TLS Libraries

azrdev at azrdev at
Fri Jun 26 06:59:36 EDT 2015


>> I'm not a fan of putting all the security eggs in one basket :)
> In what sense do you mean this? Each individual Pidgin install (unless
> the user is doing something particularly unique and weird) will only use
> one TLS library, right? One's TLS library is largely predetermined, too,
> because almost everyone uses either the Windows binary or a *nix
> package.
> In that case, we'd only have multiple baskets in terms of switching to
> another TLS library in a later version. However, GnuTLS and NSS are both
> big and widely used projects, so any security issue would be fixed long
> before we could execute a mass basket-switch.

As long as both NSS and GnuTLS are supported and available in the Makefiles
and source code, switching the "basket" is a matter of just releasing a
minor version with different compile flags, probably only needing
downstream packagers.
In case something like Heartbleed dictates a library change, this is
much more handy than waiting for the Pidgin core to be migrated.

Just my 2 cents
