[Fusioninventory-devel] Fwd: LWP and certificate checking
Guillaume Rousse
guillomovitch at gmail.com
Wed Aug 17 08:47:43 UTC 2011
On 10/08/2011 23:56, Gonéri Le Bouder wrote:
> 2011/6/28 Gonéri Le Bouder<goneri at rulezlan.org>:
>> 2011/6/28 Guillaume Rousse<guillomovitch at gmail.com>
>>> On 28/06/2011 11:57, Gonéri Le Bouder wrote:
>>>> 2011/6/28 Guillaume Rousse<guillomovitch at gmail.com
>
>> This means we need to rebuild the perl tree on the =~ 60 arch we already
>> have.
>> This will be long, say 1 year. That's the reason why I prefer a soft
>> transition.
> The attached patch restores Net::SSL. The big difference is IO::Socket::SSL checks
> hostname directly within OpenSSL whereas Net::SSL doesn't. We have to do this
> ourselves which is error-prone.
This patch brings back a lot of code (and the manual parsing of URL is
particularly ugly) for a technically inferior solution to a very specific
optional feature (certificate validation is optional). I'm not convinced
either that installing Crypt-SSLeay is easier than installing Net-SSLeay
for the final user. And I'm suspecting potential additional support
difficulties when investigating problems, when asking clueless users
which alternative they are using exactly.
As far as I understand it, the only interest of this alternative is an
easier transition for self-contained binaries distributions. Which is
not sufficient enough for me to balance code impact here.
> An interesting point with this patch is OpenSSL stuff is loaded only
> when needed. This is more than 10MB memory saved here on my system.
Delaying loading of SSL stuff until an SSL connection is really needed
may save memory, indeed, but that's a different issue.
> Guillaume, if you have no objection, I will apply it and then backport
> it in 2.1.x branch.
I do object to it for the 2.2.x branch, whereas I have fewer objections for the
2.1.x branch. However, as build environments will need to be updated
anyway for 2.2.x, that's just delaying the problem.
--
BOFH excuse #150:
Arcserve crashed the server again.
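
The thread above describes doing the hostname check by hand as error-prone. As an added example (not code from the attached patch or from FusionInventory), the Perl below compares a naive hand-written match with a stricter one that follows the common RFC 6125 rules. The function names and the certificate names in the sample cases are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Naive check of the kind hand-written validation tends to start with:
# turn '*' into '.*' and compare against one certificate name only.
sub naive_match {
    my ($host, $cn) = @_;
    (my $re = quotemeta $cn) =~ s/\\\*/.*/g;
    return $host =~ /$re/ ? 1 : 0;    # unanchored, case-sensitive, '*' spans dots
}

# Stricter check following the usual RFC 6125 rules.
sub strict_match {
    my ($host, $san_dns, $cn) = @_;
    $host = lc $host;
    $host =~ s/\.$//;                 # drop the trailing dot of a FQDN
    # IP literals never match DNS names.
    return 0 if $host =~ /^\d+(?:\.\d+){3}$/ || $host =~ /:/;
    # subjectAltName dNSName entries take precedence; CN is a fallback only.
    my @names = @$san_dns ? @$san_dns : (defined $cn ? ($cn) : ());
    for my $name (@names) {
        my $n = lc $name;
        return 1 if $n eq $host;
        # A wildcard is accepted only as the complete left-most label,
        # and it stands for exactly one label.
        next unless $n =~ /^\*\.(.+)$/;
        my $suffix = $1;
        next unless $suffix =~ /\./;  # reject '*.org'-style names
        return 1 if $host =~ /^[^.]+\.\Q$suffix\E$/;
    }
    return 0;
}

# Constructed sample cases: [host, SAN dNSNames, CN]
my @cases = (
    ['ocs.example.org',           ['ocs.example.org'], 'ocs.example.org'],
    ['a.b.example.org',           ['*.example.org'],   undef],
    ['ocs.example.org.evil.test', [],                  'ocs.example.org'],
    ['other.example.org',         ['ocs.example.org'], 'other.example.org'],
    ['OCS.Example.Org.',          ['ocs.example.org'], undef],
);
for my $c (@cases) {
    my ($host, $san, $cn) = @$c;
    my $ref = defined $cn ? $cn : $san->[0];   # the single name the naive check sees
    printf "%-28s naive=%d strict=%d\n", $host,
        naive_match($host, $ref), strict_match($host, $san, $cn);
}
```

The two functions disagree on every case except the first: the naive version accepts a multi-label wildcard match, a look-alike suffix host and a CN that the SAN list should override, and it rejects a legitimate name that differs only in case and trailing dot.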