Re: [Buildroot] [PATCH 1/1] package/network-manager: make cryptography library optional

From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Florian Larysch <fl@n621.de>
Cc: buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH 1/1] package/network-manager: make cryptography library optional
Date: Fri, 30 May 2025 22:01:25 +0200	[thread overview]
Message-ID: <20250530220125.3b1c7c5f@windsurf> (raw)
In-Reply-To: <20250527152342.4288-1-fl@n621.de>

Hello Florian,

Thanks for the patch!

On Tue, 27 May 2025 17:23:38 +0200
Florian Larysch <fl@n621.de> wrote:

> The network-manager package currently pulls in either gnutls or libnss,
> neither of which are very common and it might be the only reason why
> they are present on a system.
> 
> However, most of NetworkManager works just fine without any cryptography
> support, it only seems to be used in test cases and 802.1X support code.
> 
> Make the crypto backend configurable and optional to make it possible to
> avoid this dependency while keeping the default behavior the same.
> 
> Signed-off-by: Florian Larysch <fl@n621.de>
> ---
> 
> The select vs depends on thing is a bit hacky because I've tried to set
> it up in a way that keeps the existing behavior for backwards
> compatibility. I'm not even sure if this is the best way to go about it
> or if all the options should maybe just depend on the respective
> libraries to make it less implicit.

In this kind of situation, I'm not sure keeping backward compatibility
is really a good idea. Indeed, we have two conflicting goals:

(1) Not break backward compatibility. This would encourage in
continuing to automatically select gnutls as a dependency of
network-manager, like your patch does

(2) Have minimal dependencies by default, which is one of the great
things about Buildroot: it doesn't pull in needless stuff for no
reason. This would encourage NOT automatically selecting any crypto
library by default.

And I think my preference goes to (2) in this situation.

> -ifeq ($(BR2_PACKAGE_LIBNSS),y)
> +ifeq ($(BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_LIBNSS),y)
>  NETWORK_MANAGER_DEPENDENCIES += libnss
>  NETWORK_MANAGER_CONF_OPTS += -Dcrypto=nss
> -else
> +else ifeq ($(BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_GNUTLS),y)
>  NETWORK_MANAGER_DEPENDENCIES += gnutls
>  NETWORK_MANAGER_CONF_OPTS += -Dcrypto=gnutls
> +else ifeq ($(BR2_PACKAGE_NETWORK_MANAGER_CRYPTO_NONE),y)
> +NETWORK_MANAGER_CONF_OPTS += -Dcrypto=null
>  endif

So the change would be just:

ifeq ($(BR2_PACKAGE_LIBNSS),y)
NETWORK_MANAGER_DEPENDENCIES += libnss
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=nss
else
else ifeq ($(BR2_PACKAGE_GNUTLS),y)
NETWORK_MANAGER_DEPENDENCIES += gnutls
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=gnutls
else
NETWORK_MANAGER_CONF_OPTS += -Dcrypto=null
endif

and of course drop the select in Config.in. We might discuss whether
gnutls should take priority on libnss if both are available. Maybe NM
documents that one is "better" over the other?

Thanks!

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot