I can be quite difficult to read for what concerns alternative approaches to the same problem; while I find software diversity to be an integral part of the Free Software ideal and very helpful to find the best approach to various situations, I also am not keen on maintaining the same code many time because of that, and I’d rather have projects to share the same code to do the same task. This is why I think using FFmpeg for almost all the multimedia projects in the Free Software world is a perfectly good thing.
Yesterday, while trying to debug (with the irreplaceable help of Jürgen) a problem I was having with Gwibber (which turned out to be an out-of-date ca-certificates
tree), I noted one strange thing with pycurl, related to this fact, that proves my point to a point.
CURL can make use of SSL/TLS encryption using one out of three possible libraries: OpenSSL, GnuTLS and Mozilla NSS. The first option is usually avoided by binary distributions because it is incompatible with some licensing terms; the third option is required for instance by the Thunderbird binary package in Gentoo as it is. By default Gentoo uses OpenSSL, that you like it or not.
When CURL is built against OpenSSL (USE="ssl -gnutls -nss"
), PyCURL linked to libcrypto; given that my system is built with forced --as-needed
, it also means it uses it. I found it quite strange so I went to look at it; if you rebuild CURL (and then PyCURL) with GnuTLS (USE="ssl gnutls -nss"
) you’ll see that it only links to libgnutls, but if you look closer, it’s using at least one libgcrypt symbol. Finally if you build it with Mozilla NSS (USE="ssl -gnutls nss"
) then it will warn that it didn’t detect the SSL library used.
The problem here is that CURL seems not to provide a total abstraction of the SSL implementation it uses, and for proper threading support, PyCURL needs to run special code for the crypto-support library (libcrypto for OpenSSL; libgcrypt for GnuTLS). I’m sincerely not sure how big the problem would be when you mix and match the CURL and PyCURL implementations, I also have no idea what would happen if you were to use CURL with NSS and PyCURL with that (which will not provide locking for crypto at all). What I can tell you, is that if you change the SSL provider in CURL, you’d better rebuild PyCURL, to be on the safe side. And there is currently no way to let Portage do that automatically for you.
And if you are using CURL with NSS and you see Portage asking you to disable it in favour of GnuTLS or OpenSSL, you’ll know why: PyCURL is likely to be your answer. At least once the bug will be addressed.
I do not totally agree with the title of your post.There is an inconveniency when some global use flag sometimes mean an alternative to achieve something and some other times the only way to achieve it.In the curl example you give, gnutls means a true alternative “Prefer gnutls over nss and openssl…” when the meaning for ssl is “enable crypto engine support via openssl…”If we look at claws-mail and several others, gnutls means the only solution for ssl support… while… the ssl flag has nothing to do with some openssl alternative as… it’s meaning is… “use gnutls for ssl…”Well OK… this one is deprecated.It is not the alternatives that are not good per se. What is not good per se is to get symbols that sometimes mean an alternative, sometimes not !With gnutls and ssl as global use flags, we could expect the ability to define a system-wide global policy which is at the end of the day impossible all this ends fiddling package.useBTW : Thank you and congratulations Diego for the content of your blog !