Build WebDAV neon/serf: differences among the two

Michael Stahl mstahl at redhat.com
Tue Aug 18 13:03:34 PDT 2015


On 18.08.2015 18:03, Giuseppe Castagno wrote:
> Hi Michael,
> 
> On 08/18/2015 03:16 PM, Michael Stahl wrote:
>> On 13.08.2015 17:32, Giuseppe Castagno wrote:
>>> Starting from V. 1.3.0 serf uses scons build system, not configure/make.
>>
>> oh.... well there had to be a catch... i believe we don't have anything
>> with scons currently, so it remains to be seen if and how that will
>> support finding our bundled libraries instead of system libraries,
>> building on Windows with MSVC (and using debug runtimes with
>> --enable-dbgutil), cross-compiling for Android/iOS, etc.
> 
> to be able to compile serf-1.3.8 I rewrote the way it's built: 
> practically writing a make specific for Windows, in Linux I used scons 
> instead.
> 
> To use scons in Windows+cygwin+MSVC proved to be a nightmare.

i was afraid so :(

> In short reworking all this for LO can be a difficult task.
> 
> Michael, in Sept 30th, ESC [1], you asked why not curl instead of serf.
> 
> The reason you asked is because it is in the codebase, and it uses NSS,
> right?
> Other reasons I don't know?

yes ... so basically one of the big problems i see with our (TDF) builds
is that they bundle 2 cryptographic libraries: OpenSSL and NSS.  both of
these have remarkably awful build systems, and a remarkable number of
serious CVEs so need regular updating.

OpenSSL has the additional problem with its very badly designed and
volatile ABI that on Linux you basically have to link it statically to
prevent conflicts with system OpenSSL due to ELF global symbol
namespace, and that adds at least ~1.5 MB to every library that uses it;
currently there are 3 users: neon, python ssl module and postgresql
(everything else uses NSS).

but ideally we should be bundling 0 crypto libraries, because another
problem with these is that they bundle their own database of trusted PKI
CA certificates.  i am of the opinion that we (TDF) don't currently have
the resources or qualification to assess which CAs should or should not
be trusted, and therefore we shouldn't bundle such databases at all - we
should defer to the operating system's CA databases instead, and thereby
also give the user a UI (built into the OS) where they can add or
remove trusted CAs (we don't have such UI for the bundled certificates
so they are effectively hard-coded).

i like curl a lot because it can actually use the OS native crypto
libraries and CA databases on Windows (/DUSE_WINDOWS_SSPI), Darwin
(--with-darwinssl) and Linux (--with-nss/--with-gnutls/--with-openssl);
since LO~4.2 we actually use these options on Windows and MacOSX and it
seems to work.

> Briefly searching in LO I found curl is used in cmis, where it does a 
> similar task as it would be requested in WebDAV.

yes and i believe ftp UCP and the online update also use curl.
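
An added example, not part of the original message or of LibreOffice's build scripts: a check over the first line of `curl --version` that reports whether a Windows or macOS build ended up with the OS-native TLS backend that the configure options mentioned above select. The sample lines are constructed, and the function names and result labels are assumptions of this example.

```python
import re

# Backend token -> platform it is native to, as printed on the first line
# of `curl --version`. "Schannel" is the newer name for the WinSSL backend.
NATIVE = {"winssl": "windows", "schannel": "windows", "securetransport": "darwin"}
LIBRARY = {"openssl", "nss", "gnutls"}

def parse_version_line(line):
    """Return (platform, [tls backends]) from the first line of `curl --version`."""
    m = re.match(r"curl \S+ \(([^)]*)\) libcurl/\S+(.*)", line.strip())
    if not m:
        raise ValueError("not a curl version line: %r" % line)
    triple = m.group(1).lower()
    # Check darwin first: the string "darwin" also contains "win".
    if "darwin" in triple:
        platform = "darwin"
    elif "win" in triple or "mingw" in triple:
        platform = "windows"
    else:
        platform = "other"
    names = [tok.split("/", 1)[0].lower() for tok in m.group(2).split()]
    return platform, [n for n in names if n in NATIVE or n in LIBRARY]

def audit(line):
    """Classify a build (result labels are this example's own)."""
    platform, backends = parse_version_line(line)
    if not backends:
        return "no TLS backend"
    if platform in ("windows", "darwin"):
        ok = all(NATIVE.get(b) == platform for b in backends)
        # Assumption: a non-native backend on these platforms is shipped with the app.
        return "OS-native TLS" if ok else "bundled crypto library"
    # Elsewhere the backend is a library; whether it is the system copy
    # (and the system CA store) depends on linkage, not on this line.
    return "library backend, check linkage"

# Constructed sample lines, not captured from real builds.
SAMPLES = [
    "curl 7.43.0 (i386-pc-win32) libcurl/7.43.0 WinSSL zlib/1.2.8",
    "curl 7.43.0 (x86_64-apple-darwin14.0) libcurl/7.43.0 SecureTransport zlib/1.2.5",
    "curl 7.43.0 (x86_64-pc-linux-gnu) libcurl/7.43.0 NSS/3.19.2 zlib/1.2.8",
    "curl 7.43.0 (i386-pc-win32) libcurl/7.43.0 OpenSSL/1.0.2d zlib/1.2.8",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample), "<-", sample)
```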




