RFC: Adding Mac support to secur32/schannel.c

[Juan Lang]

Hi Francois,

> As far as I understand it's not going to be another implementation. But
> you're probably right to warn about having multiple backends; that can
> be bad too as has been seen with sound.

Yes, that's part of my concern.

> Not true. Anyone using Wine on Mac OS X will benefit by not having to
> hunt down for a non-standard library to either compile or run Wine. That
> means Mac users will be more likely to actually have a somewhat
> functional schannel. Even those who use a packaged Wine will benefit
> because it means they will no longer either receive an outdated GnuTLS
> library that contains vulnerabilities with their Wine, or have to hunt
> one down on their own, or have no schannel support.

Perhaps.  I'm not aware of too many apps that actually work with the
built-in schannel.  You tell me Outlook is one:  that's news, although
I suspect that primarily affects CodeWeavers' customers.  It doesn't
work for everyone, either:  see bug 20562.  Many apps depend on
schannel, yet don't work.  Google Talk, VMware Infrastructure Client,
and Miranda off the top of my head, probably a few that I'm
forgetting.

> You say that schannel needs a lot of improvement and you say that we/the
> community should work on that first. However making schannel perfect
> will not make the dependency on GnuTLS any more acceptable on Mac OS X.
> So both need to be done it's only a matter of 'in which order'?
>
> Option 1
>  1) Improve Mac support
>  2) Improve schannel
>  Drawback is (1) makes (2) much harder but this has not been
>  conclusively proven.

No.  Tests would help determine the cost.  As it is, it's only
knowable ex post facto, and that means users suffer if it's true.

> Option 2
>  1) Improve schannel until it's 'good enough'
>  2) Improve Mac support
>  This means _most_ Mac users won't get any schannel support for a long
>  time. And in terms of development it means a big refactoring phase
>  near the end which may well be pretty disruptive too (hopefully it
>  wouldn't be as bad as the display backend or DIB engine refactoring).

Well, that's why tests are important:  they mitigate the risk during migration.

Besides, I'm still not convinced that GnuTLS on the Mac is such an
onerous problem.  If it's an issue for your (CodeWeavers') customers,
then your installer needs to be improved.  If it's an issue for Wine
on Mac users, well, there are already dependencies on non-Mac things,
and most users end up using MacPorts or something akin to it to get
them.  As I see it, your option 2 is a false choice:  improving
schannel until it's good enough doesn't preclude improving Mac
support.
--Juan