From Fedora Project Wiki
Revision as of 12:29, 6 April 2017

Switch libcurl back to OpenSSL

Summary

libcurl in Fedora currently uses the NSS (Network Security Services) library for TLS and cryptography. After implementing this change, libcurl will use OpenSSL instead of NSS.

Owner

  • Name: Kamil Dudka
  • Email: kdudka@redhat.com
  • Release notes owner: N/A
  • FESCo shepherd: N/A
  • Product: Fedora
  • Responsible WG: kdudka


Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-04-06
  • Tracker bug: <will be assigned by the Wrangler>


Detailed Description

In order to make even smaller Fedora base images, it was proposed to switch libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now deprecated, and libcurl is the only package that pulls NSS as its dependency into the Fedora base image. Hence, by switching libcurl back to OpenSSL, we could create a Fedora base image that contains fewer crypto libraries.


Benefit to Fedora

Smaller base image, fewer crypto libraries inside.


Scope

  • Proposal owners: kdudka
  • Other developers: psabata, ignatenko, sgallagh
  • Release engineering: unaffected
  • Policies and guidelines: unaffected
  • Trademark approval: not needed

Upgrade/compatibility impact

  • Firefox certificate database can no longer be used by (lib)curl-based applications.
  • Existing certificate databases need to be dumped to files to be used by (lib)curl.
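
One way to carry out the dump described in the list above, as an added example that is not part of the proposal or of Fedora's tooling: check which TLS backend curl reports, then export each certificate from an NSS database to a PEM file. The function names and the sample listing are constructed for illustration, and the export step assumes `certutil` from the NSS tools is installed.

```shell
#!/bin/sh
# Added example (hypothetical helper names): move certificates out of an
# NSS database so that an OpenSSL-backed libcurl can read them from files.

# Report the TLS backend named in a `curl -V` banner line.
# With no argument, the banner of the installed curl is used.
curl_tls_backend() {
    banner=${1:-$(curl -V 2>/dev/null | head -n 1)}
    case " $banner " in
        *" NSS/"*)     echo NSS ;;
        *" OpenSSL/"*) echo OpenSSL ;;
        *)             echo unknown; return 1 ;;
    esac
}

# Read a `certutil -L` listing on stdin and print one nickname per line.
# Data rows end in a trust triple such as "CT,C,C"; header rows do not match.
nss_nicknames() {
    sed -n 's/[[:space:]]\{1,\}[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[[:space:]]*$//p'
}

# Export every certificate in an NSS database as PEM files under directory $2.
# $1 is the value certutil expects for -d, e.g. "sql:/path" or "dbm:/path".
# Private keys are not exported; that needs pk12util and the database password.
nss_db_to_pem() {
    db=$1 out=$2
    [ -d "${db#*:}" ] || { echo "no such database directory: $db" >&2; return 2; }
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found" >&2; return 127; }
    mkdir -p "$out" || return 1
    certutil -L -d "$db" | nss_nicknames | while IFS= read -r nick; do
        # Replace characters that are awkward in file names.
        file=$out/$(printf '%s' "$nick" | tr -c 'A-Za-z0-9._-' '_').pem
        certutil -L -d "$db" -n "$nick" -a </dev/null >"$file" || echo "failed: $nick" >&2
    done
}

# Constructed sample of `certutil -L` output, used to show the parsing step.
SAMPLE_LISTING='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
my client cert                                               u,u,u'

# Prints the two nicknames found in the sample listing.
printf '%s\n' "$SAMPLE_LISTING" | nss_nicknames
```

A resulting file can then be passed to curl by path, for example with `--cacert`.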

How To Test

N/A (not a System Wide Change)

User Experience

N/A (not a System Wide Change)

Dependencies

N/A (not a System Wide Change)

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No
  • Blocks product? product

Documentation

N/A (not a System Wide Change)

Release Notes