> This PR has been blocked, forcing a vote:
>
> https://github.com/openssl/openssl/pull/6392
>
> Background: we have been sloppy when producing PKCS#12 files, creating
> objects that aren't interoperable. This can only happen with non-UTF8
> input methods, so this PR adds a higher level of control in the
> openssl application, so that it will do the best it can to make sure a
> pass phrase encoded with something other than UTF-8 gets correctly
> re-encoded, and failing that, try and make the user aware that they
> are about to create a non-interoperable object. This triggered the
> use of the iconv API, and in the case of Mac OS/X, the use of the
> separate libiconv library.

I find the reference to Mac OS X a bit misleading, because it suggests that the assessment was made on a limited amount of data points. Basically on how it looks on *contemporary* Linux/Unix platforms and Mac OS X. But the question runs deeper than that and should cover all platforms that we consider supporting. Which covers even ranges of older versions, in the sense that judging on the latest version alone is hardly sufficient. For example, do we know *when* libiconv was introduced to Mac OS X? One can naturally say that we are not obliged to care about *that* old versions, but this is no excuse for not making a more thorough assessment? I mean it's only appropriate if we can answer the question of how old a system has to be for us to say "we don't care". And the same question applies even to other platforms, OpenBSD, FreeBSD, Android, Cygwin, Solaris, AIX, HP-UX, DJGPP, Tru64, IRIX, ...

One can argue that iconv was actually standardized, and in such a case it would be appropriate to make it conditional on _POSIX_VERSION. [Though it doesn't seem to be part of the pull request in question. Why not?] But as far as _POSIX_VERSION goes, we kind of know that some systems by *default* offer a lower version, presumably in order to facilitate backward portability. So that would mean that we would have to explicitly raise the bar in some cases. Which ones? And how high?

This brings us to the following question. Is *this* actually the right moment to introduce that kind of *multi-variable* problem? In other words, the problem kind of has two sides: a) principle, to do or not to do; b) *when* would it be appropriate to start, is a minor release the right moment? Is b) part of the vote?