Re: Support for NSS as a libpq TLS backend - Mailing list pgsql-hackers

Greetings,

* Daniel Gustafsson (daniel@yesql.se) wrote:
> > On 31 Jan 2022, at 22:48, Daniel Gustafsson <daniel@yesql.se> wrote:
> >> On 31 Jan 2022, at 17:24, Stephen Frost <sfrost@snowman.net> wrote:
>
> >> I agree that it's concerning to hear that OpenLDAP dropped support for
> >> NSS... though I don't seem to be able to find any information as to why
> >> they decided to do so.
> >
> > I was also unable to do that.  There is no information that I could see in
> > either the commit message, Bugzilla entry (#9207) or on the mailinglist.
> > Searching the web didn't yield anything either.  I've reached out to hopefully
> > get a bit more information.
>
> Support issues and Red Hat dropping OpenLDAP was cited [0] as the main drivers
> for dropping NSS.

That's both very vaugue and oddly specific, I have to say.  Also, not
really sure that it's a good reason for other projects to move away, or
for the large amount of work put into this effort to be thrown out when
it seems to be quite close to finally being done and giving us an
alternative, supported and maintained, TLS/SSL library.

The concern about the documentation not being easily available is
certainly something to consider.  I remember in prior reviews not having
that much difficulty looking up documentation for functions, and in
doing some quick looking around there's certainly some (most?) of the
NSS documentation still up, the issue is that the NSPR documentation was
taken off of the MDN website and that's referenced from the NSS pages
and is obviously something that folks working with NSS need to be able
to find the documentation for too.

All that said, while have documentation on the web is nice and all, it
seems to still be in the source, at least when I grabbed NSPR locally
with apt-get source and looked at PR_Recv, I found:

/*
 *************************************************************************
 * FUNCTION: PR_Recv
 * DESCRIPTION:
 *    Receive a specified number of bytes from a connected socket.
 *     The operation will block until some positive number of bytes are
 *     transferred, a time out has occurred, or there is an error.
 *     No more than 'amount' bytes will be transferred.
 * INPUTS:
 *     PRFileDesc *fd
 *       points to a PRFileDesc object representing a socket.
 *     void *buf
 *       pointer to a buffer to hold the data received.
 *     PRInt32 amount
 *       the size of 'buf' (in bytes)
 *     PRIntn flags
 *       must be zero or PR_MSG_PEEK.
 *     PRIntervalTime timeout
 *       Time limit for completion of the receive operation.
 * OUTPUTS:
 *     None
 * RETURN: PRInt32
 *         a positive number indicates the number of bytes actually received.
 *         0 means the network connection is closed.
 *         -1 indicates a failure. The reason for the failure is obtained
 *         by calling PR_GetError().
 **************************************************************************
 */

So, it's not the case that the documentation is completely gone and
utterly unavailable to those who are interested in it, it's just in the
source rather than being on a nicely formatted webpage.  One can find it
on the web too, naturally:

https://github.com/thespooler/nspr/blob/29ba433ebceda269d2b0885176b7f8cd4c5c2c52/pr/include/prio.h#L1424

(no idea what version that is, just found a random github repo with it,
but wouldn't be hard to import the latest version).

Considering how much we point people to our source when they're writing
extensions and such, this doesn't strike me as quite the dire situation
that it first appeared to be based on the initial comments.  There is
documentation, it's not actually that hard to find if you're working
with the library, and the maintainers have stated their intention to
work on improving the web-based documentation.

Thanks,

Stephen