configure: requires --with-nss-deprecated to build with NSS

Add deprecation plans to docs/DEPRECATE.md Closes #8395
2025-02-11 14:50:40 +08:00 · 2022-02-07 14:20:03 +01:00 · 2022-02-07 14:20:03 +01:00 · 3738de3bd1
commit 3738de3bd1
parent f9d1b25011
3 changed files with 30 additions and 3 deletions
--- a/.github/workflows/nss.yml
+++ b/.github/workflows/nss.yml
@ -22,7 +22,7 @@ jobs:
        build:
        - name: NSS
          install:
-          configure: --with-nss --enable-debug --enable-werror
+          configure: --with-nss --enable-debug --enable-werror --with-nss-deprecated

    steps:
    - run: |
--- a/configure.ac
+++ b/configure.ac
@ -262,13 +262,27 @@ AS_HELP_STRING([--with-rustls=PATH],[where to look for rustls, PATH points to th
    test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }rustls")
  fi

+OPT_NSS_AWARE=no
+AC_ARG_WITH(nss-deprecated,dnl
+AS_HELP_STRING([--with-nss-deprecated],[confirm you realize NSS is going away]),
+  if test X"$withval" != Xno; then
+    OPT_NSS_AWARE=$withval
+  fi
+)
+
 OPT_NSS=no
 AC_ARG_WITH(nss,dnl
 AS_HELP_STRING([--with-nss=PATH],[where to look for NSS, PATH points to the installation root]),
  OPT_NSS=$withval
  if test X"$withval" != Xno; then
-    test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }NSS")
+
+    if test X"$OPT_NSS_AWARE" = "Xno" ; then
+      AC_MSG_ERROR([NSS use must be confirmed using --with-nss-deprecated. NSS support will be dropped from curl in August 2022. See docs/DEPRECATE.md])
+    fi
+
+    test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }NSS"
  fi
+)

 dnl If no TLS choice has been made, check if it was explicitly disabled or
 dnl error out to force the user to decide.
--- a/docs/DEPRECATE.md
+++ b/docs/DEPRECATE.md
@ -6,7 +6,20 @@ email the
 as soon as possible and explain to us why this is a problem for you and
 how your use case cannot be satisfied properly using a workaround.

-## Past removals
+## NSS
+
+We remove support for building curl with the NSS TLS library in August 2022.
+
+- There are very few users left who use curl+NSS
+- NSS has very few users outside of curl as well (primarily Firefox)
+- NSS is harder than ever to find documentation for
+- NSS was always "best" used with Red Hat Linux when they provided additional
+  features on top of the regular NSS that isn't shipped by the vanilla library
+
+Starting in 7.82.0, building curl to use NSS configure requires the additional
+flag --with-nss-deprecated in an attempt to highlight these plans.
+
+## past removals

 - Pipelining
 - axTLS