On Sun, 2009-01-04 at 23:30 -0300, Cristian Rodríguez wrote:

Looks like openSSL is prefered by most proyects though.

openSSL is not compatible with the GPL. Hub -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

T24gU3VuLCBKYW4gNCwgMjAwOSBhdCAxMDowOCBQTSwgSHViZXJ0IEZpZ3VpZXJlIDxoZmlndWllcmVAbm92ZWxsLmNvbT4gd3JvdGU6Cj4gT24gU3VuLCAyMDA5LTAxLTA0IGF0IDIzOjMwIC0wMzAwLCBDcmlzdGlhbiBSb2Ryw61ndWV6IHdyb3RlOgo+PiBMb29rcyBsaWtlIG9wZW5TU0wgaXMgcHJlZmVyZWQgYnkgbW9zdCBwcm95ZWN0cyB0aG91Z2guCj4KPiBvcGVuU1NMIGlzIG5vdCBjb21wYXRpYmxlIHdpdGggdGhlIEdQTC4KCkkgZG9uJ3QgdGhpbmsgbGljZW5zaW5nIGlzIHRoZSBpc3N1ZSBhdCBoYW5kLgoKVGhlIG1vcmUgcHJ1ZGVudCB0aGluZyBpcywgaXMgaXQgdGhlIGJlc3QgY3J5cHRvIHNvbHV0aW9uIGF2YWlsYWJsZT8KClRoZSBhbnN3ZXIgaXMgYSByZXNvdW5kaW5nICJpdCdzIHRoZSBtb3N0IFBPUFVMQVIuLiIgLSBub3QgbmVjZXNzYXJpbHkKdGhlIGJlc3QuIExpa2UgdGhlIEZlZG9yYSBwYWdlIHNheXMsIE5TUyBnb3QgY2VydGlmaWNhdGlvbiBmb3VyIHRpbWVzLgpDb3VudCB0aGUgbnVtYmVyIG9mIHRpbWVzIE9wZW5TU0wgZ290IGl0LiBOU1MgYWxzbyBoYXMgbW9yZSBmZWF0dXJlcwo6RAoKTm93LCBpZiB5b3UgaGF2ZSBzb21ldGhpbmcgbGlrZSBhIGNvbnNvbGlkYXRlZCBjcnlwdG9ncmFwaHkgdG9vbGtpdAooQ3J5cHRvS2l0IGlmIHlvdSB3aWxsKSB0aGVuIGl0IG1heSB3ZWxsIGJlIGJhc2VkIG9uIE5TUyBhbmQgZG8gYWxsCml0J3Mga2V5IGdlbmVyYXRpb24sIGF1dGhlbnRpY2F0aW9uLCBldGMuIGFuZCBoYXZlIGFzIG1hbnkgZ3JlYXQKZmVhdHVyZXMgYXMgcG9zc2libGUgKHBhbSwgc21hcnRjYXJkcywgc2luZ2xlIGtleWNoYWluKSAtIGhvd2V2ZXIgaXQKd291bGQgYWxzbywganVzdCBsaWtlIFBhY2thZ2VLaXQgZG9lcywgaG9wZWZ1bGx5IGJyaWRnZSB0aGUgZ2FwCmJldHdlZW4gYWxsIHRoZSBPVEhFUiBjcnlwdG9ncmFwaHkgc3VpdGVzLiBBcHBzIGNvdWxkIG1vdmUgdG8gdXNpbmcKQ3J5cHRvS2l0IHRvIHNlY3VyZSBhIGNvbm5lY3Rpb24sIGFuZCByZWx5IG9uIGEgc3RhbmRhcmQsCmRlc2t0b3AtaW5kZXBlbmRlbnQgYW5kIGRpc3RyaWJ1dGlvbi1pbmRlcGVuZGVudCBjcnlwdG9ncmFwaHkgc3VpdGUuCgpQbHVzLCBpdCdzIG5vdCBoYXJkIHRvIG1ha2UgYW4gT3BlblNTTCB3b3JrYWxpa2UgdGhhdCBzaW1wbHkgd3JhcHMgTlNTCmZ1bmN0aW9uYWxpdHkuIE9yIGFueSBvZiB0aG9zZSBsaWJyYXJpZXMuIE9yIGluIGV4dHJlbWUgY2FzZXMsIHBvcnQgYW4KYXBwIHRvIE5TUy4gT3IgaGF2ZSBDcnlwdG9LaXQgZXhwb3J0IGFsbCB0aGUga2V5cyB0byBPcGVuU1NMIHdoZW4gdGhleQpnZXQgaW1wb3J0ZWQgaW50byBOU1MsIGFuZCBtYW5hZ2UgdGhlIHRyYW5zaXRpb24uIFRoZSBpZGVhIGlzIHRoYXQKYW55dGhpbmcgcmVxdWlyaW5nIGNyZWRlbnRpYWxzIGNhbiByZWx5IG9uIGEgc3RhbmRhcmQgYmFja2VuZCBsaWtlCkNyeXB0b0tpdCwgYW5kIHNlY3VyaW5nIG5ldHdvcmsgdHJhZmZpYyBiZXR3ZWVuIGltcG9ydGFudCBhcHBzIGNhbiBiZQpkb25lIHVzaW5nIE5TUyAoZm9yIGluc3RhbmNlIHp5cHBlcikgdGhyb3VnaCB0aGlzIHNpbmdsZSwgYWJzdHJhY3RlZAp0b29sa2l0LgoKVGhhdCdzIG5vdCB0byBzYXkgdGhhdCBpdCBpc24ndCBhIGh1Z2Ugb3ZlcmhhdWwsIGJ1dCBkYW1uIGl0IGl0J3MgbmVlZGVkLgoKLS0gCk1hdHQgU2VhbGV5IDxtYXR0QGdlbmVzaS11c2EuY29tPgpHZW5lc2ksIE1hbmFnZXIsIERldmVsb3BlciBSZWxhdGlvbnMK-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.orgFor additional commands, e-mail: opensuse-factory+help@opensuse.org

Hi, Marcus Meissner schrieb:

On Sun, Jan 04, 2009 at 11:33:48PM +0100, Wolfgang Rosenauer wrote:

...

Hi,

usage of different crypto libraries is quite cluttered over the openSUSE distribution (actually every Linux distribution).

This is caused by different things and can't be avoided but I'm still wondering about a few things:

- is there a policy which framework to use if the upstream project offers more options? - if there is no policy yet should there be one? - would it make sense to join or introduce an own project like Fedora's http://fedoraproject.org/wiki/FedoraCryptoConsolidation

We are working this way, but slowly.

Is there any (public) document about it or just internal discussion?

Mozilla NSS is the current favorite, if license permits.

I just found http://en.opensuse.org/Packaging/Security_Policies where it is mentioned as preferred, too. The license should be fine for most cases and the feature set looks like it is a good choice. Upstream adoption for OSS software is not that high compared to OpenSSL though but it seems that Fedora is doing some work to make it available as option in popular applications. The reason I was asking is because I've picked up some work from hpj to make it possible to share a user's global NSS database between most of the applications using NSS' certstore including all Mozilla projects and Evolution for now. Using the OBS mozilla repository on 11.1 (and above) implements that optional feature (evolution in 11.1 is also already enabled). That feature is still a bit experimental since it's not exercised much anywhere yet and there is a bit more to come as for example a system wide database which can be controlled by root and is used in addition to the user's database. I'm also planning to create a simple GUI application to manage the user's (or system's) global certstore (w/o using the one in Firefox). Wolfgang -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Hans Petter Jansson schrieb:

On Sun, 2009-01-04 at 23:33 +0100, Wolfgang Rosenauer wrote:

...

- is there a policy which framework to use if the upstream project offers more options? - if there is no policy yet should there be one? - would it make sense to join or introduce an own project like Fedora's http://fedoraproject.org/wiki/FedoraCryptoConsolidation

In case you haven't already found it (our wiki is hard to search - looking for "cert" or "cert store" didn't turn up anything for me), here's a slightly outdated doc I've worked on:

http://en.opensuse.org/SharedCertStore

Thanks for the hint. I haven't seen that yet. BTW: about the certificate management GUI I've made a POC XUL application using xulrunner's/firefox' certificate manager as a standalone xul application. The solution is currently not really nice and has some issues which are not that easy to solve but in theory it's possible. But reusing Evolution's dialogs could also be an option. I also was thinking to create a short HOWTO how the shared database need to be enabled for the applications which are prepared to get some more testing. Wolfgang -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org