* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
@ 2020-04-13 0:45 ` travankor
2020-04-13 0:46 ` xtraeme
` (140 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-04-13 0:45 UTC
To: ml
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612701546
Comment:
Another advantage: OpenSSL is switching to a license that OpenBSD considers [non-free](https://www.openbsd.org/policy.html) (Apache-2.0, which Void considers free). This means the codebase between openssl and libressl is more likely to diverge.
I think having better software and hardware support (i.e. aarch64 crypto acceleration) is more useful for Void than security (not that openssl is super insecure these days).
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-13 0:46 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612701686
Comment:
Cons: openssl needs perl to build
* Re: [RFC] Switching back to OpenSSL
From: protonesso @ 2020-04-13 0:48 UTC
New comment by protonesso on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612701979
Comment:
bruh
* Re: [RFC] Switching back to OpenSSL
From: q66 @ 2020-04-13 0:55 UTC
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612703000
Comment:
I'd argue that OpenSSL is safer, since it just gets a lot more attention and audit nowadays. Since Heartbleed, a lot of attention has gone to OpenSSL; it's probably one of the better-audited projects nowadays.
The performance increase on non-x86_64 platforms is not "potential", it's there; OpenSSL has optimized assembly code for most architectures, in addition to plain C fallbacks - LibreSSL does not have them, they all got dropped with the exception of the x86_64 ones.
So, +1 from me.
* Re: [RFC] Switching back to OpenSSL
From: q66 @ 2020-04-13 0:57 UTC
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612703000
Comment:
I'd argue that OpenSSL is safer, since it just gets a lot more attention and audit nowadays. Since Heartbleed, a lot of attention has gone to OpenSSL; it's probably one of the better-audited projects nowadays.
The performance increase on non-x86_64 platforms is not "potential", it's there; OpenSSL has optimized assembly code for most architectures, in addition to plain C fallbacks - LibreSSL does not have them, they all got dropped with the exception of the x86_64 ones.
So, +1 from me.
Perl being required for build is a non-problem, it's already required for build in several other bootstrap packages, including gcc and glibc.
* Re: [RFC] Switching back to OpenSSL
From: q66 @ 2020-04-13 0:58 UTC
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612703000
Comment:
I'd argue that OpenSSL is safer, since it just gets a lot more attention and audit nowadays. Since Heartbleed, a lot of attention has gone to OpenSSL; it's probably one of the better-audited projects nowadays.
The performance increase on non-x86_64 platforms is not "potential", it's there; OpenSSL has optimized assembly code for most architectures, in addition to plain C fallbacks - LibreSSL does not have them, they all got dropped with the exception of the x86_64 ones.
So, +1 from me.
Perl being required for build is a non-problem, it's already required for build in several other bootstrap packages, including coreutils, gcc and glibc.
* Re: [RFC] Switching back to OpenSSL
From: travankor @ 2020-04-13 1:00 UTC
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612701546
Comment:
Another advantage: OpenSSL is switching to a license that OpenBSD considers [non-free](https://www.openbsd.org/policy.html) (Apache-2.0, which Void considers free). This means the codebase between openssl and libressl is more likely to diverge.
I think having better software (i.e. haskell openssl keeps breaking with libressl) and hardware support (i.e. aarch64 crypto acceleration) is more useful for Void than security (not that openssl is super insecure these days).
* Re: [RFC] Switching back to OpenSSL
From: travankor @ 2020-04-13 1:01 UTC
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612701546
Comment:
Another advantage: OpenSSL is switching to a license that OpenBSD considers [non-free](https://www.openbsd.org/policy.html) (Apache-2.0, which Void considers free). This means the codebase between openssl and libressl is more likely to diverge.
I think having better software (i.e. haskell ssl library keeps breaking with libressl) and hardware support (i.e. aarch64 crypto acceleration) is more useful for Void than security (not that openssl is super insecure these days).
* Re: [RFC] Switching back to OpenSSL
From: pullmoll @ 2020-04-13 8:58 UTC
New comment by pullmoll on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612816313
Comment:
Several times I have found it difficult to see in which way patching a source for libressl would be correct. This is because I do not know every detail of the differences between the openssl versions 1.0.x and 1.1.x, and the libressl API lies somewhere in between the two.
So from my point of view using openssl could save us lots of work, and if a majority thinks that openssl is audited well enough nowadays, I'm pro switching.
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-13 9:09 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612820412
Comment:
No objections. But the website will have to be updated...
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-13 10:57 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612853344
Comment:
If you are going this route, please do not change xbps. I prefer to keep xbps to use libressl, mainly because this avoids lots of unnecessary dependencies while bootstrapping.
* Re: [RFC] Switching back to OpenSSL
From: Duncaen @ 2020-04-13 11:29 UTC
New comment by protonesso on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612701979
Comment:
bruh
* Re: [RFC] Switching back to OpenSSL
From: Hoshpak @ 2020-04-13 12:02 UTC
New comment by Hoshpak on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612870992
Comment:
Are you talking about xbps as a project or the Void Linux xbps package? Switching all packages to openssl and still forcing every Void system to still install libressl in parallel through xbps would make it kind of pointless to switch in the first place.
I generally agree that we should switch to openssl. Libressl not supporting the openssl 1.1 API is increasingly holding packages back (I think I had issues when trying to update postfix in the past) and cannot be trivially patched. The slow movement of libressl development also bothers me and led me to not use it on my server. I am now able to connect to this server via TLS 1.3, just not from any of my Void machines.
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-13 12:04 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612871637
Comment:
I mean the void pkg.
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-13 12:06 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612872193
Comment:
FYI https://github.com/libressl-portable/portable/issues/228
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-13 12:09 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612872804
Comment:
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-13 12:09 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612872943
Comment:
Anyway I don't really care, simply don't switch xbps.
* Re: [RFC] Switching back to OpenSSL
From: Johnnynator @ 2020-04-16 12:16 UTC
New comment by Johnnynator on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614615877
Comment:
> Simply don't switch xbps.
This would also imply building libarchive against LibreSSL, but nevertheless I dislike having both LibreSSL and OpenSSL at the same time in the base system.
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:18 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614616828
Comment:
We do have already multiple implementations at the same time, see mbedtls, gnutls, libressl, etc.
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:19 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614617096
Comment:
Anyway I've been thinking about it and maybe I'll switch xbps to use mbedtls. Not sure yet. So go ahead!
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:20 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614617662
Comment:
I think it would be good to have openssl as another provider, and then we can decide what software depends on which.
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:22 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614618589
Comment:
I agree about the ABI breakage in libressl, this is the only thing that bothers me, but I still think they are doing good with the software. I'm pretty sure OpenBSD devs do great security work!
Note that openssl was only improved (after Heartbleed) because they received lots of donations that made some developers work full time. Not sure if this is true nowadays.
* Re: [RFC] Switching back to OpenSSL
From: Johnnynator @ 2020-04-16 12:26 UTC
New comment by Johnnynator on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614620637
Comment:
> We do have already multiple implementations at the same time, see mbedtls, gnutls, libressl, etc.
But not in the base system, there we only have LibreSSL as of now.
* Re: [RFC] Switching back to OpenSSL
From: Johnnynator @ 2020-04-16 12:29 UTC
New comment by Johnnynator on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614622006
Comment:
E.g. I need to decide if ca-certificates depends on LibreSSL or OpenSSL (in theory I might be able to patch `update-ca-certificates` to work with both)
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:29 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614622203
Comment:
@Johnnynator this is not an issue! we can make both work at the same time, including mbedtls.
* Re: [RFC] Switching back to OpenSSL
From: travankor @ 2020-04-16 12:31 UTC
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614623285
Comment:
@xtraeme What about bearssl? In the link you provided above, it resists the attacks.
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:32 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614623665
Comment:
@Johnnynator hmm I would not do this way. Each ssl implementation must depend on ca-certificates.
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:33 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614623999
Comment:
@travankor well, you are free to use whatever you think is ok! I think having openssl is ok, as long as libressl is still an option!
* Re: [RFC] Switching back to OpenSSL
From: travankor @ 2020-04-16 12:34 UTC
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614623285
Comment:
> Anyway I've been thinking about it and maybe I'll switch xbps to use mbedtls. Not sure yet. So go ahead!
@xtraeme What about bearssl? In the link you provided above, it resists the attacks.
* Re: [RFC] Switching back to OpenSSL
From: travankor @ 2020-04-16 12:34 UTC
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614624541
Comment:
no, i meant for xbps
* Re: [RFC] Switching back to OpenSSL
From: travankor @ 2020-04-16 12:34 UTC
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614624541
Comment:
no, i meant for xbps, as an alternative backend
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:35 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614624871
Comment:
I haven't looked into it, but if xbps supports all alternatives it would be good.
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:35 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614625156
Comment:
right now xbps does not support openssl >= 1.1, so we are stuck with older openssl or libressl.
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:37 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614625889
Comment:
in fact I haven't tried with openssl >= 1.1, but I think it would need minimal changes...
* Re: [RFC] Switching back to OpenSSL
From: Johnnynator @ 2020-04-16 12:40 UTC
New comment by Johnnynator on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614627195
Comment:
> @Johnnynator hmm I would not do this way. Each ssl implementation must depend on ca-certificates.
Yes, all ssl implementations depend on ca-certs but ca-certs depends on only one SSL implementation.
But the update-ca-certificates script right now ONLY works with libressl. And the openssl command does not have a proper way of querying whether it is OpenSSL or LibreSSL. (It always exits with 0, even when the command was not found..., so I need to judge it by what is printed to stdout, argh...).
* Re: [RFC] Switching back to OpenSSL
From: Johnnynator @ 2020-04-16 12:40 UTC
New comment by Johnnynator on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614627390
Comment:
> in fact I haven't tried with openssl >= 1.1, but I think it would need minimal changes...
XBPS did compile and run fine for me locally.
* Re: [RFC] Switching back to OpenSSL
From: Johnnynator @ 2020-04-16 12:42 UTC
New comment by Johnnynator on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614627195
Comment:
> @Johnnynator hmm I would not do this way. Each ssl implementation must depend on ca-certificates.
Yes, all ssl implementations depend on ca-certs but ca-certs depends on only one SSL implementation.
But the update-ca-certificates script right now ONLY works with libressl. And the openssl command does not have a proper way of querying whether it is OpenSSL or LibreSSL. (It always exits with 0, even when the command was not found..., so I need to judge it by what is printed to stdout, argh...).
Edit: correction, OpenSSL exits with `1` on invalid commands, LibreSSL is the one that always exits with `0`.
^ permalink raw reply [flat|nested] 143+ messages in thread
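The stdout-based detection described in the comment above, as an added example that is not part of the thread or of Void's `update-ca-certificates` script: it identifies the CLI from the banner printed by `openssl version` instead of trusting the exit status, and also reports whether an OpenSSL binary belongs to the 1.1-or-newer family discussed earlier in the thread. All function names, the stub commands and the sample banners are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): identify which TLS toolkit an
# openssl-compatible CLI belongs to from the banner that `openssl version`
# prints, never from the CLI's exit status.

# classify_banner BANNER -> prints openssl | libressl | unknown
classify_banner() {
    case "$1" in
        "LibreSSL "[0-9]*) echo libressl ;;
        "OpenSSL "[0-9]*)  echo openssl ;;
        *)                 echo unknown ;;
    esac
}

# banner_version BANNER -> prints the second space-separated field,
# e.g. "1.1.1f" from "OpenSSL 1.1.1f  31 Mar 2020".
banner_version() {
    bv_rest=${1#* }
    echo "${bv_rest%% *}"
}

# api_family BANNER -> prints libressl | openssl-1.1+ | openssl-legacy | unknown
api_family() {
    af_ver=$(banner_version "$1")
    case "$(classify_banner "$1")" in
        libressl) echo libressl ;;
        openssl)
            # Require at least MAJOR.MINOR before doing arithmetic on it.
            case "$af_ver" in
                [0-9]*.[0-9]*) ;;
                *) echo unknown; return 0 ;;
            esac
            af_major=${af_ver%%.*}
            af_minor=${af_ver#*.}
            af_minor=${af_minor%%.*}
            # Drop letter suffixes so the numeric tests below cannot error.
            af_major=${af_major%%[!0-9]*}
            af_minor=${af_minor%%[!0-9]*}
            if [ -z "$af_major" ] || [ -z "$af_minor" ]; then
                echo unknown
            elif [ "$af_major" -gt 1 ] ||
                 { [ "$af_major" -eq 1 ] && [ "$af_minor" -ge 1 ]; }; then
                echo openssl-1.1+
            else
                echo openssl-legacy
            fi ;;
        *) echo unknown ;;
    esac
}

# detect_tls_cli [COMMAND] -> prints the implementation name. The function's
# own exit status is 0 only when the banner was recognised, so callers get a
# status they can rely on regardless of what the CLI itself returned.
detect_tls_cli() {
    dt_bin=${1:-openssl}
    dt_impl=unknown
    if command -v "$dt_bin" >/dev/null 2>&1; then
        dt_banner=$("$dt_bin" version 2>/dev/null | head -n 1)
        dt_impl=$(classify_banner "$dt_banner")
    fi
    echo "$dt_impl"
    [ "$dt_impl" != unknown ]
}

# Constructed stand-ins for real binaries so the example runs offline.
stub_openssl()  { echo "OpenSSL 1.1.1f  31 Mar 2020"; }
stub_libressl() { echo "LibreSSL 3.0.2"; }
# Mimics the failure mode reported in the thread: a diagnostic on stdout
# instead of a banner, yet an exit status of 0.
stub_exit_zero_on_error() { echo "stub: invalid command"; return 0; }

for cmd in stub_openssl stub_libressl stub_exit_zero_on_error; do
    printf '%-24s -> %s\n' "$cmd" "$(detect_tls_cli "$cmd")"
done
```

Calling `detect_tls_cli` with no argument probes whatever `openssl` is first in `PATH`.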
* Re: [RFC] Switching back to OpenSSL
From: xtraeme @ 2020-04-16 12:43 UTC
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614628964
Comment:
@Johnnynator cool! I'll update the README then.
So I'm not against it, but what bothers me about openssl is the perl build dependency... it DOES matter while bootstrapping. I would take the alpine patch to get rid of it.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (38 preceding siblings ...)
2020-04-16 12:43 ` xtraeme
@ 2020-04-16 12:45 ` xtraeme
2020-04-16 12:45 ` xtraeme
` (101 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 12:45 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 313 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614629821
Comment:
@Johnnynator we could use alternatives for the openssl command, and then use the specific impl cmd, i.e. for openssl "openssl", for libressl "openssl-libressl" or whatever.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (39 preceding siblings ...)
2020-04-16 12:45 ` xtraeme
@ 2020-04-16 12:45 ` xtraeme
2020-04-16 12:51 ` travankor
` (100 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 12:45 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 314 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614629821
Comment:
@Johnnynator we could use alternatives for the openssl command, and then use the specific impl cmd, i.e. for openssl "openssl", for libressl "openssl-libressl" or whatever.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (40 preceding siblings ...)
2020-04-16 12:45 ` xtraeme
@ 2020-04-16 12:51 ` travankor
2020-04-16 12:52 ` travankor
` (99 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-04-16 12:51 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 407 bytes --]
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614632896
Comment:
Anyways, stick with libressl 3.1 for now, it's about to get released and adds more compatibility for openssl 1.1.
My main issue is that libressl won't match the openssl 3.X/4.X/5.X API in the long run because the Apache license makes code-sharing difficult.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (41 preceding siblings ...)
2020-04-16 12:51 ` travankor
@ 2020-04-16 12:52 ` travankor
2020-04-16 12:53 ` xtraeme
` (98 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-04-16 12:52 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 405 bytes --]
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614632896
Comment:
Anyways, stick with libressl 3.1 for now, it's about to get released and adds more compatibility for openssl 1.1.
My main issue is that libressl won't match the openssl 3.X/4.X/5.X API in the long run because the Apache license makes code-sharing difficult.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (42 preceding siblings ...)
2020-04-16 12:52 ` travankor
@ 2020-04-16 12:53 ` xtraeme
2020-04-16 12:53 ` Johnnynator
` (97 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 12:53 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 210 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614633926
Comment:
@travankor they haven't been API/ABI compatible for a long time anyway...
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (43 preceding siblings ...)
2020-04-16 12:53 ` xtraeme
@ 2020-04-16 12:53 ` Johnnynator
2020-04-16 12:54 ` Johnnynator
` (96 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Johnnynator @ 2020-04-16 12:53 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 962 bytes --]
New comment by Johnnynator on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614633968
Comment:
> @Johnnynator we could use alternatives for the openssl command, and then use the specific impl cmd, i.e. for openssl "openssl", for libressl "openssl-libressl" or whatever.
Probably the most sane way, I will prepare it like that.
> @Johnnynator cool! I'll update the README then.
>
> So I'm not against it, but what bothers me about openssl is the perl build dependency... it DOES matter while bootstrapping. I would take the alpine patch to get rid of it.
Alpine also needs perl for bootstrapping, and the perl `c_rehash` runtime script is not needed in our case, since our `ca-certificates` package is not using it, so we can simply ignore it. Also as q66 pointed out, we already have a few packages that need perl for bootstrapping (e.g. `glibc`, `gcc`), so I don't see an issue with OpenSSL needing it.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (44 preceding siblings ...)
2020-04-16 12:53 ` Johnnynator
@ 2020-04-16 12:54 ` Johnnynator
2020-04-16 12:55 ` travankor
` (95 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Johnnynator @ 2020-04-16 12:54 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 310 bytes --]
New comment by Johnnynator on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614634371
Comment:
> Anyways, stick with libressl 3.1 for now, it's about to get released and adds more compatibility for openssl 1.1.
There are still significant gaps in the API.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (45 preceding siblings ...)
2020-04-16 12:54 ` Johnnynator
@ 2020-04-16 12:55 ` travankor
2020-04-16 12:58 ` travankor
` (94 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-04-16 12:55 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 173 bytes --]
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614634855
Comment:
Is openssl needed right now?
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (46 preceding siblings ...)
2020-04-16 12:55 ` travankor
@ 2020-04-16 12:58 ` travankor
2020-04-16 13:04 ` xtraeme
` (93 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-04-16 12:58 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 209 bytes --]
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614636147
Comment:
@xtraeme Yep, they will be two separate libraries in the future.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (47 preceding siblings ...)
2020-04-16 12:58 ` travankor
@ 2020-04-16 13:04 ` xtraeme
2020-04-16 13:04 ` xtraeme
` (92 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:04 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 355 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614639287
Comment:
I agree with two points in this PR:
- openssl contains ASM for some archs, i.e. faster than libressl.
- they don't break the ABI every 6 months.
I think those are two strong points to stick with openssl.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (48 preceding siblings ...)
2020-04-16 13:04 ` xtraeme
@ 2020-04-16 13:04 ` xtraeme
2020-04-16 13:05 ` xtraeme
` (91 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:04 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 217 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614639597
Comment:
As long as they don't repeat another heartbleed again I'm all for it! rofl
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (49 preceding siblings ...)
2020-04-16 13:04 ` xtraeme
@ 2020-04-16 13:05 ` xtraeme
2020-04-16 13:06 ` travankor
` (90 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:05 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 198 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614639794
Comment:
that's why I'm saying to keep libressl... just in case.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (50 preceding siblings ...)
2020-04-16 13:05 ` xtraeme
@ 2020-04-16 13:06 ` travankor
2020-04-16 13:07 ` q66
` (89 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-04-16 13:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 191 bytes --]
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614640812
Comment:
stuff that uses libtls will need libressl, too
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (51 preceding siblings ...)
2020-04-16 13:06 ` travankor
@ 2020-04-16 13:07 ` q66
2020-04-16 13:09 ` q66
` (88 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-16 13:07 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 499 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614641214
Comment:
Perl does *not* matter while bootstrapping, stop insisting that it does. I still don't see any reason to package both of them either, as @Johnnynator said it would require libarchive to be built against it and complicate everything. The "just in case" argument doesn't make any sense, *either of them* could mess up something and you have no way to know which.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (52 preceding siblings ...)
2020-04-16 13:07 ` q66
@ 2020-04-16 13:09 ` q66
2020-04-16 13:11 ` xtraeme
` (87 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-16 13:09 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 281 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614642146
Comment:
Does anything actually use libtls? Since it's a libressl specific api and most distros don't package it at all, I don't think we need to worry
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (53 preceding siblings ...)
2020-04-16 13:09 ` q66
@ 2020-04-16 13:11 ` xtraeme
2020-04-16 13:12 ` xtraeme
` (86 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:11 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 561 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614643370
Comment:
```
[juan@leysa ~]$ xbps-query -Rs libtls.so -p shlib-requires
acme-client-0.1.16_4: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
libressl-3.0.2_2: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
libressl-netcat-3.0.2_2: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
openntpd-6.2p3_5: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
s6-networking-2.3.1.2_1: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
[juan@leysa ~]$
```
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (54 preceding siblings ...)
2020-04-16 13:11 ` xtraeme
@ 2020-04-16 13:12 ` xtraeme
2020-04-16 13:15 ` xtraeme
` (85 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:12 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 220 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614644087
Comment:
@q66 I'm aware of perl in bootstrap. But in the musl case it's not necessary!
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (55 preceding siblings ...)
2020-04-16 13:12 ` xtraeme
@ 2020-04-16 13:15 ` xtraeme
2020-04-16 13:15 ` q66
` (84 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:15 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 248 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614645464
Comment:
Note that libarchive does only need openssl for libcrypto (shaXXX and related) not anything from SSL/TLS.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (56 preceding siblings ...)
2020-04-16 13:15 ` xtraeme
@ 2020-04-16 13:15 ` q66
2020-04-16 13:18 ` xtraeme
` (83 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-16 13:15 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 187 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614645489
Comment:
It is, since coreutils needs it, as well as GCC.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (57 preceding siblings ...)
2020-04-16 13:15 ` q66
@ 2020-04-16 13:18 ` xtraeme
2020-04-16 13:18 ` xtraeme
` (82 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:18 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 620 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614646888
Comment:
@q66 perl is only required in coreutils to run the test suite.
```
# The test suite needs to know if we have a working perl.
# FIXME: this is suboptimal. Ideally, we would be able to call gl_PERL
# with an ACTION-IF-NOT-FOUND argument ...
cu_have_perl=yes
case $PERL in *"/missing "*) cu_have_perl=no;; esac
if test $cu_have_perl = yes; then
HAVE_PERL_TRUE=
HAVE_PERL_FALSE='#'
else
HAVE_PERL_TRUE='#'
HAVE_PERL_FALSE=
fi
```
from coreutils configure
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (58 preceding siblings ...)
2020-04-16 13:18 ` xtraeme
@ 2020-04-16 13:18 ` xtraeme
2020-04-16 13:19 ` q66
` (81 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:18 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 205 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614647058
Comment:
@q66 GCC only requires perl due to texinfo, which is optional!
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (59 preceding siblings ...)
2020-04-16 13:18 ` xtraeme
@ 2020-04-16 13:19 ` q66
2020-04-16 13:21 ` xtraeme
` (80 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-16 13:19 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 427 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614647425
Comment:
Libcrypto contains the majority of the asm acceleration code, including for sha*. Wrt libtls: so... other openbsd projects (duh) - I doubt it'd be required, as e.g. Debian packages openntpd without libressl, and s6-networking, which can also use bearssl, which is a better choice either way.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (60 preceding siblings ...)
2020-04-16 13:19 ` q66
@ 2020-04-16 13:21 ` xtraeme
2020-04-16 13:21 ` q66
` (79 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:21 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 450 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614648946
Comment:
@q66 I'm not against this at all! not sure what's your point.
@Johnnynator already tried xbps with openssl >= 1.1 and it's ok, so it's ok for me too.
I was only mentioning the fact that openssl needs perl to build. But as you said, we require perl for bootstrapping so it's not an issue.
+1 from me
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (61 preceding siblings ...)
2020-04-16 13:21 ` xtraeme
@ 2020-04-16 13:21 ` q66
2020-04-16 13:23 ` xtraeme
` (78 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-16 13:21 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 328 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614649016
Comment:
Anyway, openssl needs Perl for good reasons, it uses it to deal with processing the assembly code for different targets. Libressl was only able to rip it out because they ripped out the asm
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (62 preceding siblings ...)
2020-04-16 13:21 ` q66
@ 2020-04-16 13:23 ` xtraeme
2020-04-16 13:24 ` q66
` (77 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:23 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 252 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614650064
Comment:
Alpine had a C implementation to get rid of perl in openssl in the past... not sure if this is true nowadays.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (63 preceding siblings ...)
2020-04-16 13:23 ` xtraeme
@ 2020-04-16 13:24 ` q66
2020-04-16 13:26 ` Johnnynator
` (76 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-16 13:24 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 164 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614650677
Comment:
C implementation of what?
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (64 preceding siblings ...)
2020-04-16 13:24 ` q66
@ 2020-04-16 13:26 ` Johnnynator
2020-04-16 13:28 ` q66
` (75 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Johnnynator @ 2020-04-16 13:26 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 309 bytes --]
New comment by Johnnynator on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614651420
Comment:
They still have a C implementation of `c_rehash` but as I said, it is not really needed and we can ignore it, since we use the debian ca_certificates update script.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (65 preceding siblings ...)
2020-04-16 13:26 ` Johnnynator
@ 2020-04-16 13:28 ` q66
2020-04-16 13:33 ` xtraeme
` (74 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-16 13:28 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 388 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614653071
Comment:
There are much worse bootstrap dependencies we could have than Perl anyway, as far as I know Perl has never been problematic on anything, has been around for decades and is completely portable. And pretty much every single distro out there ships it.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (66 preceding siblings ...)
2020-04-16 13:28 ` q66
@ 2020-04-16 13:33 ` xtraeme
2020-04-16 13:33 ` xtraeme
` (73 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:33 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 278 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614655698
Comment:
perl portable? sure, but only for native builds! it took me a while to figure out cross compilation way before perl-cross existed! ROFL
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (67 preceding siblings ...)
2020-04-16 13:33 ` xtraeme
@ 2020-04-16 13:33 ` xtraeme
2020-04-16 13:35 ` xtraeme
` (72 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:33 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 213 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614656000
Comment:
@q66 just take a look at void-packages git logs to see all my changes!
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (68 preceding siblings ...)
2020-04-16 13:33 ` xtraeme
@ 2020-04-16 13:35 ` xtraeme
2020-04-16 13:37 ` xtraeme
` (71 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:35 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 388 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614657182
Comment:
```
[juan@leysa void-packages]$ git shortlog -sn|head -5
35726 Juan RP
11076 maxice8
8004 Leah Neukirchen
6412 Michael Gehring
6328 Enno Boland
[juan@leysa void-packages]$
```
There's a reason why I've got 35K commits, you know!
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (69 preceding siblings ...)
2020-04-16 13:35 ` xtraeme
@ 2020-04-16 13:37 ` xtraeme
2020-04-17 6:18 ` Ypnose
` (70 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-16 13:37 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 210 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614658237
Comment:
Anyway I'll stop with this thread.
+1 to switch to openssl again
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (70 preceding siblings ...)
2020-04-16 13:37 ` xtraeme
@ 2020-04-17 6:18 ` Ypnose
2020-04-17 6:18 ` Ypnose
` (69 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Ypnose @ 2020-04-17 6:18 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 429 bytes --]
New comment by Ypnose on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-615064925
Comment:
I'm no longer a package maintainer, but from a user perspective `libressl` is sometimes painful when specific `openssl` options are needed and not included. There is an example here: https://github.com/libressl-portable/portable/issues/544
If it can save maintainers time, go for it.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (71 preceding siblings ...)
2020-04-17 6:18 ` Ypnose
@ 2020-04-17 6:18 ` Ypnose
2020-04-17 10:06 ` travankor
` (68 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Ypnose @ 2020-04-17 6:18 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 428 bytes --]
New comment by Ypnose on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-615064925
Comment:
I'm no longer a package maintainer, but from a user perspective `libressl` is sometimes painful when specific `openssl` options are needed and not included. There is an example here: https://github.com/libressl-portable/portable/issues/544
If it can save maintainers time, go for it.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (72 preceding siblings ...)
2020-04-17 6:18 ` Ypnose
@ 2020-04-17 10:06 ` travankor
2020-04-17 10:06 ` travankor
` (67 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-04-17 10:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 405 bytes --]
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614632896
Comment:
Anyways, stick with libressl 3.1 for now, it's about to get released and adds more compatibility for openssl 1.1.
My main issue is that libressl won't match the openssl 3.X/4.X/5.X API in the long run because the Apache license makes code-sharing difficult.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (73 preceding siblings ...)
2020-04-17 10:06 ` travankor
@ 2020-04-17 10:06 ` travankor
2020-04-17 10:06 ` travankor
` (66 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-04-17 10:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 173 bytes --]
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614634855
Comment:
Is openssl needed right now?
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (74 preceding siblings ...)
2020-04-17 10:06 ` travankor
@ 2020-04-17 10:06 ` travankor
2020-04-17 14:54 ` mobinmob
` (65 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-04-17 10:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 209 bytes --]
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-614636147
Comment:
@xtraeme Yep, they will be two separate libraries in the future.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (75 preceding siblings ...)
2020-04-17 10:06 ` travankor
@ 2020-04-17 14:54 ` mobinmob
2020-04-21 21:35 ` howtologinquickwiththirtyninecharacters
` (64 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: mobinmob @ 2020-04-17 14:54 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 935 bytes --]
New comment by mobinmob on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-615290027
Comment:
> ```
> [juan@leysa ~]$ xbps-query -Rs libtls.so -p shlib-requires
> acme-client-0.1.16_4: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
> libressl-3.0.2_2: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
> libressl-netcat-3.0.2_2: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
> openntpd-6.2p3_5: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
> s6-networking-2.3.1.2_1: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
> [juan@leysa ~]$
> ```
s6-networking works with bearssl. Upstream [marks bearssl support as beta](https://skarnet.org/software/s6-networking/) but both [Alpine](https://git.alpinelinux.org/aports/tree/main/s6-networking/APKBUILD?id=0ac87b7fb4b8e4e3717e3611107fc463c8dd261b) and [Adelie](https://code.foxkit.us/adelie/packages/blob/master/user/s6-networking/APKBUILD) use it.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (76 preceding siblings ...)
2020-04-17 14:54 ` mobinmob
@ 2020-04-21 21:35 ` howtologinquickwiththirtyninecharacters
2020-04-22 12:16 ` Hoshpak
` (63 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: howtologinquickwiththirtyninecharacters @ 2020-04-21 21:35 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 465 bytes --]
New comment by howtologinquickwiththirtyninecharacters on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-617426990
Comment:
@Johnnynator you may want to update your package to 1.1.1g, versions d, e and f are affected by [this vulnerability](https://www.openssl.org/news/secadv/20200421.txt). (Is this the right place to comment on this or should I have commented on the New package request? I'm still new to this).
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (77 preceding siblings ...)
2020-04-21 21:35 ` howtologinquickwiththirtyninecharacters
@ 2020-04-22 12:16 ` Hoshpak
2020-04-22 12:19 ` xtraeme
` (62 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Hoshpak @ 2020-04-22 12:16 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 371 bytes --]
New comment by Hoshpak on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-617743521
Comment:
The version remark would have been better in the PR; however, the vulnerability itself is highly relevant to this discussion, since the number of vulnerabilities in each library is an important decision criterion for a TLS library.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (78 preceding siblings ...)
2020-04-22 12:16 ` Hoshpak
@ 2020-04-22 12:19 ` xtraeme
2020-04-22 15:05 ` q66
` (61 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: xtraeme @ 2020-04-22 12:19 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 252 bytes --]
New comment by xtraeme on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-617744964
Comment:
What @Hoshpak said. I still think that libressl has fewer vulnerabilities, maybe due to slower release date...
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (79 preceding siblings ...)
2020-04-22 12:19 ` xtraeme
@ 2020-04-22 15:05 ` q66
2020-04-23 2:36 ` the-maldridge
` (60 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-22 15:05 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 218 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-617836159
Comment:
All software has vulnerabilities. I seriously doubt libressl has fewer of them.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (80 preceding siblings ...)
2020-04-22 15:05 ` q66
@ 2020-04-23 2:36 ` the-maldridge
2020-04-23 3:35 ` eli-schwartz
` (59 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: the-maldridge @ 2020-04-23 2:36 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 629 bytes --]
New comment by the-maldridge on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-618141960
Comment:
My 2 cents. I am opposed to software monocultures, they stifle attempts to produce new and better implementations and tend to breed discontent among developers that wish to do something different.
If we were to accept OpenSSL I would recommend doing so in the same way we have gcompat. It can be used in places where there is need for its specific interface, but otherwise not. My preferred SSL implementation is BoringSSL, though it is unsuitable for use in a distribution.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (81 preceding siblings ...)
2020-04-23 2:36 ` the-maldridge
@ 2020-04-23 3:35 ` eli-schwartz
2020-04-23 4:43 ` constptr
` (58 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: eli-schwartz @ 2020-04-23 3:35 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1178 bytes --]
New comment by eli-schwartz on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-618157192
Comment:
> Alpine also needs perl for bootstrapping, and the perl `c_rehash` runtime script is not needed in our case, since our `ca-certificates` package is not using it, so we can simply ignore it.
> They still have c implementation of `c_rehash` but as I said, it is not really needed and we can ignore it, since we use the debian ca_certificates update script.
Note that there's probably never a good excuse to use c_rehash at all, whether you use the debian ca_certificates script or not... because https://www.openssl.org/docs/man1.1.1/man1/openssl-rehash.html
tl;dr `/usr/bin/openssl rehash` and `/usr/bin/c_rehash` do the same thing, one in C and one in perl. It's unclear when you'd ever want to use the latter, and I think you might be hard-pressed to find software which invokes it. Someone tried to rewrite it in bash and PR it to openssl, but the PR was closed as "perl is easier to build on OpenVMS, that being said we might be able to just drop it entirely since you should just use the openssl app's rehash command".
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (82 preceding siblings ...)
2020-04-23 3:35 ` eli-schwartz
@ 2020-04-23 4:43 ` constptr
2020-04-23 7:59 ` fosslinux
` (57 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: constptr @ 2020-04-23 4:43 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 343 bytes --]
New comment by constptr on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-618174090
Comment:
I am not experienced/eligible to comment, but what about alternative SSL implementations like wolfssl (claims openssl compatibility) and GNU-TLS?
Openssl can avoid much manual patching though.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (83 preceding siblings ...)
2020-04-23 4:43 ` constptr
@ 2020-04-23 7:59 ` fosslinux
2020-04-23 8:23 ` travankor
` (56 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: fosslinux @ 2020-04-23 7:59 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 3705 bytes --]
New comment by fosslinux on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-618245112
Comment:
I agree with @the-maldridge, after some hard thinking and a discussion on IRC.
I'm not really concerned about OpenSSL in the repositories.
However, LibreSSL should be of first-class support, and OpenSSL should only be used where necessary for maintainability (eg, qt5). IMO, OpenSSL shouldn't be in the base system - xbps should stay with LibreSSL; no real reason to move it off it.
Saying all this, it is essential that the maintainers come to a decision how OpenSSL should be used **before it is merged**, and what will happen to LibreSSL (once again, I will strongly advocate for LibreSSL not being removed - rather still being first-class).
I see a number of options, ranked from most LibreSSL to most OpenSSL.
_No OpenSSL_
1. Do not merge OpenSSL.
_User choice, first-class support for LibreSSL; OpenSSL not well supported_
2. Merge OpenSSL, but do not have any packages depend upon it. Have it as a choice. Maintain full compatibility with LibreSSL, but don't require current packages to support OpenSSL. Do not include OpenSSL in the base system (default LibreSSL).
_User choice, first-class support for both_
3. Merge OpenSSL, but do not have any packages depend upon it. Have it as a choice. Maintain full compatibility with LibreSSL; quickly ensure all current packages to support OpenSSL. Do not include OpenSSL in the base system (default LibreSSL).
_Maintainer choice, but LibreSSL for base system_
4. Merge OpenSSL. Allow packages to depend upon it, and optionally drop LibreSSL specific patches. Packages will pull in either of OpenSSL or LibreSSL as required. Both could be installed on the same system. However, base packages should only include LibreSSL. Do not include OpenSSL in the base system.
_Maintainer choice, including base system - both in base system_
5. Merge OpenSSL. Allow packages to depend upon it, and optionally drop LibreSSL specific patches. Packages, including base packages, are allowed to pull in either of OpenSSL or LibreSSL as required. Both could be installed on the same system - and both will be installed as part of the base system.
_Maintainer choice, but OpenSSL for base system_
6. Merge OpenSSL. Convert all base system packages to use OpenSSL only (including xbps). Allow packages to depend upon it, and optionally drop LibreSSL specific patches. Base system should only use OpenSSL. Both could be installed on the same system, but only OpenSSL will be in the base system. Maintainers can still choose to use LibreSSL, and most software can continue to do so (ex. base system).
_User choice, first-class support for OpenSSL; LibreSSL not well supported_
7. Merge OpenSSL. Convert all base system packages to use OpenSSL only (including xbps). All packages must work with OpenSSL - make this a priority - but not all have to work with LibreSSL. Include OpenSSL in the base system, and make it the default. Maintainers must use OpenSSL.
_OpenSSL only; no LibreSSL_
8. Merge OpenSSL. Convert all packages to use OpenSSL only. All packages must work with OpenSSL. Roadmap for LibreSSL to be removed from the repositories.
6 is likely to end up at 7 eventually.
I, personally, would hate 7 or 8. My opinion is 4. 3 and 5 would create too much maintainer work, 6 would lead to an extreme drop of support of LibreSSL in general, and would eventually lead to 7. 1, 2 and 3 I would also be happy with (but 3 would create poor maintainership).
I would strongly recommend against 2 and 7 because all it's going to add is complex, dodgy code, broken software, and worse packaging.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (84 preceding siblings ...)
2020-04-23 7:59 ` fosslinux
@ 2020-04-23 8:23 ` travankor
2020-04-23 10:25 ` Duncaen
` (55 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-04-23 8:23 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 615 bytes --]
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-612701546
Comment:
Another advantage: OpenSSL is switching to a license OpenBSD considers [non-free](https://www.openbsd.org/policy.html) (Apache-2.0, which Void considers free). This means the codebase between openssl and libressl is more likely to diverge.
I think having better software (ie: haskell ssl library keeps breaking with libressl) and hardware support (ie: aarch64 crypto acceleration) is more useful for Void than security (not that openssl is super insecure these days).
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (85 preceding siblings ...)
2020-04-23 8:23 ` travankor
@ 2020-04-23 10:25 ` Duncaen
2020-04-23 10:29 ` Duncaen
` (54 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Duncaen @ 2020-04-23 10:25 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 255 bytes --]
New comment by Duncaen on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-618319932
Comment:
Running both is not an option; all reverse dependencies need to use the same one, otherwise we get runtime errors.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (86 preceding siblings ...)
2020-04-23 10:25 ` Duncaen
@ 2020-04-23 10:29 ` Duncaen
2020-04-23 11:19 ` q66
` (53 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Duncaen @ 2020-04-23 10:29 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 396 bytes --]
New comment by Duncaen on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-618319932
Comment:
Running both is not an option; all reverse dependencies need to use the same one, otherwise we get runtime errors.
Edit: Excluding the few limited cases that require libtls. A per package decision on using libressl or openssl is a logistical nightmare.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (87 preceding siblings ...)
2020-04-23 10:29 ` Duncaen
@ 2020-04-23 11:19 ` q66
2020-04-23 11:20 ` constptr
` (52 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-23 11:19 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 345 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-618344090
Comment:
Mixing libressl and openssl in one system is a recipe for disaster as they share symbols.
Also, sticking primarily with libressl does not solve the problem of the experience being poor outside of x86_64.
^ permalink raw reply [flat|nested] 143+ messages in thread
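To make the shared-symbol concern raised in the comments above concrete, here is an added example (not code from this thread or from the Void project) that walks `shlib-requires` / `shlib-provides` data in the `pkgver: soname (repo)` shape shown earlier and reports packages whose transitive library closure pulls in both TLS stacks. The `libfoo` and `mixapp` packages, the `_1` revisions, the OpenSSL and `libcrypto`/`libssl` sonames, and the family mapping are constructed sample data.

```python
import re
from collections import defaultdict

# "pkgver: soname" with an optional "(repository)" suffix, as xbps-query prints it.
LINE = re.compile(r"^(?P<pkg>\S+): (?P<soname>\S+)(?: \(.*\))?$")

# Constructed sample data. The first three rows copy the shape of the
# xbps-query output quoted in the thread; the rest are made up.
REQUIRES = """\
acme-client-0.1.16_4: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
openntpd-6.2p3_5: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
libressl-3.0.2_2: libtls.so.19 (/mnt/storage/hostdir/binpkgs)
libfoo-1.0_1: libssl.so.1.1
libfoo-1.0_1: libcrypto.so.1.1
mixapp-1.0_1: libtls.so.19
mixapp-1.0_1: libfoo.so.1
"""

PROVIDES = """\
libressl-3.0.2_2: libtls.so.19
libressl-3.0.2_2: libssl.so.47
libressl-3.0.2_2: libcrypto.so.45
openssl-1.1.1g_1: libssl.so.1.1
openssl-1.1.1g_1: libcrypto.so.1.1
libfoo-1.0_1: libfoo.so.1
"""

# Assumption: which provider package belongs to which TLS implementation.
TLS_FAMILIES = {
    "libressl-3.0.2_2": "LibreSSL",
    "openssl-1.1.1g_1": "OpenSSL",
}


def parse(text):
    """Parse 'pkgver: soname (repo)' lines into (pkgver, soname) pairs."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised line: {raw!r}")
        pairs.append((match["pkg"], match["soname"]))
    return pairs


def mixed_tls_packages(requires_text, provides_text, tls_families):
    """Return {pkgver: {family: [sonames]}} for every package whose
    transitive shared-library closure reaches more than one TLS family."""
    requires = defaultdict(set)
    for pkg, soname in parse(requires_text):
        requires[pkg].add(soname)
    provider = {soname: pkg for pkg, soname in parse(provides_text)}

    report = {}
    for pkg in sorted(requires):
        seen, stack, families = set(), [pkg], defaultdict(set)
        while stack:
            current = stack.pop()
            if current in seen:
                continue
            seen.add(current)
            for soname in requires.get(current, ()):
                owner = provider.get(soname)
                if owner is None:
                    continue  # provided outside the sample (libc and so on)
                family = tls_families.get(owner)
                if family is not None:
                    families[family].add(soname)
                stack.append(owner)  # follow the provider's own requirements
        if len(families) > 1:
            report[pkg] = {name: sorted(libs) for name, libs in families.items()}
    return report


if __name__ == "__main__":
    for pkg, families in mixed_tls_packages(REQUIRES, PROVIDES, TLS_FAMILIES).items():
        print(pkg, families)
```

Only `mixapp` is reported: it links `libtls` directly and reaches the OpenSSL libraries through `libfoo`, which is the one-process, two-stacks case the comments describe.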
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (88 preceding siblings ...)
2020-04-23 11:19 ` q66
@ 2020-04-23 11:20 ` constptr
2020-04-24 6:34 ` Ypnose
` (51 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: constptr @ 2020-04-23 11:20 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 343 bytes --]
New comment by constptr on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-618174090
Comment:
I am not experienced/eligible to comment, but what about alternative SSL implementations like wolfssl (claims openssl compatibility) and GNU-TLS?
Openssl can avoid much manual patching though.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (89 preceding siblings ...)
2020-04-23 11:20 ` constptr
@ 2020-04-24 6:34 ` Ypnose
2020-04-24 7:32 ` the-maldridge
` (50 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Ypnose @ 2020-04-24 6:34 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 182 bytes --]
New comment by Ypnose on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-618830213
Comment:
Please, can you elaborate on your comment?
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (90 preceding siblings ...)
2020-04-24 6:34 ` Ypnose
@ 2020-04-24 7:32 ` the-maldridge
2020-04-24 14:01 ` q66
` (49 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: the-maldridge @ 2020-04-24 7:32 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 612 bytes --]
New comment by the-maldridge on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-618853743
Comment:
I believe q66 is referring to openssl containing large amounts of hand optimized assembly for both modern and long dead platforms which accelerates certain arithmetic functions. LibreSSL works primarily on x86_64.
Perhaps a better question to ask about this is why Void is seeing poor performance on non-x86 platforms. OpenBSD builds on a number of different targets, and there aren't reports of poor performance that I'm aware of from a very cursory search.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (91 preceding siblings ...)
2020-04-24 7:32 ` the-maldridge
@ 2020-04-24 14:01 ` q66
2020-04-24 16:48 ` q66
` (48 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-24 14:01 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 706 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-619029088
Comment:
@the-maldridge It's not just about hand optimized, it's also about access to hardware crypto, which libressl outside of x86_64 does not have, which results in significantly poorer throughput
1) openbsd builds a lot fewer targets than Linux, e.g. they don't have 64-bit ppc of any kind
2) people using openbsd don't care about performance a whole lot, e.g. there is still no reasonable SMP in openbsd
3) openbsd still uses the perl infra from openssl to generate asm for targets they build, while libressl-portable just has the x86_64 ones generated ahead of time
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (92 preceding siblings ...)
2020-04-24 14:01 ` q66
@ 2020-04-24 16:48 ` q66
2020-04-27 20:31 ` Vaelatern
` (47 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-04-24 16:48 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 309 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-619125471
Comment:
I ran some tests on ppc64le for comparison: https://gist.githubusercontent.com/q66/4f4dc63565cdfafb10c6dde1d3067648/raw/8d2243c22324212af35d3133455c0c7067ab088f/bench.txt
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (93 preceding siblings ...)
2020-04-24 16:48 ` q66
@ 2020-04-27 20:31 ` Vaelatern
2020-04-30 21:38 ` CameronNemo
` (46 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Vaelatern @ 2020-04-27 20:31 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 698 bytes --]
New comment by Vaelatern on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-620217990
Comment:
Should note that dfly, an OS that cares a lot about SMP, does use libressl, but they are only x86_64.
It may be that openssl is no longer the tire fire it was when Void Linux switched. More importantly, it may be that adoption of OpenSSL is more in line with Void's philosophy than staying on LibreSSL.
But there is about to be a new LibreSSL release. I'd propose that we wait for that release and the rebuild following before we make a decision, to see if things are better or diverging openssl and libressl APIs are making things so much worse.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (94 preceding siblings ...)
2020-04-27 20:31 ` Vaelatern
@ 2020-04-30 21:38 ` CameronNemo
2020-05-01 17:59 ` marmeladema
` (45 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: CameronNemo @ 2020-04-30 21:38 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 272 bytes --]
New comment by CameronNemo on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-622128466
Comment:
Regarding libtls, we may have an option in this library (note: I have not vetted this):
https://sr.ht/~mcf/libtls-bearssl/
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (95 preceding siblings ...)
2020-04-30 21:38 ` CameronNemo
@ 2020-05-01 17:59 ` marmeladema
2020-05-01 18:08 ` marmeladema
` (44 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: marmeladema @ 2020-05-01 17:59 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 428 bytes --]
New comment by marmeladema on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-622494812
Comment:
By the way, new release of LibreSSL is out since early April:
* https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.0-relnotes.txt
* https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.0.tar.gz
* https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.0.tar.gz.asc
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (96 preceding siblings ...)
2020-05-01 17:59 ` marmeladema
@ 2020-05-01 18:08 ` marmeladema
2020-05-04 3:56 ` concatime
` (43 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: marmeladema @ 2020-05-01 18:08 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 502 bytes --]
New comment by marmeladema on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-622494812
Comment:
By the way, new release of LibreSSL is out since early April:
* https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.0-relnotes.txt
* https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.0.tar.gz
* https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.1.0.tar.gz.asc
Well ... apparently it's not a stable version. Sorry for the confusion.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (97 preceding siblings ...)
2020-05-01 18:08 ` marmeladema
@ 2020-05-04 3:56 ` concatime
2020-05-04 3:56 ` concatime
` (42 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: concatime @ 2020-05-04 3:56 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 209 bytes --]
New comment by concatime on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-623245515
Comment:
@travankor, from the [link](), BearSSL does NOT implement TLS1.3
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (98 preceding siblings ...)
2020-05-04 3:56 ` concatime
@ 2020-05-04 3:56 ` concatime
2020-05-04 3:58 ` concatime
` (41 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: concatime @ 2020-05-04 3:56 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 209 bytes --]
New comment by concatime on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-623245515
Comment:
@travankor, from the [link](), BearSSL does NOT implement TLS1.3
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (99 preceding siblings ...)
2020-05-04 3:56 ` concatime
@ 2020-05-04 3:58 ` concatime
2020-05-04 4:00 ` concatime
` (40 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: concatime @ 2020-05-04 3:58 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 387 bytes --]
New comment by concatime on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-623245866
Comment:
(https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/)
@travankor, to be fair, BearSSL does [NOT](//bearssl.org/tls13.html) implement TLS 1.3.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (100 preceding siblings ...)
2020-05-04 3:58 ` concatime
@ 2020-05-04 4:00 ` concatime
2020-05-04 12:28 ` travankor
` (39 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: concatime @ 2020-05-04 4:00 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 479 bytes --]
New comment by concatime on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-623245866
Comment:
(https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2019/february/downgrade-attack-on-tls-1.3-and-vulnerabilities-in-major-tls-libraries/)
@travankor, to be fair, BearSSL does [NOT](//bearssl.org/tls13.html) implement TLS 1.3.
It would have been cool if they also tested [MatrixSSL](//github.com/matrixssl/matrixssl).
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (101 preceding siblings ...)
2020-05-04 4:00 ` concatime
@ 2020-05-04 12:28 ` travankor
2020-05-15 19:48 ` imrn
` (38 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: travankor @ 2020-05-04 12:28 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 395 bytes --]
New comment by travankor on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-623434182
Comment:
@concatime I only suggested to xtraeme that he considers a bearssl backend for xbps. Since he's gone, it's up to the community to decide.
I doubt anyone would port xbps to MatrixSSL, given that it changes the effective license of the derived work.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (102 preceding siblings ...)
2020-05-04 12:28 ` travankor
@ 2020-05-15 19:48 ` imrn
2020-05-15 20:55 ` Vaelatern
` (37 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: imrn @ 2020-05-15 19:48 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 190 bytes --]
New comment by imrn on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-629448469
Comment:
#21994: Is it related to libressl? Any comments?
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (103 preceding siblings ...)
2020-05-15 19:48 ` imrn
@ 2020-05-15 20:55 ` Vaelatern
2020-05-15 20:55 ` Vaelatern
` (36 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Vaelatern @ 2020-05-15 20:55 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 163 bytes --]
New comment by Vaelatern on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-629478596
Comment:
@imrn not related.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (104 preceding siblings ...)
2020-05-15 20:55 ` Vaelatern
@ 2020-05-15 20:55 ` Vaelatern
2020-07-30 15:02 ` marmeladema
` (35 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Vaelatern @ 2020-05-15 20:55 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 172 bytes --]
New comment by Vaelatern on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-629478596
Comment:
@imrn probably not related.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (105 preceding siblings ...)
2020-05-15 20:55 ` Vaelatern
@ 2020-07-30 15:02 ` marmeladema
2020-07-31 0:34 ` fosslinux
` (34 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: marmeladema @ 2020-07-30 15:02 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 443 bytes --]
New comment by marmeladema on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-666429462
Comment:
Has any consensus been reached?
On a personal note, I am starting to struggle using Void Linux on a daily basis because more and more things rely on recent protocols/algorithms not provided by libressl. For example, I have to either build openssl/cURL myself or rely on a docker version of cURL.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (106 preceding siblings ...)
2020-07-30 15:02 ` marmeladema
@ 2020-07-31 0:34 ` fosslinux
2020-08-09 7:37 ` bugcrazy
` (33 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: fosslinux @ 2020-07-31 0:34 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 173 bytes --]
New comment by fosslinux on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-666828682
Comment:
What is the issue with cURL?
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (107 preceding siblings ...)
2020-07-31 0:34 ` fosslinux
@ 2020-08-09 7:37 ` bugcrazy
2020-08-09 9:40 ` Duncaen
` (32 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: bugcrazy @ 2020-08-09 7:37 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 898 bytes --]
New comment by bugcrazy on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-671019011
Comment:
OpenSSL has a lot of legacy OS discontinued, quantity of developers in OpenSSL does not mean quality in the code, OpenSSL has a design problem, it is susceptible to serious flaws, not that LibreSSL has no vulnerabilities, but it has cleaner code and with a focus on safety. This link shows that LibreSSL has more development than https://cpp.libhunt.com/compare-openssl-vs-libressl
Here on this Gentoo link that has a LibreSSL port project, which has patches and fixes to ensure software compatibility with LibreSSL. https://gitweb.gentoo.org/repo/proj/libressl.git
In this old link, it compares OpenSSL vs LibreSSL, showing how security is applied in LibreSSL code.
https://resources.infosecinstitute.com/libressl-the-secure-openssl-alternative/
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (108 preceding siblings ...)
2020-08-09 7:37 ` bugcrazy
@ 2020-08-09 9:40 ` Duncaen
2020-08-09 9:41 ` Duncaen
` (31 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Duncaen @ 2020-08-09 9:40 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 826 bytes --]
New comment by Duncaen on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-671030539
Comment:
> This link shows that LibreSSL has more development than https://cpp.libhunt.com/compare-openssl-vs-libressl
https://github.com/openssl/openssl/graphs/commit-activity
https://github.com/libressl-portable/portable/graphs/commit-activity
> Here on this Gentoo link that has a LibreSSL port project, which has patches and fixes to ensure software compatibility with LibreSSL. https://gitweb.gentoo.org/repo/proj/libressl.git
Those are 3 people with like 30 commits this year.
Who do exactly the same as the Void Team just at a smaller scale, they are not magically more competent or better. I would argue that their patches are a lot less used than Void's package repository.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (109 preceding siblings ...)
2020-08-09 9:40 ` Duncaen
@ 2020-08-09 9:41 ` Duncaen
2020-08-09 23:06 ` fosslinux
` (30 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Duncaen @ 2020-08-09 9:41 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 827 bytes --]
New comment by Duncaen on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-671030539
Comment:
> This link shows that LibreSSL has more development than https://cpp.libhunt.com/compare-openssl-vs-libressl
https://github.com/openssl/openssl/graphs/commit-activity
https://github.com/libressl-portable/portable/graphs/commit-activity
> Here on this Gentoo link that has a LibreSSL port project, which has patches and fixes to ensure software compatibility with LibreSSL. https://gitweb.gentoo.org/repo/proj/libressl.git
Those are 3 people with like 30 commits this year.
They do exactly the same as the Void Team just at a smaller scale, they are not magically more competent or better. I would argue that their patches are a lot less used than Void's package repository.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (110 preceding siblings ...)
2020-08-09 9:41 ` Duncaen
@ 2020-08-09 23:06 ` fosslinux
2020-08-09 23:06 ` fosslinux
` (29 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: fosslinux @ 2020-08-09 23:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1234 bytes --]
New comment by fosslinux on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-671111760
Comment:
> This link shows that LibreSSL has more development than https://cpp.libhunt.com/compare-openssl-vs-libressl
Untrue, look at commit histories.
> In this **old** link, it compares OpenSSL vs LibreSSL, showing how security is applied in LibreSSL code.
https://resources.infosecinstitute.com/libressl-the-secure-openssl-alternative/
> OpenSSL has a design problem, it is susceptible to serious flaws
(emphasis mine); yes, it is old, and that's the problem. OpenSSL's codebase quality and security auditing has increased greatly in the last 5 years. I would have agreed with you some time ago. Nowadays, LibreSSL gets much less auditing, has much fewer developers working on LibreSSL-portable, and has far less architecture support.
> quantity of developers in OpenSSL does not mean quality in the code
I agree, but it does mean that something has to lose attention. Often, this is performance, or architecture support, and even build support/code quality (especially in libressl-portable), as @q66 can attest to.
> OpenSSL has a lot of legacy OS discontinued
Care to elaborate?
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (111 preceding siblings ...)
2020-08-09 23:06 ` fosslinux
@ 2020-08-09 23:06 ` fosslinux
2020-08-11 7:07 ` bugcrazy
` (28 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: fosslinux @ 2020-08-09 23:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1242 bytes --]
New comment by fosslinux on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-671111760
Comment:
> This link shows that LibreSSL has more development than https://cpp.libhunt.com/compare-openssl-vs-libressl
Untrue, look at commit histories.
> In this **old** link, it compares OpenSSL vs LibreSSL, showing how security is applied in LibreSSL code.
https://resources.infosecinstitute.com/libressl-the-secure-openssl-alternative/
> OpenSSL has a design problem, it is susceptible to serious flaws
(emphasis mine); yes, it is old, and that's the problem. OpenSSL's codebase quality and security auditing has increased greatly in the last 5 years. I would have agreed with you some time ago. Nowadays, LibreSSL gets much less auditing, has much fewer developers working on LibreSSL-portable, and has far less architecture support.
> quantity of developers in OpenSSL does not mean quality in the code
I agree, but it does mean that something has to lose attention. Often, this is performance, or architecture support, and even build support/code quality (especially in libressl-portable), as @q66 can attest to.
> OpenSSL has a lot of legacy OS discontinued
Care to elaborate?
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (112 preceding siblings ...)
2020-08-09 23:06 ` fosslinux
@ 2020-08-11 7:07 ` bugcrazy
2020-08-11 7:47 ` fosslinux
` (27 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: bugcrazy @ 2020-08-11 7:07 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 2419 bytes --]
New comment by bugcrazy on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-671769721
Comment:
> > This link shows that LibreSSL has more development than https://cpp.libhunt.com/compare-openssl-vs-libressl
>
> Untrue, look at commit histories.
>
> > In this **old** link, it compares OpenSSL vs LibreSSL, showing how security is applied in LibreSSL code.
> > https://resources.infosecinstitute.com/libressl-the-secure-openssl-alternative/
> > OpenSSL has a design problem, it is susceptible to serious flaws
>
> (emphasis mine); yes, it is old, and that's the problem. OpenSSL's codebase quality and security auditing has increased greatly in the last 5 years. I would have agreed with you some time ago. Nowadays, LibreSSL gets much less auditing, has much fewer developers working on LibreSSL-portable, and has far less architecture support.
>
> > quantity of developers in OpenSSL does not mean quality in the code
>
> I agree, but it does mean that something has to lose attention. Often, this is performance, or architecture support, and even build support/code quality (especially in libressl-portable), as @q66 can attest to.
>
> > OpenSSL has a lot of legacy OS discontinued
>
> Care to elaborate?
LibreSSL has an independent audit, which can be seen on this link, with a report by a member of Void Linux.
https://blog.doyensec.com/2020/04/08/libressl-fuzzer.html
This academic thesis "Analysis of software vulnerabilities through historical data" shows comparative graphs of CVEs. http://lup.lub.lu.se/student-papers/record/8923711/file/8923713.pdf
OpenSSL has a bad design, which favors serious vulnerabilities, this has not been fixed, as this is part of the structural code of OpenSSL, over the years, it has maintained serious vulnerabilities that affect linking software.
https://news.ycombinator.com/item?id=22935221
https://github.com/openssl/openssl/issues/4729
https://github.com/openssl/openssl/issues/4733
https://hownot2code.com/2016/06/03/evaluate-the-string-literal-length-automatically/#more-172
https://www.viva64.com/en/b/0183/
In these links you can compare the number of CVEs between OpenSSL and LibreSSL.
https://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html
https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-30688/Openbsd-Libressl.html
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (113 preceding siblings ...)
2020-08-11 7:07 ` bugcrazy
@ 2020-08-11 7:47 ` fosslinux
2020-08-11 16:37 ` concatime
` (26 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: fosslinux @ 2020-08-11 7:47 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1047 bytes --]
New comment by fosslinux on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-671787206
Comment:
CVEs are an interesting thing, and actually a point I brought up much earlier, I think on IRC, when I wasn't convinced of moving back to OpenSSL. Basically, OpenSSL is a far more audited codebase and receives more auditing attention than LibreSSL.
I don't see linters/static analysis code checking tools, alone, as evidence of poor coding practices. An OpenSSL dev said in one of those threads that many are false positives.
In addition, each of the articles you linked above (excluding the recent vuln, which was discussed earlier in this thread) are 3+ years old. Again, I am of the opinion that the code quality has improved in that time.
Anyway, I don't think I'll go back and forth, let others lay down their opinions on your data if they would like.
Thanks for the threads, btw, interesting reads, which do reinforce Void's position for originally changing to LibreSSL... at the time.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (114 preceding siblings ...)
2020-08-11 7:47 ` fosslinux
@ 2020-08-11 16:37 ` concatime
2020-08-11 16:37 ` concatime
` (25 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: concatime @ 2020-08-11 16:37 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 787 bytes --]
New comment by concatime on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-672077539
Comment:
I would recommend:
1. changing xbps to bearssl. It has really straight API. One downside is that it does not support TLS 1.3 [yet](//bearssl.org/tls13.html). It’s really easy to build/bootstrap, no perl nor cmake, just pure make.
2. replace LibreSSL by OpenSSL 1.1
3. drop all packages that require OpenSSL 1.0
LibreSSL is intended to be used in OpenBSD. I don’t even know if LibreSSL follows OpenSSL 1.0 or 1.1 API. I’ve had a bug with OCSP in Nginx and it took them 8 months to fix it. See https://github.com/libressl-portable/portable/issues/532. LibreSSL is not a bad project at all, it’s just that it’s meant for OpenBSD.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (115 preceding siblings ...)
2020-08-11 16:37 ` concatime
@ 2020-08-11 16:37 ` concatime
2020-08-11 19:42 ` q66
` (24 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: concatime @ 2020-08-11 16:37 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 782 bytes --]
New comment by concatime on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-672077539
Comment:
I would recommend:
1. changing xbps to bearssl. It has really straight API. One downside is that it does not support TLS 1.3 [yet](//bearssl.org/tls13.html). It’s really easy to build/bootstrap, no perl nor cmake, just pure make.
2. replace LibreSSL by OpenSSL 1.1
3. drop all packages that require OpenSSL 1.0
LibreSSL is intended to be used in OpenBSD. I don’t even know if LibreSSL follows OpenSSL 1.0 or 1.1 API. I had a bug with OCSP in Nginx and it took them 8 months to fix it. See https://github.com/libressl-portable/portable/issues/532. LibreSSL is not a bad project at all, it’s just that it’s meant for OpenBSD.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (116 preceding siblings ...)
2020-08-11 16:37 ` concatime
@ 2020-08-11 19:42 ` q66
2020-08-12 0:35 ` fosslinux
` (23 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-08-11 19:42 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 217 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-672231015
Comment:
well, ideally we'd go straight with openssl 3.0; it should be out soon, AFAIK.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (117 preceding siblings ...)
2020-08-11 19:42 ` q66
@ 2020-08-12 0:35 ` fosslinux
2020-08-12 1:03 ` q66
` (22 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: fosslinux @ 2020-08-12 0:35 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 413 bytes --]
New comment by fosslinux on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-672396909
Comment:
> changing xbps to bearssl
Two ssl's is probably a recipe for disaster.
> replace LibreSSL by OpenSSL 1.1
> drop all packages that require OpenSSL 1.0
Agreed.
> LibreSSL is not a bad project at all, it’s just that it’s meant for OpenBSD.
100% agree
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (118 preceding siblings ...)
2020-08-12 0:35 ` fosslinux
@ 2020-08-12 1:03 ` q66
2020-08-12 1:53 ` fosslinux
` (21 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: q66 @ 2020-08-12 1:03 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 456 bytes --]
New comment by q66 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-672414975
Comment:
i think they meant making xbps use *only* bearssl, which would be fine - you already have multiple TLS implementations in your system (there's openssl/libressl, but also nss, gnutls, etc.)
bearssl is nice, small, and explicitly geared towards security (it performs no dynamic memory allocations for example, AFAIK)
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (119 preceding siblings ...)
2020-08-12 1:03 ` q66
@ 2020-08-12 1:53 ` fosslinux
2021-01-04 23:06 ` mgorny
` (20 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: fosslinux @ 2020-08-12 1:53 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 155 bytes --]
New comment by fosslinux on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-672448619
Comment:
Ah, I see.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (120 preceding siblings ...)
2020-08-12 1:53 ` fosslinux
@ 2021-01-04 23:06 ` mgorny
2021-01-06 10:19 ` marmeladema
` (19 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: mgorny @ 2021-01-04 23:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 290 bytes --]
New comment by mgorny on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-754275945
Comment:
FYI Gentoo is discontinuing support in LibreSSL in February — however, in our case it's easier because LibreSSL was always the alternative option.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (121 preceding siblings ...)
2021-01-04 23:06 ` mgorny
@ 2021-01-06 10:19 ` marmeladema
2021-01-06 18:31 ` AngryPhantom
` (18 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: marmeladema @ 2021-01-06 10:19 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 224 bytes --]
New comment by marmeladema on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-755214148
Comment:
Nice read about this: https://lwn.net/SubscriberLink/841664/0ba4265680b9dadf/
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (122 preceding siblings ...)
2021-01-06 10:19 ` marmeladema
@ 2021-01-06 18:31 ` AngryPhantom
2021-01-06 18:32 ` AngryPhantom
` (17 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: AngryPhantom @ 2021-01-06 18:31 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 269 bytes --]
New comment by AngryPhantom on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-755484270
Comment:
Another (Gentoo) read is [here](https://www.gentoo.org/support/news-items/2021-01-05-libressl-support-discontinued.html).
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (123 preceding siblings ...)
2021-01-06 18:31 ` AngryPhantom
@ 2021-01-06 18:32 ` AngryPhantom
2021-02-11 0:48 ` kawaiiamber
` (16 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: AngryPhantom @ 2021-01-06 18:32 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 343 bytes --]
New comment by AngryPhantom on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-755484270
Comment:
Another (Gentoo) read is [here](https://www.gentoo.org/support/news-items/2021-01-05-libressl-support-discontinued.html).
P.S. Sorry, it can be already mentioned via link in the comment above.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (124 preceding siblings ...)
2021-01-06 18:32 ` AngryPhantom
@ 2021-02-11 0:48 ` kawaiiamber
2021-02-11 1:02 ` eli-schwartz
` (15 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: kawaiiamber @ 2021-02-11 0:48 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 340 bytes --]
New comment by kawaiiamber on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-777139270
Comment:
I don't really know too much about the fine details, but all I hope is that VOID might at least keep LibreSSL as an option? For me at least, LibreSSL was one of the main selling points of VOID.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (125 preceding siblings ...)
2021-02-11 0:48 ` kawaiiamber
@ 2021-02-11 1:02 ` eli-schwartz
2021-02-11 1:06 ` kawaiiamber
` (14 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: eli-schwartz @ 2021-02-11 1:02 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 629 bytes --]
New comment by eli-schwartz on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-777143677
Comment:
There's no such thing as keeping it as an option. Every application that links to the ssl libraries needs to either link to one or the other. It's possible to have both, and for some programs to link to one and some to link to the other, but you cannot just swap them out.
If you want to have a version of Void Linux that uses libressl while the main version of Void uses openssl, then it does indeed need to be a version of the entire OS. It would be like the musl/glibc split.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (126 preceding siblings ...)
2021-02-11 1:02 ` eli-schwartz
@ 2021-02-11 1:06 ` kawaiiamber
2021-02-11 1:13 ` eli-schwartz
` (13 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: kawaiiamber @ 2021-02-11 1:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 756 bytes --]
New comment by kawaiiamber on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-777144799
Comment:
> There's no such thing as keeping it as an option. Every application that links to the ssl libraries needs to either link to one or the other. It's possible to have both, and for some programs to link to one and some to link to the other, but you cannot just swap them out.
>
> If you want to have a version of Void Linux that uses libressl while the main version of Void uses openssl, then it does indeed need to be a version of the entire OS. It would be like the musl/glibc split.
I see. It would increase the things to maintain to:
`VOID`
`VOID-musl`
`VOID-LibreSSL`
`VOID-LibreSSL-musl`
then.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (127 preceding siblings ...)
2021-02-11 1:06 ` kawaiiamber
@ 2021-02-11 1:13 ` eli-schwartz
2021-02-11 1:28 ` ericonr
` (12 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: eli-schwartz @ 2021-02-11 1:13 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 346 bytes --]
New comment by eli-schwartz on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-777146685
Comment:
More or less.
Some packages could be shared between openssl and libressl spins (if they don't link to libssl.so and friends) but it would be less effort to rebuild everything anyway I'm guessing.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (128 preceding siblings ...)
2021-02-11 1:13 ` eli-schwartz
@ 2021-02-11 1:28 ` ericonr
2021-02-22 9:12 ` mikhailnov
` (11 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: ericonr @ 2021-02-11 1:28 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 476 bytes --]
New comment by ericonr on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-777150801
Comment:
Most of the listed pros in the top post lead to a decrease in the maintenance burden related to the library that provides the "OpenSSL API" (LibreSSL's ABI breaks, patching external software, etc). If someone wishes to maintain a `void-libressl` distro after such a switch has happened, I can't see it being anything but a Void fork.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (129 preceding siblings ...)
2021-02-11 1:28 ` ericonr
@ 2021-02-22 9:12 ` mikhailnov
2021-03-01 20:36 ` Logarithmus
` (10 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: mikhailnov @ 2021-02-22 9:12 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 337 bytes --]
New comment by mikhailnov on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-783221066
Comment:
> It's possible to have both, and for some programs to link to one and some to link to the other
Only for some. It will lead to mixture of 2 different libssls in one runtime in many cases.
^ permalink raw reply [flat|nested] 143+ messages in thread
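The mixed-runtime case raised in the comment above (two different libssl builds ending up in one process) can be checked for on a running system. This is an added example, not part of the thread or of Void's tooling: a Python sketch that parses `/proc/<pid>/maps` text and reports any process with more than one distinct libssl or libcrypto file mapped. The function names, sample maps content, paths and version suffixes are constructed for illustration.

```python
import os
import re
from collections import defaultdict

# Path column of a /proc/<pid>/maps line that names libssl or libcrypto.
# Group 1: library family; group 2: version suffix of the mapped file.
_LIB_RE = re.compile(r"/(lib(?:ssl|crypto))\.so\.([0-9][0-9A-Za-z.]*)$")

# Constructed sample: one process that has pulled in two TLS stacks,
# e.g. directly and through a dependency built against the other library.
SAMPLE_MIXED = """\
55d0c0a00000-55d0c0a21000 r-xp 00000000 08:01 131101 /usr/bin/exampled
7f1c2a000000-7f1c2a07d000 r-xp 00000000 08:01 262201 /usr/lib/libssl.so.1.1
7f1c2a400000-7f1c2a6e0000 r-xp 00000000 08:01 262202 /usr/lib/libcrypto.so.1.1
7f1c2b000000-7f1c2b05a000 r-xp 00000000 08:01 262301 /usr/lib/libssl.so.48.0.1
7f1c2b400000-7f1c2b5c0000 r-xp 00000000 08:01 262302 /usr/lib/libcrypto.so.46.0.1
7f1c2c000000-7f1c2c1c0000 r-xp 00000000 08:01 262401 /usr/lib/libc.so.6
7ffd5e000000-7ffd5e021000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample: a single TLS stack, mapped as several segments.
SAMPLE_CLEAN = """\
7f1c2a000000-7f1c2a01d000 r--p 00000000 08:01 262201 /usr/lib/libssl.so.1.1
7f1c2a01d000-7f1c2a07d000 r-xp 0001d000 08:01 262201 /usr/lib/libssl.so.1.1
7f1c2a400000-7f1c2a6e0000 r-xp 00000000 08:01 262202 /usr/lib/libcrypto.so.1.1
7f1c2a6e0000-7f1c2a700000 rw-p 00000000 00:00 0
"""


def tls_libs_in_maps(maps_text):
    """Return {family: set(version suffixes)} for libssl/libcrypto mappings."""
    found = defaultdict(set)
    for line in maps_text.splitlines():
        # Columns: address perms offset dev inode [pathname]
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path = fields[5].strip()
        # A library replaced on disk while still mapped is shown as deleted.
        if path.endswith(" (deleted)"):
            path = path[: -len(" (deleted)")]
        match = _LIB_RE.search(path)
        if match:
            family, version = match.groups()
            found[family].add(version)
    return found


def mixed_tls_runtime(maps_text):
    """Return {family: sorted versions} only where more than one is mapped."""
    libs = tls_libs_in_maps(maps_text)
    return {fam: sorted(vers) for fam, vers in libs.items() if len(vers) > 1}


def scan_proc(proc_root="/proc"):
    """Check every readable process under proc_root; return {pid: findings}."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                mixed = mixed_tls_runtime(fh.read())
        except OSError:
            continue  # process exited or not permitted to read
        if mixed:
            results[int(entry)] = mixed
    return results


if __name__ == "__main__":
    print("sample:", mixed_tls_runtime(SAMPLE_MIXED))
    if os.path.isdir("/proc"):
        for pid, mixed in sorted(scan_proc().items()):
            print(pid, mixed)
```

Run as root to cover processes owned by other users; an empty result from `scan_proc()` means no readable process currently maps two different libssl or libcrypto files.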
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (130 preceding siblings ...)
2021-02-22 9:12 ` mikhailnov
@ 2021-03-01 20:36 ` Logarithmus
2021-03-01 20:44 ` Logarithmus
` (9 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Logarithmus @ 2021-03-01 20:36 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 289 bytes --]
New comment by Logarithmus on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-788256319
Comment:
How do libressl & openssl compare in terms of code lines count?
Also isn't libressl source code better? Or did the matters change since 2014?
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (131 preceding siblings ...)
2021-03-01 20:36 ` Logarithmus
@ 2021-03-01 20:44 ` Logarithmus
2021-03-01 21:06 ` eli-schwartz
` (8 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Logarithmus @ 2021-03-01 20:44 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 669 bytes --]
New comment by Logarithmus on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-788256319
Comment:
How do libressl & openssl compare in terms of code lines count?
Also isn't libressl source code better? Or did the matters change since 2014?
If I understood correctly, the main reason to abandon libressl is maintenance burden. OK, then why support `musl` then?
I use `musl` myself because it's lightweight & its source code is easy to read, compared to `glibc`. But unfortunately it seems that majority of developers don't care about POSIX compliance at all. IMHO `musl` patches are PITA much more than `libressl`.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (132 preceding siblings ...)
2021-03-01 20:44 ` Logarithmus
@ 2021-03-01 21:06 ` eli-schwartz
2021-03-01 21:27 ` ericonr
` (7 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: eli-schwartz @ 2021-03-01 21:06 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 581 bytes --]
New comment by eli-schwartz on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-788284343
Comment:
> How do libressl & openssl compare in terms of code lines count?
libressl is lots fewer lines, because they removed all the speed on the grounds that it is code bloat?
> Or did the matters change since 2014?
Read the first sentence of the first post in this issue. For the first time -- since it seems you haven't yet read it at all. This was explicitly answered and is in fact the foundational premise of the discussion.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (133 preceding siblings ...)
2021-03-01 21:06 ` eli-schwartz
@ 2021-03-01 21:27 ` ericonr
2021-09-19 13:10 ` dm17
` (6 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: ericonr @ 2021-03-01 21:27 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 1136 bytes --]
New comment by ericonr on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-788306581
Comment:
> If I understood correctly, the main reason to abandon libressl is maintenance burden. OK, then why support musl then?
> I use musl myself because it's lightweight & its source code is easy to read, compared to glibc. But unfortunately it seems that majority of developers don't care about POSIX compliance at all. IMHO musl patches are PITA much more than libressl.
C standard libraries have a standard to follow (POSIX, SUS, whatever BSD extensions), however loosely, which makes them at least somewhat homogeneous. musl also considerably affects the entirety of the resulting system: lower memory footprint, less dependency on arbitrary config files spread throughout the file system, and better resilience towards resource exhaustion. On 32-bit systems it also provides y2038 support, once we update that :p
LibreSSL and OpenSSL implement an "arbitrary" API, with obscure versioning and extremely weird usage, and using LibreSSL has removed functionality from many packages we ship.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (134 preceding siblings ...)
2021-03-01 21:27 ` ericonr
@ 2021-09-19 13:10 ` dm17
2021-09-19 16:07 ` Vaelatern
` (5 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: dm17 @ 2021-09-19 13:10 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 695 bytes --]
New comment by dm17 on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-922471439
Comment:
> > LibreSSL is not a bad project at all, it’s just that it’s meant for OpenBSD.
>
> 100% agree
I can think of another option... What if we reached out to Hyperbola, KISS Linux, Gentoo, and others - to see how many might want to contribute to a LibreSSL port done right for Linux. Just promote it as a potential project so it can be seen... And then no harm no foul if it doesn't get enough support?
The conclusions in this thread make sense, but one thing that is left out is the free potential of organizing interested & motivated parties.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (135 preceding siblings ...)
2021-09-19 13:10 ` dm17
@ 2021-09-19 16:07 ` Vaelatern
2021-09-19 16:07 ` Vaelatern
` (4 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Vaelatern @ 2021-09-19 16:07 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 207 bytes --]
New comment by Vaelatern on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-922497530
Comment:
@dm17 , you are welcome to spend your effort to this approach.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (136 preceding siblings ...)
2021-09-19 16:07 ` Vaelatern
@ 2021-09-19 16:07 ` Vaelatern
2021-09-19 16:07 ` Vaelatern
` (3 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Vaelatern @ 2021-09-19 16:07 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 207 bytes --]
New comment by Vaelatern on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-922497530
Comment:
@dm17 , you are welcome to spend your effort on this approach.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (137 preceding siblings ...)
2021-09-19 16:07 ` Vaelatern
@ 2021-09-19 16:07 ` Vaelatern
2021-09-19 17:31 ` mgorny
` (2 subsequent siblings)
141 siblings, 0 replies; 143+ messages in thread
From: Vaelatern @ 2021-09-19 16:07 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 281 bytes --]
New comment by Vaelatern on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-922497530
Comment:
@dm17 , you are welcome to spend your effort on this approach. Void is unlikely to switch back, since that is additional effort as well.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (138 preceding siblings ...)
2021-09-19 16:07 ` Vaelatern
@ 2021-09-19 17:31 ` mgorny
2021-09-20 18:17 ` bugcrazy
2021-09-20 18:32 ` Duncaen
141 siblings, 0 replies; 143+ messages in thread
From: mgorny @ 2021-09-19 17:31 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 326 bytes --]
New comment by mgorny on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-922508976
Comment:
@dm17, the problem is not "port done wrong". The problem is lack of compatibility and lack of interest *upstream* to maintain compatibility with two similar-but-incompatible libraries.
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (139 preceding siblings ...)
2021-09-19 17:31 ` mgorny
@ 2021-09-20 18:17 ` bugcrazy
2021-09-20 18:32 ` Duncaen
141 siblings, 0 replies; 143+ messages in thread
From: bugcrazy @ 2021-09-20 18:17 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 570 bytes --]
New comment by bugcrazy on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-923165612
Comment:
@dm17, the problem is that corporations dominate mainstream software; they don't want plurality, they like to centralize, to force the use of a software monoculture. There are problems with the LibreSSL team forcing only on OpenBSD, but on the other hand, in the Linux world there is no unity and innovation on the part of the community; what there is are corporations dictating the rules, what goes in and out of the distros!
^ permalink raw reply [flat|nested] 143+ messages in thread
* Re: [RFC] Switching back to OpenSSL
2020-04-12 21:44 [ISSUE] [RFC] Switching back to OpenSSL Johnnynator
` (140 preceding siblings ...)
2021-09-20 18:17 ` bugcrazy
@ 2021-09-20 18:32 ` Duncaen
141 siblings, 0 replies; 143+ messages in thread
From: Duncaen @ 2021-09-20 18:32 UTC (permalink / raw)
To: ml
[-- Attachment #1: Type: text/plain, Size: 272 bytes --]
New comment by Duncaen on void-packages repository
https://github.com/void-linux/void-packages/issues/20935#issuecomment-923177024
Comment:
We are still waiting on our paychecks, but the switch back to openssl was finalized and there is no need to further discuss this.
^ permalink raw reply [flat|nested] 143+ messages in thread