[openssl-project] To use or not use the iconv API, and to use or not use other libraries

Andy Polyakov appro at openssl.org
Thu Jun 7 14:58:20 UTC 2018


> This PR has been blocked, forcing a vote:
> 
>     https://github.com/openssl/openssl/pull/6392
> 
> Background: we have been sloppy when producing PKCS#12 files, creating
> objects that aren't interoperable.  This can only happen with non-UTF8
> input methods, so this PR adds a higher level of control in the
> openssl application, so that it will do the best it can to make sure a
> pass phrase encoded with something other than UTF-8 gets correctly
> re-encoded, and failing that, try and make the user aware that they
> are about to create a non-interoperable object.  This triggered the
> use of the iconv API, and in the case of Mac OS/X, the use of the
> separate libiconv library.

I find the reference to Mac OS X a bit misleading, because it suggests
that the assessment was made on a limited amount of data points. Basically
on how it looks on *contemporary* Linux/Unix platforms and Mac OS X.
But the question runs deeper than that and should cover all platforms that
we consider supporting. Which covers even ranges of older versions, in
the sense that judging on the latest version alone is hardly sufficient. For
example, do we know *when* libiconv was introduced to Mac OS X? One can
naturally say that we are not obliged to care about versions *that* old,
but this is no excuse for not making a more thorough assessment? I mean it's
only appropriate if we can answer the question of how old a system has
to be for us to say "we don't care". And the same question applies even to
other platforms, OpenBSD, FreeBSD, Android, Cygwin, Solaris, AIX, HP-UX,
DJGPP, Tru64, IRIX, ... One can argue that iconv was actually
standardized, and in such a case it would be appropriate to make it
conditional on _POSIX_VERSION. [Though it doesn't seem to be part of the
pull request in question. Why not?] But as far as _POSIX_VERSION goes,
we kind of know that some systems by *default* offer a lower version,
presumably in order to facilitate backward portability. So that would
mean that we would have to explicitly raise the bar in some cases. Which
ones? And how high? This brings us to the following question. Is *this*
actually the right moment to introduce that kind of *multi-variable*
problem? In other words, the problem kind of has two sides: a) principal,
to do or not to do; b) *when* would it be appropriate to start, is a minor
release the right moment? Is b) part of the vote?
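
The `_POSIX_VERSION` condition discussed in the message above, sketched as an added example; it is not code from the pull request or from OpenSSL. `HAVE_POSIX_ICONV` and `pass_to_utf8` are hypothetical names, and the `200112L` threshold and the explicit `_POSIX_C_SOURCE` request are assumptions of this sketch, since the thread names no value.

```c
/* Added example, not OpenSSL code. HAVE_POSIX_ICONV and pass_to_utf8 are
 * hypothetical names; the 200112L threshold is an assumption. */
#ifndef _POSIX_C_SOURCE
# define _POSIX_C_SOURCE 200112L  /* some systems default lower: ask explicitly */
#endif
#include <string.h>
#include <unistd.h>               /* defines _POSIX_VERSION */
#if defined(_POSIX_VERSION) && _POSIX_VERSION >= 200112L
# include <iconv.h>
# define HAVE_POSIX_ICONV 1
#endif

/* Re-encode a NUL-terminated pass phrase from `charset` to UTF-8.
 * Returns 1 if converted by iconv, 0 if passed through as 7-bit ASCII,
 * -1 if the result would not be reliable UTF-8 (caller must warn the user). */
int pass_to_utf8(const char *charset, const char *in, char *out, size_t outsz)
{
    size_t inl = strlen(in);
    if (outsz == 0)
        return -1;
#ifdef HAVE_POSIX_ICONV
    iconv_t cd = iconv_open("UTF-8", charset);
    if (cd == (iconv_t)-1)
        return -1;                       /* charset unknown on this platform */
    char *ip = (char *)in, *op = out;    /* iconv() takes non-const char ** */
    size_t left = inl, room = outsz - 1; /* keep one byte for the NUL */
    size_t lossy = iconv(cd, &ip, &left, &op, &room);
    iconv_close(cd);
    /* Reject errors (EILSEQ, EINVAL, E2BIG) and any non-reversible mapping:
     * a pass phrase must never be silently altered. */
    if (lossy != 0 || left != 0)
        return -1;
    *op = '\0';
    return 1;
#else
    (void)charset;
    /* No iconv: only 7-bit ASCII is safe to pass through, assuming an
     * ASCII-compatible charset. */
    for (size_t i = 0; i < inl; i++)
        if ((unsigned char)in[i] >= 0x80)
            return -1;
    if (inl >= outsz)
        return -1;
    memcpy(out, in, inl + 1);
    return 0;
#endif
}
```

On platforms where iconv lives in a separate libiconv, as the quoted text says of Mac OS X, the same source additionally needs that library at link time.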

