Linux Foundation releases LSB 4.0 beta [LWN.net]

The Linux Foundation has announced the release of version 4.0 beta of the Linux Standards Base (LSB). "This new version of LSB promises to accomplish these goals in a more powerful way. "We have a new set of LSB tools to make it much easier for ISVs to development applications that are LSB compliant, and to test to see how portable their applications are via the Linux Application Checker," Ted T'so, Chief Platform Strategist and Fellow with the Linux Foundation, explained."

Linux Foundation releases LSB 4.0 beta

Posted Oct 15, 2008 5:12 UTC (Wed) by jengelh (subscriber, #33263) [Link] (7 responses)

Though popular, the OpenSSL library has one big concern that poses a problem for standardization: as it has been developed over time, OpenSSL has not maintained full backwards compatibility with its earlier versions.

Dear OpenSSL, you can be proud of that. Sometimes it's just better in the long run to throw out old cruft code. Look where Windows stands and where Linux stand as a result of their chosen compat-ness path.

Linux Foundation releases LSB 4.0 beta

Posted Oct 15, 2008 5:57 UTC (Wed) by drag (guest, #31333) [Link] (4 responses)

What?

You mean that Linux is the standard OS sold on the majority of servers and 95+% of all desktop machines.. and Windows is the OS that has 4x the return rate on low-end netbooks?

Hrmm...

(seriously though, my comment is mostly tongue-n-cheek (I really do prefer Linux) so don't get me wrong.)

NSS is a better choice though. It's already been through Redhat's attempts at standardizing around it, and if anybody should know what would be preferable then it's Redhat.

Plus NSS has the nice nature of isolating the application developer using it from all the cryptography going on. This makes it easier for application developers (most who are not going to be security experts) from goofing up the protocols, and it has the side effect of making it much easier to certify software using NSS for use in the government or with businesses that have to do business with the government. (which, like it or not, is a significant business market for people who would prefer Linux and open source solutions)

BTW. NSS is certified FIPS 140-2 level 2, which is the highest you can get from software-only crypto products. OpenSSL is only at level 1. :)

This doesn't mean anything for normal folk who would want to use crypto, but it's a nice feature to have. Especially for people like Redhat or Novell.

Plus NSS has had a much better security record then OpenSSL and it's licensing makes it much easier for distributions to deal with. (GPL/LGPL/Mozilla triple licensed vs project-specific OpenSSL license)

..........

As far as how fun each system is to work with, I haven't the foggiest.

Linux Foundation releases LSB 4.0 beta

Posted Oct 15, 2008 6:09 UTC (Wed) by jengelh (subscriber, #33263) [Link] (2 responses)

But it seems that developers like OpenSSL more. From a server system:

$ rpm -e libopenssl0_9_8 2>&1 | wc -l
149
$ rpm -e mozilla-nspr 2>&1 | wc -l
6

Linux Foundation releases LSB 4.0 beta

Posted Oct 15, 2008 6:36 UTC (Wed) by jamesh (guest, #1159) [Link]

Note that NSS (Netscape Security Services) is not the same as NSPR (Netscape Portable Runtime). There may be more packages using nspr than nss.

The other one to keep in mind is GNU TLS, which is used by a bunch of software.

Linux Foundation releases LSB 4.0 beta

Posted Oct 15, 2008 7:00 UTC (Wed) by njs (subscriber, #40338) [Link]

Also, that may change:
http://fedoraproject.org/wiki/FedoraCryptoConsolidation

The reasoning behind this is a good read too:
http://fedoraproject.org/wiki/CryptoConsolidationEval

(While I respect the OpenSSL devs a lot, I'll be happy if we see the #$@ing advertising clause finally die. OpenSSL's entrenchment is the last important source of that obnoxiousness, and switching off OpenSSL is ultimately the only way it will every go away.)

Linux Foundation releases LSB 4.0 beta

Posted Oct 15, 2008 7:14 UTC (Wed) by TRS-80 (guest, #1804) [Link]

From an admin point-of-view, OpenSSL is much easier since you can use raw .pem certificates on the filesystem, whereas in NSS everything is a PKCS#11 store, so you have to load your certificates into a database. RedHat has a patch (as part of their make everything use NSS project) that lets you use plain .pem files, but upstream doesn't like it. Adding a CA to the entire system is also much easier under OpenSSL, just put it in /etc/ssl/certs, whereas you have to recompile part of NSS.

From a developer point-of-view, OpenSSL allows multiple independent contexts, while NSS does not (there's some stubs, but they're not implemented, and not part of the public API anyway). NSS is hard to use in libraries, as a process can only call NSS_Init() once, so if two libraries that use SSL are linked into the same app you have a coordination problem.

Neither supports SRP, but the NSS devs won't care until Firefox wants it. So in short, NSS is technically inferior and needs new leadership if it's going to step up to the role of SSL/TLS library for all of Linux.

Linux Foundation releases LSB 4.0 beta

Posted Oct 15, 2008 7:11 UTC (Wed) by NAR (subscriber, #1313) [Link]

Yes, I can get a driver for the seven year old XP that supports the webcam I bought two weeks ago. On the other hand even the current Ubuntu does not support my video card I bought last year (not to mention the webcam).

Linux Foundation releases LSB 4.0 beta

Posted Oct 15, 2008 20:15 UTC (Wed) by nix (subscriber, #2304) [Link]

Yeah, 'cos glibc's backward compatibility has just ruined it.

(*waves sarcasm flag*, in case it wasn't obvious)