bug-wget

Re: [Bug-wget] let's fix the openssl backend once and for all


From: Tim Rühsen
Subject: Re: [Bug-wget] let's fix the openssl backend once and for all
Date: Fri, 31 Oct 2014 19:49:33 +0100
User-agent: KMail/4.14.2 (Linux/3.16-3-amd64; KDE/4.14.2; x86_64; ; )

On Friday, 31 October 2014, 11:00:00, Giuseppe Scrivano wrote:
> Darshit Shah <address@hidden> writes:
> > On Thu, Oct 30, 2014 at 4:48 PM, Giuseppe Scrivano <address@hidden> wrote:
> >> Tim Rühsen <address@hidden> writes:
> >>> as I wrote to Mike: It is the OpenSSL code within Wget. Wget compiled
> >>> with GnuTLS does not show any problems.
> >> 
> >> and this reminds us that maintaining two different backends is not a
> >> good idea.  I am for just moving to GNU TLS and forget about OpenSSL.
> >> It is a bit drastic but I think it is a better move for the long term.
> >> And we get rid of the copyright exception as well...
> >> 
> >> What do you all think?
> > 
> > I think OpenSSL is being used by way too many of our users as a SSL
> > backend and that we should continue to support it. Despite what the
> > project aimed for, GNUTLS has not managed to gain the adoption /
> > popularity that OpenSSL enjoys. In my opinion, we should clean up our
> > code-base and ensure that everything works with a good set of unit
> > tests.
> > 
> > Maintaining two backends for OpenSSL and GNUTLS may be difficult, but
> > it is something we must work with. More people use Wget with the
> > OpenSSL backend than the number of people who use Wget on Windows +
> > VMS. Yet we continue to support those architectures and want to
> > eliminate OpenSSL? Yes, it's hard, but we only need to up the ante and
> > clean up the code base, not run away from the real problem and simply
> > drop OpenSSL.
> 
> yes, but in the OpenSSL vs GnuTLS case they have only to change a
> library and they will have the same functionalities, while dropping
> support for Windows or VMS means not offering any alternative to these
> users.
> 
> What do you think about the idea Daniel proposed on this same thread?

For the whole developer community it would be a big benefit, no doubt.
But the work has to be done by someone... Daniel knows how much it is before 
such a library finds its way into the distributions.

Let's see, if there is someone who wants to do the work (well, I guess there 
will be much support by developers).
We could say for the moment we stay with GnuTLS and OpenSSL and ask the drop 
question in a year or so again. At least not rush a decision.

BTW, today I found out that valgrind actually reports false positives when 
using (some functionality of) OpenSSL. There are some documents in the net 
regarding this problem (OpenSSL reads uninitialized memory to get more 
entropy). I'll come up with a post on this, not mixing topics here.

Tim
