From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 7 Feb 2022 13:20:03 +0000 (+0100)
Subject: configure: requires --with-nss-deprecated to build with NSS
X-Git-Tag: curl-7_82_0~99
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3738de3bd1efd7f3769443f9cbc485bd7ea4c397;p=thirdparty%2Fcurl.git

configure: requires --with-nss-deprecated to build with NSS

Add deprecation plans to docs/DEPRECATE.md

Closes #8395
---

diff --git a/.github/workflows/nss.yml b/.github/workflows/nss.yml
index 7e9212b975..9974d0440f 100644
--- a/.github/workflows/nss.yml
+++ b/.github/workflows/nss.yml
@@ -22,7 +22,7 @@ jobs:
         build:
         - name: NSS
           install:
-          configure: --with-nss --enable-debug --enable-werror
+          configure: --with-nss --enable-debug --enable-werror --with-nss-deprecated
 
     steps:
     - run: |
diff --git a/configure.ac b/configure.ac
index 4016afc121..48fa1cbf22 100644
--- a/configure.ac
+++ b/configure.ac
@@ -262,13 +262,27 @@ AS_HELP_STRING([--with-rustls=PATH],[where to look for rustls, PATH points to th
     test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }rustls")
   fi
 
+OPT_NSS_AWARE=no
+AC_ARG_WITH(nss-deprecated,dnl
+AS_HELP_STRING([--with-nss-deprecated],[confirm you realize NSS is going away]),
+  if test X"$withval" != Xno; then
+    OPT_NSS_AWARE=$withval
+  fi
+)
+
 OPT_NSS=no
 AC_ARG_WITH(nss,dnl
 AS_HELP_STRING([--with-nss=PATH],[where to look for NSS, PATH points to the installation root]),
   OPT_NSS=$withval
   if test X"$withval" != Xno; then
-    test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }NSS")
+
+    if test X"$OPT_NSS_AWARE" = "Xno" ; then
+      AC_MSG_ERROR([NSS use must be confirmed using --with-nss-deprecated. NSS support will be dropped from curl in August 2022. See docs/DEPRECATE.md])
+    fi
+
+    test -z "TLSCHOICE" || TLSCHOICE="${TLSCHOICE:+$TLSCHOICE, }NSS"
   fi
+)
 
 dnl If no TLS choice has been made, check if it was explicitly disabled or
 dnl error out to force the user to decide.
diff --git a/docs/DEPRECATE.md b/docs/DEPRECATE.md
index d0d94d1ac1..02c48bce51 100644
--- a/docs/DEPRECATE.md
+++ b/docs/DEPRECATE.md
@@ -6,7 +6,20 @@ email the
 as soon as possible and explain to us why this is a problem for you and
 how your use case cannot be satisfied properly using a workaround.
 
-## Past removals
+## NSS
+
+We remove support for building curl with the NSS TLS library in August 2022.
+
+- There are very few users left who use curl+NSS
+- NSS has very few users outside of curl as well (primarily Firefox)
+- NSS is harder than ever to find documentation for
+- NSS was always "best" used with Red Hat Linux when they provided additional
+  features on top of the regular NSS that isn't shipped by the vanilla library
+
+Starting in 7.82.0, building curl to use NSS configure requires the additional
+flag --with-nss-deprecated in an attempt to highlight these plans.
+
+## past removals
 
  - Pipelining
  - axTLS