[Webkit-unassigned] [Bug 216201] [GTK]: RFE: remove using libgcrypt

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Sep 21 08:55:32 PDT 2020


https://bugs.webkit.org/show_bug.cgi?id=216201

Michael Catanzaro <mcatanzaro at gnome.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcatanzaro at gnome.org

--- Comment #7 from Michael Catanzaro <mcatanzaro at gnome.org> ---
I actually agree with Tomasz. Linux has too many crypto libraries in the base platform, and maintaining them all requires significant effort and expense, so there is interest in removing use of libgcrypt wherever possible.

(In reply to Carlos Garcia Campos from comment #2)
> What's wrong with libgcrypt? or what's the benefit of using openssl instead?

OK I know this is going to be really vague, as I don't know much about libgcrypt, but: "problematic architecture and maintainability." I have heard many less-kind things said about libgcrypt. Notably, its strange initialization routines cause it to be unsafe to use from libraries, so for that reason alone it's dramatically less useful than other system crypto libraries. (That's not directly a problem for WebKit, because we only use it in the web process executable, not the library component of WebKit.)

As far as GNOME is concerned, we only have to deal with WebKitGTK and libsecret. (I don't know what the goal is for other stuff like gnupg.) Anyway, at first I was concerned about this because we need Zan's libgcrypt backend for WebCrypto, but then I discovered that Sony has already developed an alternative OpenSSL backend for WebCrypto that we could use instead. I was planning to propose switching WebKitGTK 2.32 to use the OpenSSL backend by default if OpenSSL 3 is detected, while falling back to libgcrypt for older versions of OpenSSL.

(We're planning to ship OpenSSL 3 in Fedora 34. This OpenSSL license change is a really big deal. Previously, we could not safely link WebKit directly to OpenSSL, but now with this license change, I wouldn't be surprised if OpenSSL begins slowly replacing other crypto libraries over the next decade.)
