I once did a Google Summer of Code project with NSS, and tbh I found the codebase quite hard to work with.
It has a lot of what appears to be unnecessary API layers upon API layers that require changes in a lot of places if you want to add something. Also - I don't know if this is still the case, but it was back then - they had bugs in their ASN1 code which they knew about, and workarounds all over the codebase to comply with these underlying bugs.
You could really see that this code is old and has a lot of technical debt - after all it is the "original" Netscape SSL implementation. And the API stability comes at the price that you cannot really get rid of all that complexity even if you wanted to.
That's insightful, thanks. I contributed a script for building NSS on windows to vcpkg and even the build system in use (GYP, abandonware at this point) is technical debt in and of itself.
It has a lot of what appears to be unnecessary API layers upon API layers that require changes in a lot of places if you want to add something. Also - I don't know if this is still the case, but it was back then - they had bugs in their ASN1 code which they knew about, and workarounds all over the codebase to comply with these underlying bugs.
You could really see that this code is old and has a lot of technical debt - after all it is the "original" Netscape SSL implementation. And the API stability comes at the price that you cannot really get rid of all that complexity even if you wanted to.