

On 18.08.2015 18:03, Giuseppe Castagno wrote:
> Hi Michael,
>
> On 08/18/2015 03:16 PM, Michael Stahl wrote:
>> On 13.08.2015 17:32, Giuseppe Castagno wrote:
>>> Starting from V. 1.3.0 serf uses scons build system, not configure/make.
>>
>> oh.... well there had to be a catch... i believe we don't have anything
>> with scons currently, so it remains to be seen if and how that will
>> support finding our bundled libraries instead of system libraries,
>> building on Windows with MSVC (and using debug runtimes with
>> --enable-dbgutil), cross-compiling for Android/iOS, etc.

> to be able to compile serf-1.3.8 I rewrote the way it's built:
> practically writing a make specific for Windows, in Linux I used scons
> instead.
>
> To use scons in Windows+cygwin+MSVC proved to be a nightmare.

i was afraid so :(

> In short reworking all this for LO can be a difficult task.
>
> Michael, in Sept 30th, ESC [1], you asked why not curl instead of serf.
>
> The reason you asked is because it is in the codebase, and it uses NSS,
> right?
> Other reasons I don't know?

yes ... so basically one of the big problems i see with our (TDF) builds
is that they bundle 2 cryptographic libraries: OpenSSL and NSS.  both of
these have remarkably awful build systems, and a remarkable number of
serious CVEs, so need regular updating.

OpenSSL has the additional problem with its very badly designed and
volatile ABI that on Linux you basically have to link it statically to
prevent conflicts with system OpenSSL due to ELF global symbol
namespace, and that adds at least ~1.5 MB to every library that uses it;
currently there are 3 users: neon, python ssl module and postgresql
(everything else uses NSS).

but ideally we should be bundling 0 crypto libraries, because another
problem with these is that they bundle their own database of trusted PKI
CA certificates.  i am of the opinion that we (TDF) don't currently have
the resources or qualification to assess which CAs should or should not
be trusted, and therefore we shouldn't bundle such databases at all - we
should defer to the operating system's CA databases instead, and thereby
also give the user a UI (built into the OS) where they can add or
remove trusted CAs (we don't have such a UI for the bundled certificates
so they are effectively hard-coded).

i like curl a lot because it can actually use the OS native crypto
libraries and CA databases on Windows (/DUSE_WINDOWS_SSPI), Darwin
(--with-darwinssl) and Linux (--with-nss/--with-gnutls/--with-openssl);
since LO~4.2 we actually use these options on Windows and MacOSX and it
seems to work.

> Briefly searching in LO I found curl is used in cmis, where it does a
> task similar to what would be requested in WebDAV.

yes and i believe ftp UCP and the online update also use curl.
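
Added example, not part of the original message or of the LibreOffice build: a small inventory script for the problem described above, where statically linked OpenSSL copies and bundled NSS libraries must each be found and rebuilt when a CVE lands. It assumes Linux-style library names and that a static OpenSSL leaves its version banner in the binary; the file names in demo() are constructed.

```python
import re
import sys
import tempfile
from pathlib import Path

# Version banner compiled into libcrypto, e.g. "OpenSSL 1.0.2d 9 Jul 2015".
VERSION_RE = re.compile(
    rb"OpenSSL (\d+\.\d+\.\d+[a-z]*(?:-[a-z]+)?)\s+\d{1,2} [A-Z][a-z]{2} \d{4}")
# File names that indicate a bundled shared crypto library or NSS root-CA module.
BUNDLED_NAMES = re.compile(r"^(libssl|libcrypto|libnss3|libnssckbi)\b", re.I)


def scan_tree(root):
    """Return {relative path: sorted findings} for every file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.is_symlink():
            continue
        found = set()
        if BUNDLED_NAMES.match(path.name):
            found.add("bundled:" + path.name)
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the inventory
        for m in VERSION_RE.finditer(data):
            found.add("openssl:" + m.group(1).decode("ascii"))
        if found:
            findings[path.relative_to(root).as_posix()] = sorted(found)
    return findings


def demo():
    """Scan a constructed install tree (sample data, not real product files)."""
    with tempfile.TemporaryDirectory() as tmp:
        prog = Path(tmp) / "program"
        prog.mkdir()
        blob = b"\x7fELF" + b"\x00" * 64 + b"OpenSSL 1.0.2d 9 Jul 2015\x00"
        (prog / "libneon_example.so").write_bytes(blob)      # static OpenSSL inside
        (prog / "libnss3.so").write_bytes(b"\x7fELF\x00NSS")  # bundled NSS, by name
        (prog / "libwriter_example.so").write_bytes(b"\x7fELF\x00plain")
        return scan_tree(tmp)


if __name__ == "__main__":
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for name, hits in result.items():
        print(name, ", ".join(hits))
```

Run it with an installation directory as the only argument; each distinct "openssl:" version listed is a separate copy that needs its own update.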



