Re: Support for NSS as a libpq TLS backend

From: Daniel Gustafsson <daniel(at)yesql(dot)se>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Peter Eisentraut <peter(dot)eisentraut(at)enterprisedb(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, Julien Rouhaud <rjuju123(at)gmail(dot)com>, Jacob Champion <pchampion(at)vmware(dot)com>, "pgsql-hackers(at)lists(dot)postgresql(dot)org" <pgsql-hackers(at)lists(dot)postgresql(dot)org>, "hlinnaka(at)iki(dot)fi" <hlinnaka(at)iki(dot)fi>, "andrew(dot)dunstan(at)2ndquadrant(dot)com" <andrew(dot)dunstan(at)2ndquadrant(dot)com>, "michael(at)paquier(dot)xyz" <michael(at)paquier(dot)xyz>, "thomas(dot)munro(at)gmail(dot)com" <thomas(dot)munro(at)gmail(dot)com>, "sfrost(at)snowman(dot)net" <sfrost(at)snowman(dot)net>
Subject: Re: Support for NSS as a libpq TLS backend
Date: 2022-02-04 19:48:52
Message-ID: C17CDB6F-5C8F-481A-A7D0-BA62FD005957@yesql.se
Lists: pgsql-hackers

> On 4 Feb 2022, at 19:22, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>
> On Thu, Feb 3, 2022 at 02:33:37PM -0500, Robert Haas wrote:
>> As a philosophical matter, I don't think it's great for us - or the
>> Internet in general - to be too dependent on OpenSSL. Software
>> monocultures are not great, and OpenSSL has near-constant security
>> updates and mediocre documentation. Now, maybe anything else we
>
> I don't think it is fair to be criticizing OpenSSL for its mediocre
> documentation when the alternative being considered, NSS, has no public
> documentation. Can the source-code-defined NSS documentation..

Not that it will shift the needle either way, but to give credit where credit
is due:

Both NSS and NSPR are documented, and have been since they were published by
Netscape in 1998. The documentation does lack things, and some parts are quite
out of date. That's true and undisputed even by the projects themselves who
state this: "It currently is very deprecated and likely incorrect or broken in
many places".

The recent issue was that Mozilla decided to remove all 3rd party projects (why
they consider their own code 3rd party is a mystery to me) from their MDN site,
and so NSS and NSPR were deleted with no replacement. This was said to be
worked on but didn't happen and no docs were imported into the tree. When
Daniel from curl (the other one, not I) complained, this caused enough momentum
to get this work going and it's now been "done".

NSS: https://firefox-source-docs.mozilla.org/security/nss/
NSPR: https://firefox-source-docs.mozilla.org/nspr/

I am writing "done" above in quotes, since the documentation also needs to be
updated, completed, rewritten, organized etc etc. The above is an import of
what was found, and is in a fairly poor state. Unfortunately, it's still not
in the tree, where I personally believe documentation stands the best chance of
being kept up to date. The NSPR documentation is probably the better of the two,
but it's also much less of a moving target.

It is true that the documentation is poor and currently in bad shape, with lots
of broken links, heavily disorganized, etc. It's also true that I managed to
implement full libpq support without any crystal ball or help from the NSS
folks. The latter doesn't mean we can brush documentation concerns aside, but
let's be fair in our criticism.

> ..be considered better than the mediocre OpenSSL public documentation?

OpenSSL has gotten a lot better in recent years; it's still not great, or where
I would like it to be, but a lot better.

--
Daniel Gustafsson https://vmware.com/
