apr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <wr...@rowe-clan.net>
Subject Re: apr_crypto API review
Date Fri, 16 Oct 2009 16:10:20 GMT
Joe Orton wrote:
> ** Is the caller of this code expected to be crypto-toolkit agnostic or 
> not?  I am struggling to imagine in Fedora, why we'd want to build 
> APR(-util) with support for *both* crypto toolkits at run-time.  Why not 
> just pick one at build time, like every other project in the entire 
> world does?

They must be for using the API.  If they want to then do something 'more' and
address a toolkit directly, that's their perogative, but not something we should
even get involved in or claim to support (same issue as svn bdb assumptions).

Five practical illustrations related to httpd on win32 out of the box;

 * ht* support should not bind to/load into process the crypto/ssl libs, ever.
   Removing the ssl stub[s] due to local laws mustn't invalidate such programs.

 * user has desire to use ms crypto providers, support this, they must fight with
   their own registration of certs/keys in the registry.

 * user has desire to use openssl

 * user has desire to use openssl compiled as FIPS [these must be seperate libs,
   see recent dev@openssl.o discussions]

 * user has 3rd party module using nss directly, seeks to avoid incompatibilities
   (note the libld platforms suffer much worse than win32 in this respect).  I've
   seen this particular issue repeated year after year in new forms.

Fedora is relatively homogeneous so I doubt it would benefit, but again we can
offer the disable dso support flags for platforms who rather build in that manner.

View raw message