Bug 248730 - Review Request: nss_compat_ossl - OpenSSL to NSS porting library
Summary: Review Request: nss_compat_ossl - OpenSSL to NSS porting library
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Package Review   
(Show other bugs)
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-07-18 13:54 UTC by Rob Crittenden
Modified: 2007-11-30 22:12 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-07-24 18:06:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
tmraz: fedora-review+
wtogami: fedora-cvs+


Attachments (Terms of Use)

Description Rob Crittenden 2007-07-18 13:54:44 UTC
Spec URL: http://directory.fedoraproject.org/sources/nss_compat_ossl.spec
SRPM URL: http://directory.fedoraproject.org/sources/nss_compat_ossl-0.9.1-1.src.rpm
Description:

nss_compat_ossl is a source-level porting library to help port a program from using OpenSSL for SSL touse the Network Security System (NSS) libraries instead with minimal changes. It provides a limited OpenSSL-compatible API.

Comment 1 Bill Nottingham 2007-07-18 18:54:29 UTC
Tangential question - is it clearly defined what limited portion of the OpenSSL
API it supports, to easily tell if it will or will not work with a particular
client?

Or is it just 'if it builds with it, it works'?

Comment 2 Rob Crittenden 2007-07-18 19:03:48 UTC
A very good question. The biggest problems are CRL management and certificate
validation. 

NSS handles CRLs automatically if they are installed into the security database
being used.

And it does certificate validation a bit differently. I do have some limited
support for using a verify_client callback but it is not quite complete.

A broad overview of what it can do are:

    * Creating an SSL server listener and accepting requests
    * Creating an SSL client socket and making requests
    * Ciphers that should be compatible with OpenSSL
    * Client certificate authentication
    * Random numbers
    * Token password prompting/handlng

nss_compat_ossl.h has the complete list of the API but that can be a bit
misleading because some of the functions are no-ops.

It doesn't offer:

- Low-level crypto (DES,etc)
- BIO (a very small portion of that is provided)


Comment 3 Tomas Mraz 2007-07-20 09:18:29 UTC
rpmlint -v nss_compat_ossl-0.9.1-1.src.rpm 
I: nss_compat_ossl checking
W: nss_compat_ossl no-url-tag
- as I suppose that upstream HTML pages (trac/wiki) is not yet created, please
add URL: tag into spec file as soon as they are.

rpmlint -v nss_compat_ossl-0.9.1-1.fc8.x86_64.rpm
I: nss_compat_ossl checking
W: nss_compat_ossl no-url-tag

rpmlint -v nss_compat_ossl-devel-0.9.1-1.fc8.x86_64.rpm
I: nss_compat_ossl-devel checking
W: nss_compat_ossl-devel no-documentation
- this is OK for now, as the docs (LICENSE, README) are in the base package,
later developer docs and user docs should be split and developer docs should be
installed into -devel subpackage
W: nss_compat_ossl-devel no-url-tag

rpmlint -v nss_compat_ossl-debuginfo-0.9.1-1.fc8.x86_64.rpm
I: nss_compat_ossl-debuginfo checking
W: nss_compat_ossl-debuginfo no-url-tag

/usr/lib64/libnss_compat_ossl.la is included in the -devel subpackage, please
remove it.

As you're upstream maintainer - perhaps the COPYING file with GPL should be
removed as the package is LGPL licensed (in LICENSE file) to prevent confusion?

The file http://directory.fedoraproject.org/sources/nss_compat_ossl-0.9.1.tar.gz
is missing on the server.

The -devel subpackage probably should require the main package of exactly the
same nvr and not >=?


Comment 4 Rob Crittenden 2007-07-20 13:39:24 UTC
Yes, the URL will be added once we get a hom.

All other issues addressed. New files uploaded:

Spec URL: http://directory.fedoraproject.org/sources/nss_compat_ossl.spec
SRPM URL: http://directory.fedoraproject.org/sources/nss_compat_ossl-0.9.1-2.src.rpm

Comment 5 Tomas Mraz 2007-07-20 15:38:57 UTC
I forgot this one - the -devel file list is missing the %defattr(-,root,root,-)
declaration.


Comment 7 Tomas Mraz 2007-07-20 21:29:42 UTC
Now everything seems to be OK.

rpmlint -v nss_compat_ossl-0.9.1-3.src.rpm 
I: nss_compat_ossl checking
W: nss_compat_ossl no-url-tag

rpmlint -v nss_compat_ossl-0.9.1-3.fc8.x86_64.rpm
I: nss_compat_ossl checking
W: nss_compat_ossl no-url-tag

rpmlint -v nss_compat_ossl-devel-0.9.1-3.fc8.x86_64.rpm
I: nss_compat_ossl-devel checking
W: nss_compat_ossl-devel no-documentation
W: nss_compat_ossl-devel no-url-tag

rpmlint -v nss_compat_ossl-debuginfo-0.9.1-3.fc8.x86_64.rpm
I: nss_compat_ossl-debuginfo checking
W: nss_compat_ossl-debuginfo no-url-tag

- the rpmlint output is the same as above so the same comments apply

APPROVED


Comment 8 Rob Crittenden 2007-07-20 21:56:32 UTC
New Package CVS Request
=======================
Package Name: nss_compat_ossl
Short Description: OpenSSL to NSS porting library
Owners: rcritten@redhat.com, rrelyea@redhat.com
Branches: FC-6 F-7
InitialCC: 


Comment 9 Rob Crittenden 2007-07-24 18:06:08 UTC
I've only built this on rawhide right now but we have the FC-6 and F-7 branches
available if desired.


Note You need to log in before you can comment on or make changes to this bug.