the functions are no-ops.

It doesn't offer:

- Low-level crypto (DES, etc.)
- BIO (a very small portion of that is provided)
Comment 3 Tomas Mraz 2007-07-20 05:18:29 EDT
rpmlint -v nss_compat_ossl-0.9.1-1.src.rpm 
I: nss_compat_ossl checking
W: nss_compat_ossl no-url-tag
- as I suppose that the upstream HTML pages (trac/wiki) are not yet created, please
add the URL: tag to the spec file as soon as they are.

rpmlint -v nss_compat_ossl-0.9.1-1.fc8.x86_64.rpm
I: nss_compat_ossl checking
W: nss_compat_ossl no-url-tag

rpmlint -v nss_compat_ossl-devel-0.9.1-1.fc8.x86_64.rpm
I: nss_compat_ossl-devel checking
W: nss_compat_ossl-devel no-documentation
- this is OK for now, as the docs (LICENSE, README) are in the base package,
later developer docs and user docs should be split and developer docs should be
installed into -devel subpackage
W: nss_compat_ossl-devel no-url-tag

rpmlint -v nss_compat_ossl-debuginfo-0.9.1-1.fc8.x86_64.rpm
I: nss_compat_ossl-debuginfo checking
W: nss_compat_ossl-debuginfo no-url-tag

/usr/lib64/libnss_compat_ossl.la is included in the -devel subpackage, please
remove it.

As you're the upstream maintainer - perhaps the COPYING file with GPL should be
removed as the package is LGPL licensed (in LICENSE file) to prevent confusion?

The file http://directory.fedoraproject.org/sources/nss_compat_ossl-0.9.1.tar.gz
is missing on the server.

The -devel subpackage probably should require the main package of exactly the
same nvr and not >=?
Comment 4 Rob Crittenden 2007-07-20 09:39:24 EDT
Yes, the URL will be added once we get a home.

All other issues addressed. New files uploaded:

Spec URL: http://directory.fedoraproject.org/sources/nss_compat_ossl.spec
SRPM URL: http://directory.fedoraproject.org/sources/nss_compat_ossl-0.9.1-2.src.rpm
Comment 5 Tomas Mraz 2007-07-20 11:38:57 EDT
I forgot this one - the -devel file list is missing the %defattr(-,root,root,-)
declaration.
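
The packaging changes requested in comments 3 and 5, sketched as a spec-file fragment. This is an added example, not the package's actual spec: the Summary and Group text, the make invocation, and the header and .so paths are assumptions; only the library name and the three requested fixes come from the thread.

```spec
%package devel
Summary: Development files for nss_compat_ossl
Group: Development/Libraries
# Exact name-version-release match with the base package, instead of
# a ">=" dependency, so headers and the shared library cannot drift
# apart across updates.
Requires: %{name} = %{version}-%{release}

%description devel
Header and library files for building against nss_compat_ossl.

%install
rm -rf $RPM_BUILD_ROOT
make install DESTDIR=$RPM_BUILD_ROOT
# Drop the libtool archive so it does not end up in -devel.
rm -f $RPM_BUILD_ROOT%{_libdir}/libnss_compat_ossl.la

%files devel
# Explicit ownership and permissions for every file in this list.
%defattr(-,root,root,-)
# Assumed install locations for the header and the development symlink.
%{_includedir}/nss_compat_ossl.h
%{_libdir}/libnss_compat_ossl.so
```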
Comment 7 Tomas Mraz 2007-07-20 17:29:42 EDT
Now everything seems to be OK.

rpmlint -v nss_compat_ossl-0.9.1-3.src.rpm 
I: nss_compat_ossl checking
W: nss_compat_ossl no-url-tag

rpmlint -v nss_compat_ossl-0.9.1-3.fc8.x86_64.rpm
I: nss_compat_ossl checking
W: nss_compat_ossl no-url-tag

rpmlint -v nss_compat_ossl-devel-0.9.1-3.fc8.x86_64.rpm
I: nss_compat_ossl-devel checking
W: nss_compat_ossl-devel no-documentation
W: nss_compat_ossl-devel no-url-tag

rpmlint -v nss_compat_ossl-debuginfo-0.9.1-3.fc8.x86_64.rpm
I: nss_compat_ossl-debuginfo checking
W: nss_compat_ossl-debuginfo no-url-tag

- the rpmlint output is the same as above so the same comments apply

APPROVED
Comment 8 Rob Crittenden 2007-07-20 17:56:32 EDT
New Package CVS Request
=======================
Package Name: nss_compat_ossl
Short Description: OpenSSL to NSS porting library
Owners: rcritten@redhat.com, rrelyea@redhat.com
Branches: FC-6 F-7
InitialCC: 
Comment 9 Rob Crittenden 2007-07-24 14:06:08 EDT
I've only built this on rawhide right now but we have the FC-6 and F-7 branches
available if desired.
