Re: [Nbd] [PATCH/RFC 0/3] Introduce TLS on nbdserver

To: Alex Bligh <alex@...872...>
Cc: "nbd-general@lists.sourceforge.net" <nbd-general@lists.sourceforge.net>
Subject: Re: [Nbd] [PATCH/RFC 0/3] Introduce TLS on nbdserver
From: Wouter Verhelst <w@...112...>
Date: Mon, 11 Apr 2016 21:08:23 +0200
Message-id: <20160411190823.GB4281@...3...>
In-reply-to: <50922E69-B533-4261-B6C1-1BE591158C59@...872...>
References: <1460314748-64921-1-git-send-email-alex@...872...> <20160411060707.GD28660@...3...> <50922E69-B533-4261-B6C1-1BE591158C59@...872...>

On Mon, Apr 11, 2016 at 06:21:39PM +0100, Alex Bligh wrote:
> Wouter,
> 
> I had a bit more of a think about this.
> 
> On 11 Apr 2016, at 07:07, Wouter Verhelst <w@...112...> wrote:
> 
> > I'm going to reply to this series in more detail later (have to go to
> > work soon), but some quick notes for now:
> > 
> > - I'm not sure I like the idea of having a proxy to do TLS *at the
> >  server side*, although I do agree that there's an upside of "more
> >  shared code with client". To be discussed (and I have some more
> >  thoughts on this that I don't currently have the time to write down).
> 
> Doing it without a proxy server side is actually going to be a
> pretty extensive change. It's not only wrapping read() etc., but
> being aware of the different semantics of the TLS library.
> GnuTLS is (fortunately) far less difficult than openssl here,
> but this is a large task. It could be done, but isn't for the
> faint hearted. The advantage of the (very symmetrical) proxy
> is we only have one bit of code to debug.

See my background in other mail (which I wrote during lunch, but
apparently got stuck on my laptop until just now)

[...]
> > and should probably use
> >  PKG_CHECK_MODULES rather than AC_CHECK_LIB.
> 
> Not sure that's a great idea. This introduces a dependency
> on pkg-config which (as far as I can tell) doesn't currently
> exist. I'm not sure what pkg-config would buy us here, and

Mostly that it's easier on the user:
- Does better dependency tracking than just testing if the library
  exists and/or can be compiled against
- Produces error messages when things fail that are easier to parse than
  the default AC_CHECK_LIB stuff, and which includes instructions of
  things to try when the library can't be found.
- Is easy to compile and link against a library that is installed in a
  nonstandard location (no "./configure
  --with-lib-X=/opt/weirdpath/lib/libfoo.so
  --with-lib-Y=/opt/weirdpath/lib/libbar.so" etc, you just say
  "PKG_CONFIG_PATH=/opt/weirdpath/lib/pkgconfig ./configure" and you're
  done)

In addition to all of the above, it also buys us compile-time version
checking with easy to understand syntax.

I should migrate the glib usage to PKG_CHECK_MODULE too, just haven't
gotten around to it.

[...]

-- 
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
       people in the world who think they really understand all of its rules,
       and pretty much all of them are just lying to themselves too.
 -- #debian-devel, OFTC, 2016-02-12

Reply to:

References:
- [Nbd] [PATCH/RFC 0/3] Introduce TLS on nbdserver
  - From: Alex Bligh <alex@...872...>
- Re: [Nbd] [PATCH/RFC 0/3] Introduce TLS on nbdserver
  - From: Wouter Verhelst <w@...112...>
- Re: [Nbd] [PATCH/RFC 0/3] Introduce TLS on nbdserver
  - From: Alex Bligh <alex@...872...>

Prev by Date: Re: [Nbd] [PATCH] Make include of "config.h" not use system include path
Next by Date: Re: [Nbd] [PATCHv5] docs/proto.md: Clarify SHOULD / MUST / MAY etc
Previous by thread: Re: [Nbd] [PATCH/RFC 0/3] Introduce TLS on nbdserver
Next by thread: [Nbd] [PATCH] Make nbd-tester-client use FIXED_NEWSTYLE negotiation
Index(es):
- Date
- Thread