Re: [Opensc-devel] New port in MacPorts and question about TokenD

[Leonardo B. S. <leo...@gm...>]

On 2016-09-28 10:34, David Woodhouse wrote:
> Well... the OpenSC project installs a shared library for libopensc, and
> a libopensc.pc pkg-config file to let external things build against it.
> If the ABI of that library changes in an incompatible way without the
> soname being bumped, then we are Doing It Wrong™.
>
> That said, lots of projects Do It Wrong, and I don't blame you for
> asking :)

Yes, I understand how shared libraries are supposed to maintain ABI/API 
compatibility however my question was more or less the current state of 
affairs and not the desirable one. :-)

I suspect that even if OpenSC intends to maintain a stable ABI/API for 
libopensc (as expected of a shared library), inadvertent breakages won't 
be detected in practice due to the fact that OpenSC builds everything 
together and nobody tests different libopensc/TokenD version combinations.

I'm also not aware of any other project that uses libopensc. The fact 
that the libopensc headers are declared as non-installable in the 
Makefile also gives a strong indication that nobody is really expecting 
libopensc to be used by third-parties.

I just don't want to gamble and have ports that build combinations  that 
were never really build or tested by anyone. As the maintainer in 
MacPorts, I'm not comfortable with making MacPorts users the guinea pigs 
of such combinations.

> And in this case, I believe Tokend *is* the "proper" platform-specific
> interface for OSX, just as the minidriver is the proper platform-
> specific interface for Windows.
>
> So if we *aren't* painstakingly following shared library ABI rules for
> libopensc, and Leonardo's concerns are valid... then maybe
> Tokend.OpenSC should be part of the OpenSC repository, like the Windows
> minidriver is.

Just to clarify that I'm not claiming that the API/ABI are being broken, 
just that I'm skeptical that any breakage would be detected since 
(almost) nobody uses libopensc besides TokenD and they are always built 
together.

Honestly, maintaining a stable API/ABI can be a pain and it could be 
much better for everybody if TokenD was integrated into the OpenSC 
sources and then you don't need to care about libopensc and you're free 
to refactor it at will. I don't see the point of paying the price of 
maintaining compatibility of a library if that library has no other users.

However, my intent was not to start a big discussion or make any 
requests or suggest changes in OpenSC — all I want to do is to have a 
well-behaving and stable MacPorts port. :-)

> Or a third possibility: what's wrong with just using a Tokend.PKCS#11
> such as the one mentioned at
> http://ludovicrousseau.blogspot.co.uk/2010/04/free-software-tokend-above-pkcs11-for.html
>
> Then you can use it with *any* PKCS#11 module, including OpenSC's. Why
> have a hardware-specific Tokend implementation at all?

I agree that the TokenD you mentioned would be a much better option than 
the custom OpenSC one. It could work in the same way and have the same 
purpose as p11-kit does in Linux.

But according to Apple TokenD modules are a deprecated technology and 
who knows until when they are going to work. It becomes hard to justify 
the time investment on building something that could simply stop working 
on the very next OS release.

// Leonardo.