Re: Support for NSS as a libpq TLS backend
Stephen Frost <sfrost@snowman.net>
From: Stephen Frost <sfrost@snowman.net>
To: Daniel Gustafsson <daniel@yesql.se>
Cc: Robert Haas <robertmhaas@gmail.com>, Andres Freund <andres@anarazel.de>, Julien Rouhaud <rjuju123@gmail.com>, Jacob Champion <pchampion@vmware.com>, "pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>, "hlinnaka@iki.fi" <hlinnaka@iki.fi>, "andrew.dunstan@2ndquadrant.com" <andrew.dunstan@2ndquadrant.com>, "michael@paquier.xyz" <michael@paquier.xyz>, "thomas.munro@gmail.com" <thomas.munro@gmail.com>
Date: 2022-02-01T20:12:28Z
Lists: pgsql-hackers
Greetings, * Daniel Gustafsson (daniel@yesql.se) wrote: > > On 31 Jan 2022, at 22:48, Daniel Gustafsson <daniel@yesql.se> wrote: > >> On 31 Jan 2022, at 17:24, Stephen Frost <sfrost@snowman.net> wrote: > > >> I agree that it's concerning to hear that OpenLDAP dropped support for > >> NSS... though I don't seem to be able to find any information as to why > >> they decided to do so. > > > > I was also unable to do that. There is no information that I could see in > > either the commit message, Bugzilla entry (#9207) or on the mailinglist. > > Searching the web didn't yield anything either. I've reached out to hopefully > > get a bit more information. > > Support issues and Red Hat dropping OpenLDAP was cited [0] as the main drivers > for dropping NSS. That's both very vaugue and oddly specific, I have to say. Also, not really sure that it's a good reason for other projects to move away, or for the large amount of work put into this effort to be thrown out when it seems to be quite close to finally being done and giving us an alternative, supported and maintained, TLS/SSL library. The concern about the documentation not being easily available is certainly something to consider. I remember in prior reviews not having that much difficulty looking up documentation for functions, and in doing some quick looking around there's certainly some (most?) of the NSS documentation still up, the issue is that the NSPR documentation was taken off of the MDN website and that's referenced from the NSS pages and is obviously something that folks working with NSS need to be able to find the documentation for too. All that said, while have documentation on the web is nice and all, it seems to still be in the source, at least when I grabbed NSPR locally with apt-get source and looked at PR_Recv, I found: /* ************************************************************************* * FUNCTION: PR_Recv * DESCRIPTION: * Receive a specified number of bytes from a connected socket. * The operation will block until some positive number of bytes are * transferred, a time out has occurred, or there is an error. * No more than 'amount' bytes will be transferred. * INPUTS: * PRFileDesc *fd * points to a PRFileDesc object representing a socket. * void *buf * pointer to a buffer to hold the data received. * PRInt32 amount * the size of 'buf' (in bytes) * PRIntn flags * must be zero or PR_MSG_PEEK. * PRIntervalTime timeout * Time limit for completion of the receive operation. * OUTPUTS: * None * RETURN: PRInt32 * a positive number indicates the number of bytes actually received. * 0 means the network connection is closed. * -1 indicates a failure. The reason for the failure is obtained * by calling PR_GetError(). ************************************************************************** */ So, it's not the case that the documentation is completely gone and utterly unavailable to those who are interested in it, it's just in the source rather than being on a nicely formatted webpage. One can find it on the web too, naturally: https://github.com/thespooler/nspr/blob/29ba433ebceda269d2b0885176b7f8cd4c5c2c52/pr/include/prio.h#L1424 (no idea what version that is, just found a random github repo with it, but wouldn't be hard to import the latest version). Considering how much we point people to our source when they're writing extensions and such, this doesn't strike me as quite the dire situation that it first appeared to be based on the initial comments. There is documentation, it's not actually that hard to find if you're working with the library, and the maintainers have stated their intention to work on improving the web-based documentation. Thanks, Stephen
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited