On Mon, October 7, 2013 11:07 am, Robert Relyea wrote:
>  On 10/04/2013 06:52 PM, Ludovic Hirlimann wrote:
> > Hi,
> >
> > AFAIK NSS still contains code for SSL2, but no product uses it. SSL2
> > has been turned off at least 2 years ago. By removing SSL2 code we get:
> >
> >     Smaller library
> >     faster compile time + test time
> >
> > What do you guys think?
> >
> > Ludo
>  That's something we would like to do, but we do have downstreams that
>  can't remove it yet.
>  We could make it a compile option so it can be compiled out (which will
>  get most of the benefits most of the time).
>
>  bob
>
>  --
>  dev-tech-crypto mailing list
>  dev-tech-crypto@lists.mozilla.org
>  https://lists.mozilla.org/listinfo/dev-tech-crypto

Adding compile-time flags (and the accompanying #define soup) can almost
end up worse - it prevents graceful cleanup/refactoring work that would
also come with dead code removal.

Bob, could you provide more information about these downstreams using it?
1) Are they staying up to date with NSS? e.g.: If they're stuck on NSS
3.12.x, what should it matter about removing it in 3.16?
2) If so, is the reason for doing so security patches/updates?
3) If so, why would they have SSL 2.0 enabled and yet still be following
security updates? They're at odds with each other.

I'd like to see us be able to come up with clear exit criteria for
removing this feature. I can appreciate "It's being used", but can you
provide more details about why and how, so that we can have a more
productive discussion about what it would mean and take to remove this
code?

Cheers,
Ryan
