Re: Support for NSS as a libpq TLS backend
Daniel Gustafsson <daniel@yesql.se>
From: Daniel Gustafsson <daniel@yesql.se>
To: Bruce Momjian <bruce@momjian.us>
Cc: Robert Haas <robertmhaas@gmail.com>,
Peter Eisentraut <peter.eisentraut@enterprisedb.com>,
Andres Freund <andres@anarazel.de>,
Julien Rouhaud <rjuju123@gmail.com>,
Jacob Champion <pchampion@vmware.com>,
"pgsql-hackers@lists.postgresql.org" <pgsql-hackers@lists.postgresql.org>,
"hlinnaka@iki.fi" <hlinnaka@iki.fi>,
"andrew.dunstan@2ndquadrant.com" <andrew.dunstan@2ndquadrant.com>,
"michael@paquier.xyz" <michael@paquier.xyz>,
"thomas.munro@gmail.com" <thomas.munro@gmail.com>,
"sfrost@snowman.net" <sfrost@snowman.net>
Date: 2022-02-04T19:48:52Z
Lists: pgsql-hackers
> On 4 Feb 2022, at 19:22, Bruce Momjian <bruce@momjian.us> wrote: > > On Thu, Feb 3, 2022 at 02:33:37PM -0500, Robert Haas wrote: >> As a philosophical matter, I don't think it's great for us - or the >> Internet in general - to be too dependent on OpenSSL. Software >> monocultures are not great, and OpenSSL has near-constant security >> updates and mediocre documentation. Now, maybe anything else we > > I don't think it is fair to be criticizing OpenSSL for its mediocre > documentation when the alternative being considered, NSS, has no public > documentation. Can the source-code-defined NSS documentation.. Not that it will shift the needle either way, but to give credit where credit is due: Both NSS and NSPR are documented, and have been since they were published by Netscape in 1998. The documentation does lack things, and some parts are quite out of date. That's true and undisputed even by the projects themselves who state this: "It currently is very deprecated and likely incorrect or broken in many places". The recent issue was that Mozilla decided to remove all 3rd party projects (why they consider their own code 3rd party is a mystery to me) from their MDN site, and so NSS and NSPR were deleted with no replacement. This was said to be worked on but didn't happen and no docs were imported into the tree. When Daniel from curl (the other one, not I) complained, this caused enough momentum to get this work going and it's now been "done". NSS: https://firefox-source-docs.mozilla.org/security/nss/ NSPR: https://firefox-source-docs.mozilla.org/nspr/ I am writing done above in quotes, since the documentation also needs to be updated, completed, rewritten, organized etc etc. The above is an import of what was found, and is in a fairly poor state. Unfortunately, it's still not in the tree where I personally believe documentation stands the best chance of being kept up to date. The NSPR documentation is probably the best of the two, but it's also much less of a moving target. It is true that the documentation is poor and currently in bad shape with lots of broken links and heavily disorganized etc. It's also true that I managed to implement full libpq support without any crystal ball or help from the NSS folks. The latter doesn't mean we can brush documentation concerns aside, but let's be fair in our criticism. > ..be considered better than the mediocre OpenSSL public documentation? OpenSSL has gotten a lot better in recent years, it's still not great or where I would like it to be, but a lot better. -- Daniel Gustafsson https://vmware.com/
Commits
-
Add tab-completion for CREATE FOREIGN TABLE.
- 74527c3e022d 15.0 cited
-
Add tap tests for the schema publications.
- 6b0f6f79eef2 15.0 cited
-
Move Perl test modules to a better namespace
- b3b4d8e68ae8 15.0 cited
-
Adjust configure to insist on Perl version >= 5.8.3.
- 92e6a98c3636 15.0 cited
-
Simplify code related to compilation of SSL and OpenSSL
- 092b785fad3d 14.0 landed
-
Introduce --with-ssl={openssl} as a configure option
- fe61df7f82aa 14.0 landed
-
Implement support for bulk inserts in postgres_fdw
- b663a4136331 14.0 cited
-
Fix redundant error messages in client tools
- 6be725e70161 14.0 cited
-
doc: Apply more consistently <productname> markup for OpenSSL
- 089da3c4778f 14.0 landed
-
Check ssl_in_use flag when reporting statistics
- 6a5c750f3f72 14.0 cited