| 20 Sep 2025 |
emily | https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20quictls&type=code doesn't show Nginx for me either, am I missing something? | 16:47:24 |
aloisw | (do not read the comment) | 16:47:25 |
emily | aha. only for nginxQuic | 16:47:46 |
emily | ok, we can punt what to do for that stuff for later. | 16:48:09 |
emily | OpenSSL 3.5 or AWS-LC seem like the sensible options. | 16:48:17 |
aloisw | all-packages.nix is excluded from that due to its size I guess? | 16:48:17 |
emily | it's not even that big any more | 16:48:30 |
emily | 15k lines | 16:48:32 |
emily | but yeah I guess | 16:48:34 |
aloisw | Obviously, because why would you use quictls other than for quic. | 16:48:37 |
K900 | I do wonder what the limit is | 16:49:36 |
Marie | pushed now, which changes do you want squashed? | 16:49:56 |
aloisw | If you mean nginx, aws-lc requires a patch (included with aws-lc source, but still). | 16:52:58 |
hexa | iirc haproxy wanted to sell everyone on AWS-LC in https://www.haproxy.com/blog/state-of-ssl-stacks | 16:57:02 |
aloisw | For nginx that could actually be a reasonable option, if it gets better maintenance in nixpkgs and having the patch is acceptable. | 17:00:14 |
emily | I would not be too surprised if somewhere in the GitHub codebase is a line like name != "all-packages.nix" at this point | 17:00:24 |
emily | anyway I don't mind AWS-LC | 17:00:43 |
emily | even for curl I wouldn't necessarily mind it | 17:00:48 |
emily | but that's a bigger decision | 17:00:52 |
emily | this seems to be prior to them adding 3.5 QUIC support at least | 17:01:34 |
emily | so I wonder what they would say now given the advice in their README | 17:01:42 |
aloisw | Curl is linked into a bunch of other applications, and having two crypto libraries or requiring aws-lc support everywhere might not be so nice. | 17:02:12 |
emily | I think "curl: drop usage of quictls" breaks curl, and "nghttp2: drop usage of quictls" breaks nghttp2 with HTTP/3, until you do "ngtcp2: use openssl instead of quictls", so I would move "ngtcp2: use openssl instead of quictls" after the bumps and squash the other two commits into it | 17:02:43 |
emily | right. | 17:02:54 |
emily | at a certain point it's just deciding to openssl = aws-lc; | 17:03:25 |
hexa | but do we want aws-lc at the core of so many things | 17:05:07 |
emily | ¯\_(ツ)_/¯ | 17:07:34 |
emily | hence ^ | 17:07:45 |
aloisw | Judging by the graph labels it was performed during the 3.4 development cycle, so 3.5 didn't even exist yet. Although they mainly seem to be arguing that OpenSSL is slower, and I have no idea whether that has changed with 3.5. | 17:21:28 |
aloisw | This will almost certainly break a lot of stuff due to API incompatibility. | 17:21:44 |