From Fedora Project Wiki

Revision as of 08:25, 11 December 2017 by Jkurik

Switch libcurl to use libssh instead of libssh2

Summary

libcurl currently uses libssh2 to implement the SSH layer of SCP and SFTP protocols. After implementing this change, libcurl will use the libssh library instead.


Owner

  • Name: Kamil Dudka
  • Email: kdudka@redhat.com
  • Release notes owner: N/A
  • FESCo shepherd: N/A
  • Product: Fedora
  • Responsible WG: kdudka

Current status

  • Targeted release: Fedora 28
  • Last updated: 2017-12-11
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

libcurl currently uses libssh2 to implement the SSH layer of SCP and SFTP protocols. The libssh2 library uses outdated crypto algorithms and lacks important features like GSS-API authentication. After implementing this change, libcurl will use the libssh library instead, which is now more secure and feature-complete, and has a more active upstream community.

Benefit to Fedora

  • More secure and feature-complete implementation of SCP and SFTP in (lib)curl.
  • Fewer system-critical crypto libraries to maintain.

Scope

  • Proposal owners: kdudka (will switch the SSH library in the curl package once it is supported upstream)
  • Other developers: nmav (currently working on the related pull-request with curl upstream)
  • Release engineering: No action from release engineering is needed for this change (libcurl ABI is kept); releng review requested at https://pagure.io/releng/issue/7193
  • Policies and guidelines: unaffected
  • Trademark approval: not needed

Upgrade/compatibility impact

  • This change will mainly affect applications and libraries which use the implementation of the SCP or SFTP protocols in (lib)curl.

How To Test

All direct and indirect dependencies of libcurl should be tested.

User Experience

Unless the change reveals bugs elsewhere, users will not know about it.

Dependencies

anaconda, dracut, etc.

Contingency Plan

  • Contingency mechanism: switch libcurl back to libssh2
  • Contingency deadline: Fedora 28 Beta freeze
  • Blocks release? No.
  • Blocks product? No.

Documentation

No documentation is needed.

Release Notes

We can mention the new features (stronger crypto, GSS-API auth) if they work as expected.