Re: [Nbd] [PATCH/RFC 0/3] Introduce TLS on nbdserver
- To: Alex Bligh <alex@...872...>
- Cc: "nbd-general@lists.sourceforge.net" <nbd-general@lists.sourceforge.net>
- Subject: Re: [Nbd] [PATCH/RFC 0/3] Introduce TLS on nbdserver
- From: Wouter Verhelst <w@...112...>
- Date: Mon, 11 Apr 2016 21:08:23 +0200
- Message-id: <20160411190823.GB4281@...3...>
- In-reply-to: <50922E69-B533-4261-B6C1-1BE591158C59@...872...>
- References: <1460314748-64921-1-git-send-email-alex@...872...> <20160411060707.GD28660@...3...> <50922E69-B533-4261-B6C1-1BE591158C59@...872...>
On Mon, Apr 11, 2016 at 06:21:39PM +0100, Alex Bligh wrote:
> Wouter,
>
> I had a bit more of a think about this.
>
> On 11 Apr 2016, at 07:07, Wouter Verhelst <w@...112...> wrote:
>
> > I'm going to reply to this series in more detail later (have to go to
> > work soon), but some quick notes for now:
> >
> > - I'm not sure I like the idea of having a proxy to do TLS *at the
> > server side*, although I do agree that there's an upside of "more
> > shared code with client". To be discussed (and I have some more
> > thoughts on this that I don't currently have the time to write down).
>
> Doing it without a proxy server side is actually going to be a
> pretty extensive change. It's not only wrapping read() etc., but
> being aware of the different semantics of the TLS library.
> GnuTLS is (fortunately) far less difficult than openssl here,
> but this is a large task. It could be done, but isn't for the
> faint hearted. The advantage of the (very symmetrical) proxy
> is we only have one bit of code to debug.
See my background in other mail (which I wrote during lunch, but
apparently got stuck on my laptop until just now)
[...]
> > and should probably use
> > PKG_CHECK_MODULES rather than AC_CHECK_LIB.
>
> Not sure that's a great idea. This introduces a dependency
> on pkg-config which (as far as I can tell) doesn't currently
> exist. I'm not sure what pkg-config would buy us here, and
Mostly that it's easier on the user:
- Does better dependency tracking than just testing if the library
exists and/or can be compiled against
- Produces error messages when things fail that are easier to parse than
the default AC_CHECK_LIB stuff, and which includes instructions of
things to try when the library can't be found.
- Is easy to compile and link against a library that is installed in a
nonstandard location (no "./configure
--with-lib-X=/opt/weirdpath/lib/libfoo.so
--with-lib-Y=/opt/weirdpath/lib/libbar.so" etc, you just say
"PKG_CONFIG_PATH=/opt/weirdpath/lib/pkgconfig ./configure" and you're
done)
In addition to all of the above, it also buys us compile-time version
checking with easy to understand syntax.
I should migrate the glib usage to PKG_CHECK_MODULE too, just haven't
gotten around to it.
[...]
--
< ron> I mean, the main *practical* problem with C++, is there's like a dozen
people in the world who think they really understand all of its rules,
and pretty much all of them are just lying to themselves too.
-- #debian-devel, OFTC, 2016-02-12
Reply to: