| 20 Sep 2025 |
aloisw | Obviously, because why would you use quictls other than for quic. | 16:48:37 |
K900 | I do wonder what the limit is | 16:49:36 |
Marie | pushed now, which changes do you want squashed? | 16:49:56 |
aloisw | If you mean nginx, aws-lc requires a patch (included with aws-lc source, but still). | 16:52:58 |
hexa | iirc haproxy wanted to sell everyone on AWS-LC in https://www.haproxy.com/blog/state-of-ssl-stacks | 16:57:02 |
aloisw | For nginx that could actually be a reasonable option, if it gets better maintenance in nixpkgs and having the patch is acceptable. | 17:00:14 |
emily | I would not be too surprised if somewhere in the GitHub codebase is a line like name != "all-packages.nix" at this point | 17:00:24 |
emily | anyway I don't mind AWS-LC | 17:00:43 |
emily | even for curl I wouldn't necessarily mind it | 17:00:48 |
emily | but that's a bigger decision | 17:00:52 |
emily | this seems to be prior to them adding 3.5 QUIC support at least | 17:01:34 |
emily | so I wonder what they would say now given the advice in their README | 17:01:42 |
aloisw | Curl is linked into a bunch of other applications, and having two crypto libraries or requiring aws-lc support everywhere might not be so nice. | 17:02:12 |
emily | I think "curl: drop usage of quictls" breaks curl, and "nghttp2: drop usage of quictls" breaks nghttp2 with HTTP/3, until you do "ngtcp2: use openssl instead of quictls", so I would move "ngtcp2: use openssl instead of quictls" after the bumps and squash the other two commits into it | 17:02:43 |
emily | right. | 17:02:54 |
emily | at a certain point it's just deciding to openssl = aws-lc; | 17:03:25 |
hexa | but do we want aws-lc at the core of so many things | 17:05:07 |
emily | ¯\_(ツ)_/¯ | 17:07:34 |
emily | hence ^ | 17:07:45 |
aloisw | Judging by the graph labels it was performed during the 3.4 development cycle, so 3.5 didn't even exist yet. Although they mainly seem to be arguing that OpenSSL is slower, and I have no idea whether that has changed with 3.5. | 17:21:28 |
aloisw | This will almost certainly break a lot of stuff due to API incompatibility. | 17:21:44 |
emily | right, I just mean that the README updates etc. I pointed to were after the argument they're making there | 17:25:37 |
emily | again… not really seriously proposing this :) | 17:25:48 |
emily | what to do for Nginx and HAProxy I am shrug about | 17:26:04 |
emily | other than "probably not QuicTLS" | 17:26:09 |
Lun | <del>swap the alias every staging cycle</del> | 17:26:24 |
aloisw | Given that they recommended quictls there before, while explicitly pointing it out in the article as having the same issues as OpenSSL, there does not seem to be a connection between that article and the README. I guess they just put in the readme what they assumed to be easiest. | 17:39:47 |
aloisw | LibreSSL, because every NixOS system already depends on it | 17:43:35 |
hexa | I really want that fixed 🥲 | 17:44:01 |
hexa | This is netcat-openbsd, right? | 17:44:18 |