[openssl-project] To use or not use the iconv API, and to use or not use other libraries

Salz, Rich rsalz at akamai.com
Thu Jun 7 14:50:57 UTC 2018

I see you already started the votes.  No time for discussion?

I think OpenSSL should be a "fundamental" system library.  Perhaps the apps are different, but it should not require new libraries but could use them if available -- either at run-time or via config/build.

I think iconv in particular is a bad thing to require at this time, in a 1.1.1 release.  It's not clear to me that it meets our API/ABI compatibility guarantee.  I also dislike iconv because of its size, the fact that it is a gross collection of hacks -- not its fault, it's the nature of charsets -- and that it is not universal.  This means that apps that "do the right thing" on some platforms will FAIL to do so on others.

It is very very late in the release process to be adding a new dependency.

Finally, I believe that for this particular issue, we can add an API that enables applications to do the right thing, and we can add flags and warnings to the command-line that make it more clear when a user isn't doing the right thing (such as because they have existing files they need to read).


On 6/7/18, 8:04 AM, "Richard Levitte" <levitte at openssl.org> wrote:

    This PR has been blocked, forcing a vote:

    Background: we have been sloppy when producing PKCS#12 files, creating
    objects that aren't interoperable.  This can only happen with non-UTF8
    input methods, so this PR adds a higher level of control in the
    openssl application, so that it will do the best it can to make sure a
    pass phrase encoded with something other than UTF-8 gets correctly
    re-encoded, and failing that, try and make the user aware that they
    are about to create a non-interoperable object.  This triggered the
    use of the iconv API, and in the case of Mac OS/X, the use of the
    separate libiconv library.

    I'm going to make this into two votes, as both topics have come out
    because of this.

    1. A vote about general use of other libraries, limited to standard
       system libraries, which may be platform dependent (I expect
       libiconv on Mac OS/X to be such a library)
    2. A vote about the use of the iconv API

    Please discuss here, not in the vote threads.

    Richard Levitte         levitte at openssl.org
    OpenSSL Project         http://www.openssl.org/~levitte/
