Hi,
usage of different crypto libraries is quite cluttered over the openSUSE distribution (actually every Linux distribution). Those include:
- OpenSSL
- Mozilla's NSS
- GnuTLS
- libgcrypt
This is caused by different things and can't be avoided but I'm still wondering about a few things:
- is there a policy which framework to use if the upstream project offers more options?
- if there is no policy yet should there be one?
- would it make sense to join or introduce an own project like Fedora's http://fedoraproject.org/wiki/FedoraCryptoConsolidation
Wolfgang
On Sun, Jan 04, 2009 at 11:33:48PM +0100, Wolfgang Rosenauer wrote:
Hi,
usage of different crypto libraries is quite cluttered over the openSUSE distribution (actually every Linux distribution). Those include:
- OpenSSL
- Mozilla's NSS
- GnuTLS
- libgcrypt
This is caused by different things and can't be avoided but I'm still wondering about a few things:
- is there a policy which framework to use if the upstream project offers more options?
- if there is no policy yet should there be one?
- would it make sense to join or introduce an own project like Fedora's http://fedoraproject.org/wiki/FedoraCryptoConsolidation
We are working this way, but slowly.
Mozilla NSS is the current favorite, if license permits.
Ciao, Marcus
Marcus Meissner wrote:
Mozilla NSS is the current favorite, if license permits.
Looks like openSSL is preferred by most projects though.
On Sun, 2009-01-04 at 23:30 -0300, Cristian Rodríguez wrote:
Looks like openSSL is preferred by most projects though.
openSSL is not compatible with the GPL.
Hub
On Sun, Jan 04, 2009 at 11:08:00PM -0500, Hubert Figuiere wrote:
On Sun, 2009-01-04 at 23:30 -0300, Cristian Rodríguez wrote:
Looks like openSSL is preferred by most projects though.
openSSL is not compatible with the GPL.
It can be made compatible by a license exception clause in the project that use it.
In the end they all seem to suck somehow. :/
Ciao, Marcus
Hi,
Marcus Meissner wrote:
On Sun, Jan 04, 2009 at 11:33:48PM +0100, Wolfgang Rosenauer wrote:
Hi,
usage of different crypto libraries is quite cluttered over the openSUSE distribution (actually every Linux distribution).
This is caused by different things and can't be avoided but I'm still wondering about a few things:
- is there a policy which framework to use if the upstream project offers more options?
- if there is no policy yet should there be one?
- would it make sense to join or introduce an own project like Fedora's http://fedoraproject.org/wiki/FedoraCryptoConsolidation
We are working this way, but slowly.
Is there any (public) document about it or just internal discussion?
Mozilla NSS is the current favorite, if license permits.
I just found http://en.opensuse.org/Packaging/Security_Policies where it is mentioned as preferred, too. The license should be fine for most cases and the feature set looks like it is a good choice. Upstream adoption for OSS software is not that high compared to OpenSSL though but it seems that Fedora is doing some work to make it available as option in popular applications.
The reason I was asking is because I've picked up some work from hpj to make it possible to share a user's global NSS database between most of the applications using NSS' certstore including all Mozilla projects and Evolution for now. Using the OBS mozilla repository on 11.1 (and above) implements that optional feature (evolution in 11.1 is also already enabled). That feature is still a bit experimental since it's not exercised much anywhere yet and there is a bit more to come as for example a system wide database which can be controlled by root and is used in addition to the user's database. I'm also planning to create a simple GUI application to manage the user's (or system's) global certstore (w/o using the one in Firefox).
Wolfgang
On Fri, Jan 9, 2009 at 1:00 PM, Matt Sealey matt@genesi-usa.com wrote:
That's not to say that it isn't a huge overhaul, but damn it it's needed.
Last line was meant to be ", license be damned" :D
On Sun, 2009-01-04 at 23:33 +0100, Wolfgang Rosenauer wrote:
- is there a policy which framework to use if the upstream project offers more options?
- if there is no policy yet should there be one?
- would it make sense to join or introduce an own project like Fedora's http://fedoraproject.org/wiki/FedoraCryptoConsolidation
In case you haven't already found it (our wiki is hard to search - looking for "cert" or "cert store" didn't turn up anything for me), here's a slightly outdated doc I've worked on:
http://en.opensuse.org/SharedCertStore
It touches on the "which crypto stack" topic. I favor NSS myself, due to its degree of deployment, FIPS certification and license.
Hans Petter Jansson wrote:
On Sun, 2009-01-04 at 23:33 +0100, Wolfgang Rosenauer wrote:
- is there a policy which framework to use if the upstream project offers more options?
- if there is no policy yet should there be one?
- would it make sense to join or introduce an own project like Fedora's http://fedoraproject.org/wiki/FedoraCryptoConsolidation
In case you haven't already found it (our wiki is hard to search - looking for "cert" or "cert store" didn't turn up anything for me), here's a slightly outdated doc I've worked on:
Thanks for the hint. I haven't seen that yet. BTW: about the certificate management GUI I've made a POC XUL application using xulrunner's/firefox' certificate manager as a standalone xul application. The solution is currently not really nice and has some issues which are not that easy to solve but in theory it's possible. But reusing Evolution's dialogs could also be an option.
I also was thinking to create a short HOWTO on how the shared database needs to be enabled for the applications which are prepared, to get some more testing.
Wolfgang
On Mon, 2009-01-12 at 23:15 +0100, Wolfgang Rosenauer wrote:
Hans Petter Jansson wrote:
Thanks for the hint. I haven't seen that yet.
You're welcome to edit it as you see fit. As I said, it isn't completely up to date and needs someone to care for it. So if you've got the time... ;)
BTW: about the certificate management GUI I've made a POC XUL application using xulrunner's/firefox' certificate manager as a standalone xul application. The solution is currently not really nice and has some issues which are not that easy to solve but in theory it's possible. But reusing Evolution's dialogs could also be an option.
If it can all be done in XUL and you're comfortable with that, I think it sounds like a good option, at least for now.
I also was thinking to create a short HOWTO on how the shared database needs to be enabled for the applications which are prepared, to get some more testing.
Anything I can help with there? As far as I can see, there isn't really a whole lot of user- or admin-facing stuff to document...