[arch-dev-public] OpenSSL 1.1.0
Hi,

I'd like to propose a migration to OpenSSL 1.1. The update comes with ABI and API changes. Every linked package needs to be rebuilt. There will likely be broken packages. Once the protobuf* rebuild has left the [staging] repo I would like to upload a first set of OpenSSL 1.1 packages.

I have created a todo list of packages that either have a direct dependency on openssl or link to libssl.so.1.0.0 or libcrypto.so.1.0.0: https://www.archlinux.org/todo/openssl-110-rebuild/

Further reading:
* https://wiki.openssl.org/index.php/1.1_API_Changes
* https://wiki.debian.org/OpenSSL-1.1
* https://lists.debian.org/debian-devel-announce/2016/11/msg00001.html
* http://pkgs.fedoraproject.org/cgit/rpms/

*) https://www.archlinux.org/todo/protobuf-320/

Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
On January 29, 2017 18:49 Pierre Schmitz wrote:
Hi,
I'd like to propose a migration to OpenSSL 1.1. The update comes with ABI and API changes.
I don't know if it ever was discussed, but did we ever consider LibreSSL instead? There are some distros out there already using it, I think the most recent convert was Alpine. I know it would be a bigger step than simply adopting OpenSSL 1.1, but I also think it would be a better move, since we need to rebuild everything anyway. There will be breakage in both cases, but I think there is more to gain by switching to LibreSSL.

Cheers,
Giancarlo Razzolini
On Sun, 29 Jan 2017 21:43:18 +0000 Giancarlo Razzolini <grazzolini@archlinux.org> wrote:
On January 29, 2017 18:49 Pierre Schmitz wrote:
Hi,
I'd like to propose a migration to OpenSSL 1.1. The update comes with ABI and API changes.
I don't know if it ever was discussed, but did we ever consider LibreSSL instead? There are some distros out there already using it, I think the most recent convert was Alpine.
I know it would be a bigger step than simply adopting OpenSSL 1.1, but I also think it would be a better move, since we need to rebuild everything anyway. There will be breakage in both cases, but I think there is more to gain by switching to LibreSSL.
Cheers, Giancarlo Razzolini
I haven't heard all that much from/about LibreSSL since shortly after the fork. Care to share what advantages it would bring, and at what cost?
On January 29, 2017 20:04 Doug Newgard wrote:
I haven't heard all that much from/about LibreSSL since shortly after the fork. Care to share what advantages it would bring, and at what cost?
The cost for rebuilding everything against OpenSSL 1.1 will probably be a big one. For LibreSSL, it would be even bigger. I think the main advantage, right away, is that LibreSSL has a considerably better security track, especially after their huge flensing.

I can only dream about the bugs that might lurk in both OpenSSL 1.1 and LibreSSL. But the defensive approach OpenBSD takes on LibreSSL has already paid off in terms of CVEs that didn't affect it, but were high/critical issues on OpenSSL.

It would be a considerable effort, but since there will be some for 1.1, I thought this to be the perfect opportunity for pushing an effort for LibreSSL instead. I'm as of now searching the Void and Alpine bug trackers to learn about the issues they faced (we should/could learn from theirs).

We would probably need to bootstrap the core tools like makepkg, pacman, curl, etc. with static OpenSSL support for a while, to make sure users can smoothly upgrade. Otherwise, I expect LibreSSL to be as compatible with the userland software as OpenSSL is.

Cheers,
Giancarlo Razzolini
On 30/01/17 08:30, Giancarlo Razzolini wrote:
On January 29, 2017 20:04 Doug Newgard wrote:
I haven't heard all that much from/about LibreSSL since shortly after the fork. Care to share what advantages it would bring, and at what cost?
The cost for rebuilding everything against OpenSSL 1.1 will probably be a big one. For LibreSSL, it would be even bigger. I think the main advantage, right away, is that LibreSSL has a considerably better security track, especially after their huge flensing.
I can only dream about the bugs that might lurk in both OpenSSL 1.1 and LibreSSL. But the defensive approach OpenBSD takes on LibreSSL has already paid off in terms of CVEs that didn't affect it, but were high/critical issues on OpenSSL.
Please cite one example. Every CVE I have seen that is of at least high severity has affected both. There have been some low severity ones only affecting openssl. Even worse, the fix time for libressl in the couple of issues I monitored was worse than openssl.

A
On January 30, 2017 1:05 Allan McRae wrote:
Please cite one example. Every CVE I have seen that is of at least high severity has affected both. There have been some low severity ones only affecting openssl.
Even worse, the fix time for libressl in the couple of issues I monitored was worse than openssl.
I don't have a ready list, but I can make one, sure. One thing I can say is that it wasn't *every*[0] high/critical CVE that affected both libraries. And yes, I presume fix time will be somewhat worse than OpenSSL's, because it is a portable version of a library mainly focused on OpenBSD.

As I said, it is a suggestion for us to consider instead of going the OpenSSL 1.1 way. Both will be hard, but I think in the end we would be better off using LibreSSL.

Cheers,
Giancarlo Razzolini

[0] https://en.wikipedia.org/wiki/LibreSSL
On 30.01.2017 14:09, Giancarlo Razzolini wrote:
On January 30, 2017 1:05 Allan McRae wrote:
Please cite one example. Every CVE I have seen that is of at least high severity has affected both. There have been some low severity ones only affecting openssl.
Even worse, the fix time for libressl in the couple of issues I monitored was worse than openssl.
I don't have a ready list, but I can make one, sure. One thing I can say is that it wasn't *every*[0] high/critical CVE that affected both libraries.
And yes, I presume fix time will be somewhat worse than OpenSSL's, because it is a portable version of a library mainly focused on OpenBSD.
As I said, it is a suggestion for us to consider instead of going the OpenSSL 1.1 way. Both will be hard, but I think in the end we would be better off using LibreSSL.
Cheers, Giancarlo Razzolini
For now I'd like to keep openssl. This might change when upstream projects switch to libressl. ATM I do not see an objective reason to do so. If it is a drop-in replacement a separate package could be provided.

Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
On February 11, 2017 6:36 Pierre Schmitz wrote:
For now I'd like to keep openssl. This might change when upstream projects switch to libressl. ATM I do not see an objective reason to do so. If it is a drop-in replacement a separate package could be provided.
Sure, as I said, it was just an idea. LibreSSL is mostly a drop-in replacement. I was taking some time to analyze the Void and Alpine switch and they had some issues that they sorted out. OpenBSD had the same issue with their ports (several patches were sent upstream) and they detected several poor usages of the OpenSSL library. Some of the poor usage was bad coding practices, and some was because the library itself allowed it.

I think most upstream projects won't change to LibreSSL, either OpenSSL compatible or their libtls, for lack of interest in changing the status quo. For some projects there is also money involved, but that's another issue entirely. I don't know if this is a chicken-and-egg issue, because downstream doesn't switch to LibreSSL because upstream doesn't use LibreSSL, and so on.

The main reason to switch would be better security overall. But a secondary effect of that would be to force upstream's hand to either code properly or use a different library altogether.

If you are willing I could try to create a separate LibreSSL package, so individual maintainers could build against either. I just don't see it being sustainable in the long run.

Cheers,
Giancarlo Razzolini
On 29.01.2017 21:49, Pierre Schmitz wrote:
Hi,
I'd like to propose a migration to OpenSSL 1.1. The update comes with ABI and API changes. Every linked package needs to be rebuilt. There will likely be broken packages. Once the protobuf* rebuild has left the [staging] repo I would like to upload a first set of OpenSSL 1.1 packages.
I have created a todo list of packages that either have a direct dependency on openssl or link to libssl.so.1.0.0 or libcrypto.so.1.0.0: https://www.archlinux.org/todo/openssl-110-rebuild/
I will push the first set of packages to [staging]. Please avoid doing other rebuilds until this one is done.

Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
Pierre Schmitz <pierre@archlinux.de> on Sat, 2017/02/11 09:32:
On 29.01.2017 21:49, Pierre Schmitz wrote:
Hi,
I'd like to propose a migration to OpenSSL 1.1. The update comes with ABI and API changes. Every linked package needs to be rebuilt. There will likely be broken packages. Once the protobuf* rebuild has left the [staging] repo I would like to upload a first set of OpenSSL 1.1 packages.
I have created a todo list of packages that either have a direct dependency on openssl or link to libssl.so.1.0.0 or libcrypto.so.1.0.0: https://www.archlinux.org/todo/openssl-110-rebuild/
I will push the first set of packages to [staging]. Please avoid doing other rebuilds until this one is done.
Are you interested in details?

I have a working version of openvpn, but it requires heavy patching. I will wait for version 2.4.1 which has a lot of preparation (and with some luck is ported completely). Will push an openssl rebuild then. If anybody is interested... Raise your hands and let me know, I can provide packages for testing.

Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does not carry anything useful. There's a reference for a review, but I could not find the patch in the mail archive. Will try to contact the developers and express our interest...

Mupdf is a burden to maintain due to build system, bundled libraries and static linking. Looks like upstream is not yet interested in openssl 1.1.0... As I do not use it currently this will move to [community] if no one steps up.

[0] https://jira.mariadb.org/browse/MDEV-10332
--
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
On Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse wrote:
Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does not carry anything useful. There's a reference for a review, but I could not find the patch in mail archive. Will try to contact the developers and express our interest...
In the meantime, is temporarily switching to internal yassl (as Debian does) an option? This is blocking all Qt rebuilds (which will also be a pain themselves), so it would be nice to have a build in staging soonish.
Antonio Rojas <arojas@archlinux.org> on Thu, 2017/02/23 21:42:
On Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse wrote:
Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does not carry anything useful. There's a reference for a review, but I could not find the patch in mail archive. Will try to contact the developers and express our interest...
In the meantime, is temporarily switching to internal yassl (as Debian does) an option? This is blocking all Qt rebuilds (which will also be a pain themselves), so it would be nice to have a build in staging soonish.
Ah, did not know this is a huge blocker. I will try. -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
Christian Hesse <list@eworm.de> on Fri, 2017/02/24 13:37:
Antonio Rojas <arojas@archlinux.org> on Thu, 2017/02/23 21:42:
On Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse wrote:
Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does not carry anything useful. There's a reference for a review, but I could not find the patch in mail archive. Will try to contact the developers and express our interest...
In the meantime, is temporarily switching to internal yassl (as Debian does) an option? This is blocking all Qt rebuilds (which will also be a pain themselves), so it would be nice to have a build in staging soonish.
Ah, did not know this is a huge blocker. I will try.
I pushed mariadb 10.1.21-2 to [testing]. Please give it a try... -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
On Thu, Feb 23, 2017 at 10:29:17PM +0100, Christian Hesse wrote:
I will push the first set of packages to [staging]. Please avoid doing other rebuilds until this one is done.
Are you interested in details?
FWIW, Debian stretch has openssl 1.1.0, so I guess they had to adapt lots of packages.
Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does not carry anything useful. There's a reference for a review, but I could not find the patch in mail archive. Will try to contact the developers and express our interest...
The debian package uses `-DWITH_SSL=bundled` [1] to avoid linking with the system-wide openssl. Not a great solution, though.
Mupdf is a burden to maintain due to build system, bundled libraries and static linking. Looks like upstream is not yet interested in openssl 1.1.0... As I do not use it currently this will move to [community] if no one steps up.
Can't you just drop the dependency on openssl? What is it used for? As far as I can tell, Debian does not build mupdf against openssl:

    root@stretch:~# apt show mupdf
    Package: mupdf
    Version: 1.9a+ds1-4
    Depends: libc6 (>= 2.15), libfreetype6 (>= 2.6), libharfbuzz0b (>= 0.9.11), libjbig2dec0 (>= 0.11), libjpeg62-turbo (>= 1.3.1), libopenjp2-7 (>= 2.0.0), libx11-6, libxext6, zlib1g (>= 1:1.2.0)
    root@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep ssl
    root@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep crypto
    root@stretch:~#

I just tested building the package without openssl support (I had to patch out references to openssl and libcrypto from Makerules, since openssl is part of the base chroot when building), and it seems to work fine.

Baptiste

[1] https://packages.debian.org/stretch/libmariadbclient18
Baptiste Jonglez <baptiste@bitsofnetworks.org> on Thu, 2017/02/23 23:36:
Mupdf is a burden to maintain due to build system, bundled libraries and static linking. Looks like upstream is not yet interested in openssl 1.1.0... As I do not use it currently this will move to [community] if no one steps up.
Can't you just drop the dependency on openssl? What is it used for? As far as I can tell, Debian does not build mupdf against openssl:
Just did that and pushed to [community-testing]. With mupdf linked against openssl you have support for PKCS#7 which is used for digital signatures in PDF documents. -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
Christian Hesse <list@eworm.de> on Thu, 2017/02/23 22:29:
I have a working version of openvpn, but it requires heavy patching. I will wait for version 2.4.1 which has a lot of preparation (and with some luck is ported completly). Will push an openssl rebuild then. If anybody is interested... Raise your hands and let me know, I can provide packages for testing.
I am not sure about the amount of spare time I will have in about two weeks. So I decided to push the patches now... -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
On Sat, 2017-02-11 at 09:32 +0100, Pierre Schmitz wrote:
On 29.01.2017 21:49, Pierre Schmitz wrote:
Hi,
I'd like to propose a migration to OpenSSL 1.1. The update comes with ABI and API changes. Every linked package needs to be rebuilt. There will likely be broken packages. Once the protobuf* rebuild has left the [staging] repo I would like to upload a first set of OpenSSL 1.1 packages.
I have created a todo list of packages that either have a direct dependency on openssl or link to libssl.so.1.0.0 or libcrypto.so.1.0.0: https://www.archlinux.org/todo/openssl-110-rebuild/
I will push the first set of packages to [staging]. Please avoid doing other rebuilds until this one is done.
Greetings,
Pierre
When do you plan to move the openssl rebuild out of testing?

Cheers,
--
Sébastien "Seblu" Luttringer
[2017-04-22 18:05:27 +0200] Sébastien Luttringer:
When do you plan to move openssl rebuild out of testing?
Quoting arojas on IRC:

    2017-04-20 09:11:27 arojas: current blocker for openssl is FS#53618
    2017-04-20 09:11:47 arojas: someone needs to decide whether we care about it or not, and if yes do something to fix it

--
Gaetan
On 23/04/17 08:07, Gaetan Bisson wrote:
[2017-04-22 18:05:27 +0200] Sébastien Luttringer:
When do you plan to move openssl rebuild out of testing?
Quoting arojas on IRC:
    2017-04-20 09:11:27 arojas: current blocker for openssl is FS#53618
    2017-04-20 09:11:47 arojas: someone needs to decide whether we care about it or not, and if yes do something to fix it
Given there is a workaround, a news item should be posted and we should stop blocking the entire distribution with this rebuild. Allan
On 23.04.2017 03:30, Allan McRae wrote:
On 23/04/17 08:07, Gaetan Bisson wrote:
[2017-04-22 18:05:27 +0200] Sébastien Luttringer:
When do you plan to move openssl rebuild out of testing?
Quoting arojas on IRC:
2017-04-20 09:11:27 arojas: current blocker for openssl if FS#53618 2017-04-20 09:11:47 arojas: someone needs to decide whether we care about it or not, and if yes do something to fix it
Given there is a workaround, a news item should be posted and we should stop blocking the entire distribution with this rebuild.
Allan
This is fine by me. I cannot reproduce the error with Steam. See my comment at https://bugs.archlinux.org/task/53618

Does anybody have more input on this? Even if games try to access the system library rather than the Steam ones, this is more of a game or Steam bug.

Pierre
--
Pierre Schmitz, https://pierre-schmitz.com
On Sun, 29 Jan 2017 at 21:49:51, Pierre Schmitz wrote:
I'd like to propose a migration to OpenSSL 1.1. The update comes with ABI and API changes. Every linked package needs to be rebuilt. There will likely be broken packages. Once the protobuf* rebuild has left the [staging] repo I would like to upload a first set of OpenSSL 1.1 packages.
What is the plan for packages where upstream is dead or reluctant to migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy openssl-compat (or libressl) package for a while?

Regards,
Lukas

[1] https://github.com/OpenSMTPD/OpenSMTPD/issues/738
On Thu, 02 Mar 2017 at 07:05:44, Lukas Fleischer wrote:
What is the plan for packages where upstream is dead or reluctant to migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy openssl-compat (or libressl) package for a while?
It seems like there already is an openssl-1.0 package [1]. This makes everything much easier. Thanks.

[1] https://www.archlinux.org/packages/?q=openssl-1.0
On Thu, 2017-03-02 at 20:06 +0100, Lukas Fleischer wrote:
On Thu, 02 Mar 2017 at 07:05:44, Lukas Fleischer wrote:
What is the plan for packages where upstream is dead or reluctant to migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy openssl-compat (or libressl) package for a while?
It seems like there already is an openssl-1.0 package [1]. This makes everything much easier. Thanks.
To use this package you need to set PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig. If your package doesn't use PKG_CONFIG_PATH to look for openssl you'll have to manually add -I/usr/include/openssl-1.0 to CFLAGS and -L/usr/lib/openssl-1.0 to LDFLAGS.

Also, make sure that your resulting package uses the correct library. You don't want to link to two different versions of OpenSSL. An example where this happens is ptlib/opal: Opal will happily compile against OpenSSL 1.1 while ptlib is compiled against 1.0 if no changes are made to opal.
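The "make sure your resulting package uses the correct library" check from the message above, as an added example that is not code from the thread or from Arch's tooling: a POSIX sh script that walks a built package tree (e.g. $pkgdir) and flags any ELF object whose NEEDED entries pull in both the OpenSSL 1.0 sonames (libssl.so.1.0.0, libcrypto.so.1.0.0) and the 1.1 ones (libssl.so.1.1, libcrypto.so.1.1), the ptlib/opal situation described. It goes beyond the single example in the text by scanning a whole tree; it assumes readelf from binutils is installed, and the soname lists fed to classify_openssl_needed in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the arch-dev-public thread. Reports ELF
# objects under a package tree that link OpenSSL 1.0, 1.1, or both.
# Assumption: readelf (binutils) is available for the NEEDED listing.

# Read NEEDED sonames, one per line, from stdin and print "1.0", "1.1",
# "mixed" or "none". Returns 1 only for "mixed", the case to reject.
# e.g. printf 'libssl.so.1.1\nlibcrypto.so.1.0.0\n' | classify_openssl_needed
classify_openssl_needed() {
    have10=0
    have11=0
    while IFS= read -r soname; do
        case "$soname" in
            libssl.so.1.0.*|libcrypto.so.1.0.*) have10=1 ;;
            libssl.so.1.1|libcrypto.so.1.1)     have11=1 ;;
        esac
    done
    if [ "$have10" = 1 ] && [ "$have11" = 1 ]; then
        echo mixed
        return 1
    elif [ "$have10" = 1 ]; then
        echo 1.0
    elif [ "$have11" = 1 ]; then
        echo 1.1
    else
        echo none
    fi
}

# True if the file starts with the ELF magic bytes 7f 45 4c 46.
is_elf() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c46" ]
}

# Print the NEEDED sonames of one ELF file, one per line.
needed_of() {
    readelf -d "$1" 2>/dev/null |
        awk '/\(NEEDED\)/ { gsub(/[][]/, "", $NF); print $NF }'
}

# Walk a package tree; print one line per OpenSSL-linked object.
# Exit status 1 if any object links both OpenSSL versions.
scan_pkg_dir() {
    rc=0
    # here-doc keeps the loop in the current shell so rc survives
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        is_elf "$f" || continue
        v=$(needed_of "$f" | classify_openssl_needed) || {
            echo "MIXED: $f links both OpenSSL 1.0 and 1.1"
            rc=1
            continue
        }
        [ "$v" = none ] || echo "openssl $v: $f"
    done <<EOF
$(find "$1" -type f)
EOF
    return "$rc"
}

# Usage: sh check-openssl-link.sh "$pkgdir"
if [ "$#" -gt 0 ]; then
    scan_pkg_dir "$1"
fi
```

Run it from a PKGBUILD's package() or check() step and fail the build on a non-zero exit to catch the mixed case before the package reaches [staging].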
Hi,

I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing]. Please report issues to the bug tracker.

Regards,
Lukas
On Sat, Mar 25, 2017 at 2:46 PM, Lukas Fleischer <lfleischer@archlinux.org> wrote:
Hi,
I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing]. Please report issues to the bug tracker.
Regards, Lukas
Heads up, uwsgi breaks with OpenSSL 1.1: https://github.com/unbit/uwsgi/issues/1395

This is fixed in uwsgi 2.0.15 which is not released yet (cf comments).

J. Leclanche
On 2017-03-25 13:50, Jerome Leclanche wrote:
On Sat, Mar 25, 2017 at 2:46 PM, Lukas Fleischer <lfleischer@archlinux.org> wrote:
Hi,
I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing]. Please report issues to the bug tracker.
Regards, Lukas
Heads up, uwsgi breaks with OpenSSL 1.1: https://github.com/unbit/uwsgi/issues/1395
This is fixed in uwsgi 2.0.15 which is not released yet (cf comments). J. Leclanche
Unless I missed something, we backported the patch that makes it work with the latest OpenSSL. Otherwise we wouldn't move the rebuild from staging…
participants (13): Allan McRae, Antonio Rojas, Baptiste Jonglez, Bartłomiej Piotrowski, Christian Hesse, Doug Newgard, Gaetan Bisson, Giancarlo Razzolini, Jan de Groot, Jerome Leclanche, Lukas Fleischer, Pierre Schmitz, Sébastien Luttringer