Buy commercial curl support from WolfSSL. We help you work
out your issues, debug your libcurl applications, use the API, port to new
platforms, add new features and more. With a team lead by the curl founder
himself.
Re: Has the time come to drop NSS?
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: bch via curl-library <curl-library_at_lists.haxx.se>
Date: Fri, 28 Jan 2022 00:20:16 -0800
On Thu, Jan 27, 2022 at 23:56 Daniel Stenberg via curl-library <
curl-library_at_lists.haxx.se> wrote:
> Hello,
>
> This morning we got a fresh issue [1] filed that involves the NSS library.
>
> When I started to investigate this I ran a few google searches for some of
> the
> invovled functions in NSS, such as PR_Recv, only to realize that there
> just is
> no documentation for this to be found online anymore - anywhere. At least
> my
> searches fell short. (Which made me file [2])
>
> This is not in itself an alarming situation for us right now, since we can
> still just use it like before, but to be this is a very clear sign that
> the
> NSS team doesn't even bother anymore. To me, this is a clear sign they've
> stopped caring and a message for us to reconsider if leaning on this leg
> is a
> good idea for our users. Going forward into the mist with no map is not
> the
> future I want.
Certainly their “recent releases” page doesn’t list their most recent
release either:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases
(lists 3.66 as latest, though my pkgs were recently updated to 3.74, and
things look even worse (incoherent wrt what versions are published) when
one starts following links to published wikis…)
That said, isn’t it still a (US) govt approved (FIPS[0]) piece of software,
and valuable in that way?
[0]
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FIPS_Mode_-_an_explanation
>
> Is it time to drop support for NSS?
>
> I don't think any distribution is shipping curl build with NSS by default
> anymore. I know there still are users of it, like the issue that triggered
> me
> into this shows, but I think most users can be transitioned over to other
> TLS
> backends.
>
> Maybe we should set a date, maybe late 2022 and if things are still as
> grim-looking in NSS-land as today we then say goodbye?
>
> [1] = https://github.com/curl/curl/issues/8341
> [2] = https://github.com/mdn/content/issues/12471
>
> --
>
> / daniel.haxx.se
> | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://curl.se/support.html
> --
> Unsubscribe: https://lists.haxx.se/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
>
Date: Fri, 28 Jan 2022 00:20:16 -0800
On Thu, Jan 27, 2022 at 23:56 Daniel Stenberg via curl-library <
curl-library_at_lists.haxx.se> wrote:
> Hello,
>
> This morning we got a fresh issue [1] filed that involves the NSS library.
>
> When I started to investigate this I ran a few google searches for some of
> the
> invovled functions in NSS, such as PR_Recv, only to realize that there
> just is
> no documentation for this to be found online anymore - anywhere. At least
> my
> searches fell short. (Which made me file [2])
>
> This is not in itself an alarming situation for us right now, since we can
> still just use it like before, but to be this is a very clear sign that
> the
> NSS team doesn't even bother anymore. To me, this is a clear sign they've
> stopped caring and a message for us to reconsider if leaning on this leg
> is a
> good idea for our users. Going forward into the mist with no map is not
> the
> future I want.
Certainly their “recent releases” page doesn’t list their most recent
release either:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Releases
(lists 3.66 as latest, though my pkgs were recently updated to 3.74, and
things look even worse (incoherent wrt what versions are published) when
one starts following links to published wikis…)
That said, isn’t it still a (US) govt approved (FIPS[0]) piece of software,
and valuable in that way?
[0]
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FIPS_Mode_-_an_explanation
>
> Is it time to drop support for NSS?
>
> I don't think any distribution is shipping curl build with NSS by default
> anymore. I know there still are users of it, like the issue that triggered
> me
> into this shows, but I think most users can be transitioned over to other
> TLS
> backends.
>
> Maybe we should set a date, maybe late 2022 and if things are still as
> grim-looking in NSS-land as today we then say goodbye?
>
> [1] = https://github.com/curl/curl/issues/8341
> [2] = https://github.com/mdn/content/issues/12471
>
> --
>
> / daniel.haxx.se
> | Commercial curl support up to 24x7 is available!
> | Private help, bug fixes, support, ports, new features
> | https://curl.se/support.html
> --
> Unsubscribe: https://lists.haxx.se/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
>
-- Unsubscribe: https://lists.haxx.se/listinfo/curl-library Etiquette: https://curl.haxx.se/mail/etiquette.htmlReceived on 2022-01-28