From Fedora Project Wiki
(some fields filled in)
Line 53: Line 53:
  
 
== How To Test ==
 
== How To Test ==
<!-- This does not need to be a full-fledged document. Describe the dimensions of tests that this change implementation is expected to pass when it is done.  If it needs to be tested with different hardware or software configurations, indicate themThe more specific you can be, the better the community testing can be.
+
All direct and indirect dependencies of libcurl (including 3rd party SW) should be tested.  No special HW is needed, assuming that OpenSSL itself is tested.
 
 
Remember that you are writing this how to for interested testers to use to check out your change implementation - documenting what you do for testing is OK, but it's much better to document what *I* can do to test your change.
 
 
 
A good "how to test" should answer these four questions:
 
 
 
0. What special hardware / data / etc. is needed (if any)?
 
1. How do I prepare my system to test this change? What packages
 
need to be installed, config files edited, etc.?
 
2. What specific actions do I perform to check that the change is
 
working like it's supposed to?
 
3. What are the expected results of those actions?
 
-->
 
 
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
N/A (not a System Wide Change)
 
  
 
== User Experience ==
 
== User Experience ==
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
+
See Upgrade/compatibility impact above.
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
N/A (not a System Wide Change)
 
  
 
== Dependencies ==
 
== Dependencies ==
<!-- What other packages (RPMs) depend on this package?  Are there changes outside the developers' control on which completion of this change depends?  In other words, completion of another change owned by someone else and might cause you to not be able to finish on time or that you would need to coordinate?  Other upstream projects like the kernel (if this is not a kernel change)? -->
+
dnf, librepo, systemd, git, etc.
 
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
N/A (not a System Wide Change)
 
  
 
== Contingency Plan ==
 
== Contingency Plan ==
  
<!-- If you cannot complete your feature by the final development freeze, what is the backup plan?  This might be as simple as "Revert the shipped configuration".  Or it might not (e.g. rebuilding a number of dependent packages).  If you feature is not completed in time we want to assure others that other parts of Fedora will not be in jeopardy.  -->
+
* Contingency mechanism: switch libcurl back to NSS
* Contingency mechanism: (What to do?  Who will do it?) N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Contingency deadline: Fedora 27 Alpha freeze
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
+
* Blocks release? No.
* Contingency deadline: N/A (not a System Wide Change)  <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
+
* Blocks product? No.
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
 
* Blocks release? N/A (not a System Wide Change), Yes/No <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
* Blocks product? product <!-- Applicable for Changes that blocks specific product release/Fedora.next -->
 
  
 
== Documentation ==
 
== Documentation ==
<!-- Is there upstream documentation on this change, or notes you have written yourself? Link to that material here so other interested developers can get involved. -->
+
Downstream only change. Upstream supports both the libraries.
 
 
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
 
N/A (not a System Wide Change)
 
  
 
== Release Notes ==
 
== Release Notes ==
 +
Needed.
 
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
 
<!-- The Fedora Release Notes inform end-users about what is new in the release.  Examples of past release notes are here: http://docs.fedoraproject.org/release-notes/ -->
 
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this change, indicate them here.  A link to upstream documentation will often satisfy this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release.  
 
<!-- The release notes also help users know how to deal with platform changes such as ABIs/APIs, configuration or data file formats, or upgrade concerns.  If there are any such changes involved in this change, indicate them here.  A link to upstream documentation will often satisfy this need.  This information forms the basis of the release notes edited by the documentation team and shipped with the release.  

Revision as of 12:41, 6 April 2017

Switch libcurl back to OpenSSL

Summary

libcurl in Fedora currently uses the NSS (Network Security Services) library for TLS and cryptography. After implementing this change, libcurl will use OpenSSL instead of NSS.

Owner

  • Name: Kamil Dudka
  • Email: kdudka@redhat.com
  • Release notes owner: N/A
  • FESCo shepherd: N/A
  • Product: Fedora
  • Responsible WG: kdudka


Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-04-06
  • Tracker bug: <will be assigned by the Wrangler>


Detailed Description

In order to make even smaller Fedora base images, it was proposed to switch libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now deprecated and libcurl is the only package that pulls NSS as its dependency into the Fedora base image. Hence, by switching libcurl back to OpenSSL, we could create Fedora base image that contains fewer crypto libraries inside.


Benefit to Fedora

Smaller base image, fewer cpryto libraries inside.


Scope

  • Proposal owners: kdudka
  • Other developers: psabata, ignatenko, sgallagh
  • Release engineering: unaffected
  • Policies and guidelines: unaffected
  • Trademark approval: not needed

Upgrade/compatibility impact

  • Firefox certificate database can no longer be used by (lib)curl-based applications.
  • Existing certificate databases need to be dumped to files to be used by (lib)curl.

How To Test

All direct and indirect dependencies of libcurl (including 3rd party SW) should be tested. No special HW is needed, assuming that OpenSSL itself is tested.

User Experience

See Upgrade/compatibility impact above.

Dependencies

dnf, librepo, systemd, git, etc.

Contingency Plan

  • Contingency mechanism: switch libcurl back to NSS
  • Contingency deadline: Fedora 27 Alpha freeze
  • Blocks release? No.
  • Blocks product? No.

Documentation

Downstream only change. Upstream supports both the libraries.

Release Notes

Needed.