configure: requires --with-nss-deprecated to build with NSS

Add deprecation plans to docs/DEPRECATE.md Closes #8395
curl · Feb 9, 2022 · 3738de3 · 3738de3 · somini · Apr 3, 2022
1 parent f9d1b25
commit 3738de3
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 3 deletions.
diff --git a/.github/workflows/nss.yml b/.github/workflows/nss.yml
@@ -22,7 +22,7 @@ jobs:
         build:
         - name: NSS
           install:
-          configure: --with-nss --enable-debug --enable-werror
+          configure: --with-nss --enable-debug --enable-werror --with-nss-deprecated
 
     steps:
     - run: |

diff --git a/configure.ac b/configure.ac
@@ -262,13 +262,27 @@ AS_HELP_STRING([--with-rustls=PATH],[where to look for rustls, PATH points to th
     test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }rustls")
   fi
 
+OPT_NSS_AWARE=no
+AC_ARG_WITH(nss-deprecated,dnl
+AS_HELP_STRING([--with-nss-deprecated],[confirm you realize NSS is going away]),
+  if test X"$withval" != Xno; then
+    OPT_NSS_AWARE=$withval
+  fi
+)
+
 OPT_NSS=no
 AC_ARG_WITH(nss,dnl
 AS_HELP_STRING([--with-nss=PATH],[where to look for NSS, PATH points to the installation root]),
   OPT_NSS=$withval
   if test X"$withval" != Xno; then
-    test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }NSS")
+
+    if test X"$OPT_NSS_AWARE" = "Xno" ; then
+      AC_MSG_ERROR([NSS use must be confirmed using --with-nss-deprecated. NSS support will be dropped from curl in August 2022. See docs/DEPRECATE.md])
+    fi
+
+    test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }NSS"
   fi
+)
 
 dnl If no TLS choice has been made, check if it was explicitly disabled or
 dnl error out to force the user to decide.

diff --git a/docs/DEPRECATE.md b/docs/DEPRECATE.md
@@ -6,7 +6,20 @@ email the
 as soon as possible and explain to us why this is a problem for you and
 how your use case cannot be satisfied properly using a workaround.
 
-## Past removals
+## NSS
+
+We remove support for building curl with the NSS TLS library in August 2022.
+
+- There are very few users left who use curl+NSS
+- NSS has very few users outside of curl as well (primarily Firefox)
+- NSS is harder than ever to find documentation for
+- NSS was always "best" used with Red Hat Linux when they provided additional
+  features on top of the regular NSS that isn't shipped by the vanilla library
+
+Starting in 7.82.0, building curl to use NSS configure requires the additional
+flag --with-nss-deprecated in an attempt to highlight these plans.
+
+## past removals
 
  - Pipelining
  - axTLS