From Fedora Project Wiki
(→‎Scope: update per https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/CGOTGRFATIMANGCAYYAJDOP2U7JSPYQD/)
Line 42: Line 42:
 
    
 
    
 
== Scope ==
 
== Scope ==
* Proposal owners: kdudka
+
* Proposal owners: kdudka (will push the following patch: https://src.fedoraproject.org/cgit/rpms/curl.git/commit/?id=7c3b67bb and rebuild curl)
* Other developers: psabata, ignatenko, sgallagh
+
* Other developers: psabata, ignatenko, sgallagh (will help to resolve possible breakages caused by the patch)
* Release engineering: unaffected
+
* Release engineering: No action from release engineering is needed for this change (libcurl ABI is kept).
 
* Policies and guidelines: unaffected
 
* Policies and guidelines: unaffected
 
* Trademark approval: not needed
 
* Trademark approval: not needed

Revision as of 13:10, 6 April 2017

Switch libcurl back to OpenSSL

Summary

libcurl in Fedora currently uses the NSS (Network Security Services) library for TLS and cryptography. After implementing this change, libcurl will use OpenSSL instead of NSS.

Owner

  • Name: Kamil Dudka
  • Email: kdudka@redhat.com
  • Release notes owner: N/A
  • FESCo shepherd: N/A
  • Product: Fedora
  • Responsible WG: kdudka


Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-04-06
  • Tracker bug: <will be assigned by the Wrangler>


Detailed Description

In order to make even smaller Fedora base images, it was proposed to switch libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now deprecated and libcurl is the only package that pulls NSS as its dependency into the Fedora base image. Hence, by switching libcurl back to OpenSSL, we could create Fedora base image that contains fewer crypto libraries inside.


Benefit to Fedora

Smaller base image, fewer cpryto libraries inside.


Scope

  • Proposal owners: kdudka (will push the following patch: https://src.fedoraproject.org/cgit/rpms/curl.git/commit/?id=7c3b67bb and rebuild curl)
  • Other developers: psabata, ignatenko, sgallagh (will help to resolve possible breakages caused by the patch)
  • Release engineering: No action from release engineering is needed for this change (libcurl ABI is kept).
  • Policies and guidelines: unaffected
  • Trademark approval: not needed

Upgrade/compatibility impact

  • Firefox certificate database can no longer be used by (lib)curl-based applications.
  • Existing certificate databases need to be dumped to files to be used by (lib)curl.

How To Test

All direct and indirect dependencies of libcurl (including 3rd party SW) should be tested. No special HW is needed, assuming that OpenSSL itself is tested.

User Experience

See Upgrade/compatibility impact above.

Dependencies

dnf, librepo, systemd, git, etc.

Contingency Plan

  • Contingency mechanism: switch libcurl back to NSS
  • Contingency deadline: Fedora 27 Alpha freeze
  • Blocks release? No.
  • Blocks product? No.

Documentation

Downstream only change. Upstream supports both the libraries.

Release Notes

Needed.