Bug 333741 (CryptoConsolidation) - Fedora CryptoConsolidation tracking bug
Summary: Fedora CryptoConsolidation tracking bug
Keywords:
Status: CLOSED WONTFIX
Alias: CryptoConsolidation
Product: Fedora
Classification: Fedora
Component: distribution
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 346521 346531 346541 346551 346561 346571 346581 346591 346601 346611 346621 346631 346641 346651 346661 346671 346681 346691 346701 346711 346721 346731 346741 346751 346761 346771 346781 346791 346801 346811 346821 346831 346841 346851 346861 346871 346881 346891 346901 346911 346921 346931 346941 346951 346961 346971 346981 346991 347001 347011 347021 347031 347041 347051 347061 347071 347081 347091 347101 347111 347121 347131 347141 347151 347171 347181 347191 347201 347211 347221 347231 347241 347251 347261 347271 347281 347291 347301 347311 347321 347331 347341 347351 347361 347371 347381 347391 347401 347411 347421 347431 347441 347451 347461 347471 347481 347491 347501 347511 347521 347531 347541 347551 347561 347571 347581 347591 347601 347611 347621 347631 347641 347651 347661 347671 347681 347691 347701 347711 347721 347731 347741 347751 347761 347771 347781 347791 347801 347811 347821 347831 347841 347851 347861 347871 347881 347891 347901 347911 347921 347931 347941 347951 347961 347971 347981 347991 348001 348011 348021 348031 348041 348051 348061 348071 348081 348091 348101 348111 348121 348131 348141 348151 348161 348171 348181 348191 348201 348211 348221 348231 348241 348251 348261 348271 348281 348291 348301 348311 348321 348331 348341 348351 348361 348371 348381 348391 348401 348411 348421 348431 348441 348451 348461 348471 348481 348491 348501 348511 348521 348531 348541 348551 348561 348571 468664 497056 501138
Blocks: 459600
Reported: 2007-10-16 09:06 UTC by Tomas Mraz
Modified: 2017-01-05 15:54 UTC
CC List: 13 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-05 15:54:53 UTC
Type: ---
Embargoed:


Description Tomas Mraz 2007-10-16 09:06:35 UTC
The applications, utilities and libraries using cryptography in the Fedora
distribution should be converted to use only one cryptography library. The NSS
library was chosen for various reasons.

The reasons for such conversion are outlined on this wiki page:
http://fedoraproject.org/wiki/FedoraCryptoConsolidation

More details can be found here:
http://fedoraproject.org/wiki/CryptoConsolidationEval

The (not exhaustive) list of packages using or containing cryptography
algorithms is here:
http://fedoraproject.org/wiki/CryptoConsolidationScorecard

Here you can find instructions on converting applications using SSL from OpenSSL
to NSS:
http://fedoraproject.org/wiki/nss_compat_ossl

Comment 1 Kevin Kofler 2007-10-23 10:58:13 UTC
Your list is missing at least the following OpenSSL users (at least in the qt4 
case, it's dlopened): qt4, qca-tls, qca2.

Comment 2 Kevin Kofler 2007-10-23 11:05:42 UTC
IMHO, nss_compat_ossl needs work to be really usable, right now it's not 
anywhere near a drop-in replacement, it needs several changes repeated in 
dozens of packages. It also means losing functionality (from the 
wiki: "nss_compat_ossl doesn't support SSL compression").

Comment 3 Kevin Kofler 2007-10-23 11:37:16 UTC
Do you think it would be possible to script some of the changes, like the 
qt3to4 script which converts Qt 3 code to Qt 4's libQt3Support?

Also, if you're going after all the apps containing MD5 code, you're missing a 
lot of them. Just look at the apps which had to be fixed not to include an 
inappropriately-licensed implementation, and those are hopefully not the 
majority. ;-) As far as I know, qt, qt4 and strigi all contain custom MD5 
routines, and that's only those I happen to know about.

Comment 4 Tomas Mraz 2007-10-23 11:42:32 UTC
The list is a little bit outdated as it was produced more than half a year ago
and only from the Fedora Core packages before merge. The thing is most of the
blocking bugs are very low priority but we want to eventually (in a few years)
fix all packages.

Also Kevin, can you please file a separate bug report against nss or
nss_compat_ossl and mention there all critical missing things which block porting?


Comment 5 Daniel Veillard 2007-10-23 11:44:57 UTC
Either you develop a full drop-in replacement like we did for FAM with
gamin, meaning that no source change is needed for upstream, or you need
to convince upstream to adopt your new library. I don't see an intermediate
approach where the packager is responsible for major code change to
be a maintainable solution.
Any change to upstream code, be it configure or header or worse code,
means in practice a fork. I don't want to fork the packages I maintain.
Either you have a complete drop-in replacement, which might be doable, but then
you need the balls and workforce to actually *remove* openssl from the distro
and put the replacement in, or you work with the gazillion projects out there
and suggest they add support for your new library.
Sorry, this can't fly in the current form for me.

Daniel


Comment 6 Tomas Mraz 2007-10-23 12:00:26 UTC
For packages which do only SSL the nss_compat_ossl should be the drop-in
replacement. Although there is some work yet to be done so there are really no
source code changes needed.

For applications which use other parts (low level) of OpenSSL the drop-in
replacement is mostly not possible, because the OpenSSL API has several
limitations making it for example not possible to certify it with FIPS-140-2
Level 2.

The bugs filed are basically requests for maintainers to help with the porting
effort and especially help with advocating the change upstream. We of course
understand that maintaining a fork in Fedora only is not feasible.


Comment 7 Steven Dake 2007-10-23 12:07:51 UTC
It is totally inappropriate to expect a fedora package maintainer to fork an
upstream software package to include some unknown crypto software package. 
Upstream makes choices about which crypto software they intend to use and Fedora
does NOT dictate which crypto packages should be used in upstream packages.

If you are coming to me as maintainer of a project attempting to get me to
change a known working crypto solution for some unknown crypto solution, perhaps
fedora bugzilla is the wrong place for this.  You should involve yourself on the
community mailing list for that package.

For the openais package, you can send your proposal to
openais.org

I can say with 100% certainty this is _never_ going to happen for openais.  It
would break protocol compatibility and introduce unwanted dependencies.  openais
doesn't use a library for a reason - perhaps you should query the list on the
topic for that motivation.

Regards
-steve

Comment 8 Tom Lane 2007-10-23 14:13:55 UTC
I am more than slightly tempted to close all my bugs WONTFIX.

When you have something that is a genuine 100% drop-in, wire-protocol-compatible replacement for 
OpenSSL, I might be persuaded to make a one-line change in my specfiles to use that.  Expecting package 
maintainers to deal with a sort-of-compatible replacement is not reasonable.

Comment 9 Bob Relyea 2007-10-23 18:07:54 UTC
Please file deficiencies that you run into with nsscompatossl against that
package.

A direct drop-in isn't possible; some issues are solved by commenting out code
in your application that is already completely handled by NSS (and typically
duplicated by every openSSL application out there).

There are certainly many areas where nsscompatossl can be better (and
potentially help other packagers who run into the same issue; filing bugs will
help us make it better). You can block your bug on the nsscompatossl bug.

I'll create a bug for getting a new gnutls package, which gnutls apps can depend on.

bob

Comment 10 Jon Stanley 2008-03-28 01:46:17 UTC
Adding Tracking keyword

Comment 11 John Poelstra 2008-07-03 23:40:07 UTC
triaged

Comment 12 Elio Maldonado Batiz 2008-08-27 21:06:23 UTC
Another friendly way to track progress is
https://bugzilla.redhat.com/buglist.cgi?quicksearch=NSS+library+for+cryptography
Very few of the bugs have been assigned.

Comment 13 Matt McCutchen 2010-03-23 04:31:25 UTC
No one seems to have worked on any UI consolidation so far.  I think that is an important part of the project and would suggest Mozilla PSM, as I wrote on the wiki page.

Comment 14 Nikos Mavrogiannopoulos 2017-01-05 15:54:53 UTC
This effort is no longer going on. Packagers are encouraged to use the libraries that are preferred from upstream.
