From Fedora Project Wiki

Latest revision as of 12:21, 4 November 2017

Switch libcurl back to OpenSSL

Summary

libcurl in Fedora currently uses the NSS (Network Security Services) library for TLS and cryptography. After implementing this change, libcurl will use OpenSSL instead of NSS.

Owner

  • Name: Kamil Dudka
  • Email: kdudka@redhat.com
  • Release notes owner: N/A
  • FESCo shepherd: N/A
  • Product: Fedora
  • Responsible WG: kdudka


Current status

  • Targeted release: Fedora 27
  • Last updated: 2017-11-04
  • Tracker bug: #1445153

Detailed Description

In order to make even smaller Fedora base images, it was proposed to switch libcurl back to OpenSSL. The Fedora Crypto Consolidation project, which motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now deprecated, and libcurl is the only package that pulls NSS as its dependency into the Fedora base image. Hence, by switching libcurl back to OpenSSL, we could create a Fedora base image that contains fewer crypto libraries.


Benefit to Fedora

Smaller base image, fewer crypto libraries inside.

Scope

  • Proposal owners: kdudka (will push the following patch: https://src.fedoraproject.org/cgit/rpms/curl.git/commit/?id=7c3b67bb and rebuild curl)
  • Other developers: psabata, ignatenko, sgallagh (will help to resolve possible breakages caused by the patch)
  • Release engineering: No action from release engineering is needed for this change (libcurl ABI is kept).
  • Policies and guidelines: unaffected
  • Trademark approval: not needed

Upgrade/compatibility impact

  • The Firefox certificate database can no longer be used by (lib)curl-based applications.
  • Existing NSS certificate databases need to be exported to files before (lib)curl can use them.

How To Test

All direct and indirect dependencies of libcurl (including third-party software) should be tested. No special hardware is needed, assuming that OpenSSL itself is tested.
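The two practical consequences of this change, verifying which TLS backend the installed libcurl was built against (How To Test) and moving a client identity out of an NSS database into PEM files that the OpenSSL backend can load (Upgrade/compatibility impact), can be scripted. The following is an added example, not part of the change proposal or the curl package; it assumes nss-tools (certutil, pk12util) and openssl are installed, that the caller supplies the NSS database path and certificate nickname, and the curl version banners used in the check are constructed samples.

```shell
#!/bin/sh
# Added example (not from the Fedora change page or the curl project).
#
#  tls_backend         - name the TLS library found in a `curl --version`
#                        banner, so a tester can confirm the rebuilt libcurl
#                        really links OpenSSL and not NSS.
#  export_nss_identity - copy a client certificate and its private key out of
#                        an NSS database into PEM files for curl --cert/--key.
#                        With the OpenSSL backend curl cannot open the NSS
#                        database, so a database nickname is no longer a
#                        usable --cert argument.
#
# Assumptions: certutil, pk12util and openssl are on PATH; the database
# path (e.g. sql:$HOME/.pki/nssdb) and nickname come from the caller.

# Print "OpenSSL", "NSS" or "unknown" for the banner passed as $1.
# The banner is an argument rather than read from curl directly so the
# function can be exercised without a curl binary present.
tls_backend() {
    case "$1" in
        *" OpenSSL/"*) echo OpenSSL ;;
        *" NSS/"*)     echo NSS ;;
        *)             echo unknown ;;
    esac
}

# export_nss_identity NSSDB NICKNAME OUTBASE
# Writes OUTBASE.crt (certificate, PEM) and OUTBASE.key (private key, PEM).
# A CA certificate can be exported the same way with certutil alone and
# passed to curl as --cacert.
export_nss_identity() {
    nssdb="$1"
    nick="$2"
    outbase="$3"
    p12="$outbase.p12"

    # -a asks certutil for ASCII (PEM) output instead of DER.
    certutil -L -d "$nssdb" -n "$nick" -a > "$outbase.crt"

    # The private key can only leave NSS as PKCS#12; pk12util prompts for
    # the database password and an export password for the bundle.
    pk12util -o "$p12" -n "$nick" -d "$nssdb"

    # Unwrap the key from the bundle; -nodes leaves it unencrypted on disk,
    # so restrict the file mode and discard the intermediate bundle.
    openssl pkcs12 -in "$p12" -nocerts -nodes -out "$outbase.key"
    chmod 600 "$outbase.key"
    rm -f "$p12"

    # Sanity check: the OpenSSL backend must be able to parse what we wrote.
    openssl x509 -in "$outbase.crt" -noout
    openssl pkey -in "$outbase.key" -noout
}

# Command-line entry points; with no arguments only the functions are defined.
case "${1:-}" in
    check)  tls_backend "$(curl --version | head -n 1)" ;;
    export) export_nss_identity "$2" "$3" "$4" ;;
esac
```

After `sh script.sh export sql:$HOME/.pki/nssdb "my client cert" client`, the identity is used as `curl --cert client.crt --key client.key https://host/`; `sh script.sh check` should print `OpenSSL` on a system carrying this change.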

User Experience

See Upgrade/compatibility impact above.

Dependencies

dnf, librepo, systemd, git, etc.

Contingency Plan

  • Contingency mechanism: switch libcurl back to NSS
  • Contingency deadline: Fedora 27 Alpha freeze
  • Blocks release? No.
  • Blocks product? No.

Documentation

Downstream-only change. Upstream curl supports both libraries.

Release Notes

libcurl will use OpenSSL for TLS and crypto (instead of NSS). TLS certificates and keys stored in an NSS database need to be exported to files for libcurl to be able to load them.