Bug 333741 - (CryptoConsolidation) Fedora CryptoConsolidation tracking bug
Fedora CryptoConsolidation tracking bug
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: distribution (Show other bugs)
rawhide
All Linux
low Severity low
: ---
: ---
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
: FutureFeature, Tracking
Depends On: 346581 346631 346651 346671 346751 346881 346891 346921 346961 347001 347071 347091 347111 347231 347261 347291 347371 347381 347491 347501 347521 347581 347631 347771 347781 347801 347811 347901 347941 347951 348001 348011 348101 348161 348181 348201 348221 348241 348261 348291 348361 348371 348471 348481 348531 346521 346531 346541 346551 346561 346571 346591 346601 346611 346621 346641 346661 346681 346691 346701 346711 346721 346731 346741 346761 346771 346781 346791 346801 346811 346821 346831 346841 346851 346861 346871 346901 346911 346931 346941 346951 346971 346981 346991 347011 347021 347031 347041 347051 347061 347081 347101 347121 347131 347141 347151 347171 347181 347191 347201 347211 347221 347241 347251 347271 347281 347301 347311 347321 347331 347341 347351 347361 347391 347401 347411 347421 347431 347441 347451 347461 347471 347481 347511 347531 347541 347551 347561 347571 347591 347601 347611 347621 347641 347651 347661 347671 347681 347691 347701 347711 347721 347731 347741 347751 347761 347791 347821 347831 347841 347851 347861 347871 347881 347891 347911 347921 347931 347961 347971 347981 347991 348021 348031 348041 348051 348061 348071 348081 348091 348111 348121 348131 348141 348151 348171 348191 348211 348231 348251 348271 348281 348301 348311 348321 348331 348341 348351 348381 348391 348401 348411 348421 348431 348441 348451 348461 348491 348501 348511 348521 348541 348551 348561 348571 468664 497056 501138
Blocks: 459600
  Show dependency treegraph
 
Reported: 2007-10-16 05:06 EDT by Tomas Mraz
Modified: 2014-10-03 05:11 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Tomas Mraz 2007-10-16 05:06:35 EDT
The applications, utilities and libraries using cryptography in Fedora
distribution should be converted to use only one cryptography library. The NSS
library was chosen for various reasons.

The reasons for such conversion are outlined on this wiki page:
http://fedoraproject.org/wiki/FedoraCryptoConsolidation

More details can be found here:
http://fedoraproject.org/wiki/CryptoConsolidationEval

The (not exhaustive) list of packages using or containing cryptography
algorithms is here:
http://fedoraproject.org/wiki/CryptoConsolidationScorecard

Here you can find instructions on converting applications using SSL from OpenSSL
to NSS:
http://fedoraproject.org/wiki/nss_compat_ossl
Comment 1 Kevin Kofler 2007-10-23 06:58:13 EDT
Your list is missing at least the following OpenSSL users (at least in the qt4 
case, it's dlopened): qt4, qca-tls, qca2.
Comment 2 Kevin Kofler 2007-10-23 07:05:42 EDT
IMHO, nss_compat_ossl needs work to be really usable, right now it's not 
anywhere near a drop-in replacement, it needs several changes repeated in 
dozens of packages. It also means losing functionality (from the 
wiki: "nss_compat_ossl doesn't support SSL compression").
Comment 3 Kevin Kofler 2007-10-23 07:37:16 EDT
Do you think it would be possible to script some of the changes, like the 
qt3to4 script which converts Qt 3 code to Qt 4's libQt3Support?

Also, if you're going after all the apps containing MD5 code, you're missing a 
lot of them. Just look at the apps which had to be fixed not to include an 
inappropriately-licensed implementation, and those are hopefully not the 
majority. ;-) As far as I know, qt, qt4 and strigi all contain custom MD5 
routines, and that's only those I happen to know about.
Comment 4 Tomas Mraz 2007-10-23 07:42:32 EDT
The list is a little bit outdated as it was produced more than half a year ago
and only from the Fedora Core packages before merge. The thing is most of the
blocking bugs are very low priority but we want to eventually (in a few years)
fix all packages.

Also Kevin, can you please fill a separate bug report against nss or
nss_compat_ossl and mention there all critical missing things which block porting?
Comment 5 Daniel Veillard 2007-10-23 07:44:57 EDT
Either you develop a full drop in repacement like we did for FAM with
gamin, meaning that no source change is need for upstream, or you need
to convince upstream to adopt your new library. I don't see an intermediate
approach where the packager is responsible for major code change to
be a maintainable solution.
Any change to upstream code, be it configure or header or worse code
means in practice a fork. I don't want to fork the packages I maintain.
Either you have a complete drop in replacement which might be doable, but then
you need the balls and workforce to actually *remove* openssl from the distro
and put the replacement in, or you work with the gazillion project out there
and suggest they add support for your new library.
Sorry I'm sorry this can't fly in the current form for me

Daniel
Comment 6 Tomas Mraz 2007-10-23 08:00:26 EDT
For packages which do only SSL the nss_compat_ossl should be the drop-in
replacement. Although there is some work yet to be done so there are really no
source code changes needed.

For applications which use other parts (low level) of OpenSSL the drop-in
replacement is mostly not possible, because the OpenSSL API has several
limitations making it for example not possible to certify it with FIPS-140-2
Level 2.

The bugs filled are basically requests for maintainers to help with the porting
effort and especially help with advocating the change upstream. We of course
understand that maintaining a fork in Fedora only is not feasible.
Comment 7 Steven Dake 2007-10-23 08:07:51 EDT
It is totally inappropriate to expect a fedora package maintainer to fork an
upstream software package to include some unknown crypto software package. 
Upstream makes choices about which crypto software they intend to use and Fedora
does NOT dictate which crypto packages should be used in upstream packages.

If you are coming to me as maintainer of a project attempting to get me to
change a known working crypto solution for some unknown crypto solution, perhaps
fedora bugzilla is the wrong place for this.  You should involve yourself on the
 community mailing list for that package.

For the openais package, you can send your proposal to
openais@lists.osdl.org

I can say with 100% certainty this is _never_ going to happen for openais.  It
would break protocol compatability and introduce unwanted dependencies.  openais
doesn't use a library for a reason - perhaps you should query the list on the
topic for that motivation.

Regards
-steve
Comment 8 Tom Lane 2007-10-23 10:13:55 EDT
I am more than slightly tempted to close all my bugs WONTFIX.

When you have something that is a genuine 100% drop-in, wire-protocol-compatible replacement for 
OpenSSL, I might be persuaded to make a one-line change in my specfiles to use that.  Expecting package 
maintainers to deal with a sort-of-compatible replacement is not reasonable.
Comment 9 Bob Relyea 2007-10-23 14:07:54 EDT
Please file difficiencies that you run into with nsscompatossl against that
package. 

directly drop-in isn't possible, some issues are solved by commenting out code
in your application that is already completely handled by NSS (and typically
duplicated by every openSSL application out there).

There are certainly many areas where nsscompatossl can be better (and
potentially help other packagers that run into the same issue. Filing bugs will
help us make it better). You can block your bug on the nsscompatossl bug.

I'll create a bug for getting a new gnutls package, which gnutls apps can depend on.

bob

bob
Comment 10 Jon Stanley 2008-03-27 21:46:17 EDT
Adding Tracking keyword
Comment 11 John Poelstra 2008-07-03 19:40:07 EDT
triaged
Comment 12 Elio Maldonado Batiz 2008-08-27 17:06:23 EDT
Another friendly way to track progress is
https://bugzilla.redhat.com/buglist.cgi?quicksearch=NSS+library+for+cryptography
Very few of the bugs have been assigned.
Comment 13 Matt McCutchen 2010-03-23 00:31:25 EDT
No one seems to have worked on any UI consolidation so far.  I think that is an important part of the project and would suggest Mozilla PSM, as I wrote on the wiki page.

Note You need to log in before you can comment on or make changes to this bug.