On 10/20/21 11:51 AM, enh wrote:
> for the ignorant (like me) --- are these libraries like BearSSL an extra
> abstraction on top of stuff like openssl/boringssl, or are they roughly
> equivalent?

Roughly equivalent. Think openssh vs dropbear.

> (i'm just thinking ahead to what i'd have to do to get toybox wget working
> with boringssl because of FIPS.

... the federal procurement standard? (What are they up to now, anyway? My computer history geek side has a basic familiarity with FIPS 151-2, but I thought it got repealed?)

> which, yes, makes about as much sense as requiring
> current vehicles to demonstrate that their hand-cranks are appropriately
> protected against collisions with horses, but it is what it is, and that's a
> problem to be solved by politicians and lawyers, not us :-( )

wget is used in a lot of scripted resource fetching*, and these days it's near-useless without https. I'm 100% in favor of making this work, but I also want a minimal built-in version which is nontrivial.

(Denys Vlasenko, the busybox maintainer I handed off to many moons ago, wrote his own from scratch over a period of a couple years. Alas he did it as multiple files and didn't do it in a subdirectory so you can't easily pull up the commit log from the web repo, but https://git.busybox.net/busybox/log/networking/tls.c gives you the general idea. To be honest, making puppy eyes at him to use his work under 0BSD and then cleaning it up to be a proper lib/tls.c that toybox and busybox could share would be good. Busybox already has )

I know you won't use the built-in one, but that whole "no external dependencies in the base" thing comes up.** And if I do a built-in readonly git fetcher, that also needs https:// to pull repos...

Rob

* wget and curl are semi-interchangeable, but busybox only ever implemented wget. Curl is more a library for programs to link against, with the command line utility sort of an afterthought.
** Buncha reasons: defeating trusting trust, being a good self-contained educational resource showing all the code needed to do the thing, reproducible builds, avoiding archival versions being hit by version skew between packages or website-went-away syndrome...

_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
