Re: Support for NSS as a libpq TLS backend

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Daniel Gustafsson <daniel(at)yesql(dot)se>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Julien Rouhaud <rjuju123(at)gmail(dot)com>, Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2022-01-31 16:24:54
Message-ID: 20220131162454.GS10577@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Daniel Gustafsson (daniel(at)yesql(dot)se) wrote:
> > On 28 Jan 2022, at 15:30, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> > On Fri, Jan 28, 2022 at 9:08 AM Daniel Gustafsson <daniel(at)yesql(dot)se> wrote:
> >>> Kinda makes me question the wisdom of starting to depend on NSS. When openssl
> >>> docs are vastly outshining a library's, that library really should start to
> >>> ask itself some hard questions.
> >
> > Yeah, OpenSSL is very poor, so being worse is not good.
> >
> >> Sadly, there is that. While this is not a new problem, Mozilla has been making
> >> some very weird decisions around NSS governance as of late. Another data point
> >> is the below thread from libcurl:
> >>
> >> https://curl.se/mail/lib-2022-01/0120.html
> >
> > I would really, really like to have an alternative to OpenSSL for PG.
> > I don't know if this is the right thing, though. If other people are
> > dropping support for it, that's a pretty bad sign IMHO. Later in the
> > thread it says OpenLDAP have dropped support for it already as well.
>
> I'm counting this and Andres' comment as a -1 on the patchset, and given where
> we are in the cycle I'll mark it rejected in the CF app shortly unless anyone
> objects.

I agree that it's concerning to hear that OpenLDAP dropped support for
NSS... though I don't seem to be able to find any information as to why
they decided to do so. NSS is clearly still supported and maintained
and they do seem to understand that they need to work on the
documentation situation and to get that fixed (the current issue seems
to be around NSS vs. NSPR and the migration off of MDN to the in-tree
documentation as Daniel mentioned, if I followed the discussion
correctly in the bug that was filed by the curl folks and was then
actively responded to by the NSS/NSPR folks), which seems to be the main
issue that's being raised about it by the curl folks and here.

I'm also very much a fan of having an alternative to OpenSSL, and the
NSS/NSPR license fits well for us, unlike the alternatives to OpenSSL
used by other projects, such as GnuTLS (which is the alternative to
OpenSSL that OpenLDAP now has) or other libraries like wolfSSL.

Beyond the documentation issue, which I agree is a concern but also
seems to be actively realized as an issue by the NSS/NSPR folks, is
there some other reason that the curl folks are thinking of dropping
support for it? Or does anyone have insight into why OpenLDAP decided
to remove support?

Thanks,

Stephen
