On Thu, Apr 06, 2017 at 05:50:16PM +0200, Miroslav Lichvar wrote:
> > In order to make even smaller Fedora base images, it was proposed to switch
> > libcurl back to OpenSSL.  The Fedora Crypto Consolidation project, which
> > motivated the switch of libcurl from OpenSSL to NSS ten years ago, is now
> > deprecated and libcurl is the only package that pulls NSS as its dependency
> > into the Fedora base image.  Hence, by switching libcurl back to OpenSSL, we
> > could create Fedora base image that contains fewer crypto libraries inside.
> I'm just wondering, does this change anything from the security point
> of view? Has history shown one library to be better than the other,
> for instance in the number of important issues found in the TLS
> implementation?

I don't think that's necessarily a great predictor of future results.
However, going from two different things to just one will _definitely_
result in fewer future CVEs which impact the base.


> Also, wasn't there an issue with the OpenSSL's licensing and GPL?
> If it still is, could it affect any of the packages that are now using
> libcurl?

There is this: https://www.openssl.org/blog/blog/2017/03/22/license/

-- 
Matthew Miller
<mat...@fedoraproject.org>
Fedora Project Leader
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
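As an added example, not part of the thread and not Fedora's or libcurl's own tooling: two small POSIX shell checks a maintainer can run to see which TLS backend a given curl build uses and which crypto libraries it actually links, which is what the "fewer crypto libraries in the base image" argument above turns on. The first check reads the first line of `curl --version`, the second filters `ldd` output. The sample lines are constructed for illustration; a single-backend curl build is assumed, and the set of library names matched (NSS, OpenSSL, GnuTLS, LibreSSL) is my choice of the ones relevant here.

```shell
#!/bin/sh
# Added example, not code from the thread or from Fedora/libcurl.
# Identify which TLS/crypto library a curl build pulls in.

# Constructed sample inputs (not captured from any real Fedora build).
SAMPLE_VERSION_NSS='curl 7.53.1 (x86_64-redhat-linux-gnu) libcurl/7.53.1 NSS/3.29.3 zlib/1.2.11 libidn2/0.16 libpsl/0.17.0 (+libidn2/0.16) libssh2/1.8.0 nghttp2/1.21.0'
SAMPLE_VERSION_OPENSSL='curl 7.55.1 (x86_64-redhat-linux-gnu) libcurl/7.55.1 OpenSSL/1.1.0f zlib/1.2.11 libpsl/0.17.0 nghttp2/1.21.0'
SAMPLE_LDD_NSS='	linux-vdso.so.1 (0x00007ffc1a000000)
	libcurl.so.4 => /lib64/libcurl.so.4 (0x00007f3c10000000)
	libnss3.so => /lib64/libnss3.so (0x00007f3c0fc00000)
	libssl3.so => /lib64/libssl3.so (0x00007f3c0f800000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f3c0f400000)'

# Print the TLS backend named on the first line of `curl --version`.
# curl prints the backend as Name/version right after libcurl/x.y.z.
# Assumption: a single-backend build (multi-backend builds are not handled).
tls_backend_from_version_line() {
    case " $1 " in
        *" NSS/"*)      echo NSS ;;
        *" OpenSSL/"*)  echo OpenSSL ;;
        *" GnuTLS/"*)   echo GnuTLS ;;
        *" LibreSSL/"*) echo LibreSSL ;;
        *)              echo unknown; return 1 ;;
    esac
}

# Read `ldd /usr/bin/curl` output on stdin and print the crypto/TLS
# libraries it links, one per line, sorted. libnss3/libssl3/libsmime3/libnspr4
# belong to NSS, libssl/libcrypto to OpenSSL, libgnutls to GnuTLS.
linked_crypto_libs() {
    awk '{ print $1 }' \
      | grep -E '^(libssl|libcrypto|libnss3|libssl3|libsmime3|libnspr4|libgnutls)\.so' \
      | sort -u
}

# Demo on the constructed samples, then on the local curl if one is installed.
printf 'sample NSS build     -> %s\n' "$(tls_backend_from_version_line "$SAMPLE_VERSION_NSS")"
printf 'sample OpenSSL build -> %s\n' "$(tls_backend_from_version_line "$SAMPLE_VERSION_OPENSSL")"
printf 'sample ldd links     -> %s\n' "$(printf '%s\n' "$SAMPLE_LDD_NSS" | linked_crypto_libs | tr '\n' ' ')"
if command -v curl >/dev/null 2>&1; then
    first_line=$(curl --version 2>/dev/null | head -n 1)
    printf 'local curl backend   -> %s\n' "$(tls_backend_from_version_line "$first_line" || true)"
fi
```

In a container image the same two checks can be run against the image's own curl (`ldd` on the binary inside the image, or `rpm -q --whatrequires nss` on an RPM-based image) to confirm that only one TLS implementation is actually present after the switch.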
