Em janeiro 29, 2017 20:04 Doug Newgard escreveu:

I haven't heard all that much from/about LibreSSL since shortly after the fork. Care to share what advantages it would bring, and at what cost?

The cost for rebuilding everything against OpenSSL 1.1 will probably be a big one. For LibreSSL, it would be even bigger. I think the main advantage, right away, is that LibreSSL has a considerably better security track, specially after their huge flensing. I can only dream about the bugs that might lurk on both OpenSSL 1.1 and LibreSSL. But the defensive approach OpenBSD takes on LibreSSL already has paid off in terms of CVE's that didn't affected it, but were high/critical issues on OpenSSL. It would be a considerable effort, but since there will be some for 1.1, I thought this to be the perfect opportunity for pushing an effort for LibreSSL instead. I'm as of know searching Void and Alpine bug trackers for learning the issues they faced (we should/could learn from theirs). We would probably need to bootstrap the core tools like makepkg, pacman, curl, etc with static OpenSSL support for a while, to make sure users can smoothly upgrade. Otherwise, I expect LibreSSL to be as much compatible with the userland software as OpenSSL is. Cheers, Giancarlo Razzolini

Em janeiro 30, 2017 1:05 Allan McRae escreveu:

Please cite one example. Every CVE I have seen that is of at least high severity has affected both. There have been some low severity ones only affecting openssl.

Even worse, the fix time for libressl in the couple of issues I monitored was worse than openssl.

I don't have a ready list, but I can make one, sure. One thing I can say is that it wasn't *every*[0] high/critical CVE that affected both libraries. And yes, I presume fix time will be somewhat worse than OpenSSL's, because it is a portable version of a library mainly focused on OpenBSD. As I said, it is a suggestion for us to consider instead of going OpenSSL 1.1 way. Both will be hard, but I think in the end we would be better off using LibreSSL. Cheers, Giancarlo Razzolini [0] https://en.wikipedia.org/wiki/LibreSSL

Em fevereiro 11, 2017 6:36 Pierre Schmitz escreveu:

For now I'd like to keep openssl. This might change when upstream projects might switch to libressl. ATM I do not see an objective reason to do so. If it is a drop in replacement a separate package could be provided.

Sure, as I said, it was just an idea. LibreSSL is mostly a drop-in replacement, I was taking some time to analyze void and alpine switch and they had some issues that they sorted out. OpenBSD had the same issue with their ports (several patches were sent upstream) and they detected several poorly usage of the OpenSSL library. Some of the poor usage was bad coding practices, and some was because the library itself allowed. I think most upstream projects won't change to LibreSSL, either OpenSSL compatible, or their libtls, for lack of interest in changing the status quo. For some projects there is also money involved, but that's another issue entirely. I don't know if this is a chicken-egg issue, because downstream doesn't switch to LibreSSL because upstream doesn't use LibreSSL, and so on. The main reason to switch would be better security overall. But a secondary effect of that would be to force upstream hand to either code properly or use a different library altogether. If you are willing I could try to create a separate LibreSSL package, so individual maintainers could build against either. I just don't see it being sustainable on the long run. Cheers, Giancarlo Razzolini

Pierre Schmitz on Sat, 2017/02/11 09:32:

On 29.01.2017 21:49, Pierre Schmitz wrote:

...

Hi,

I'd like to propose a migration to OpenSSL 1.1. The update comes with ABI and API changes. Every linked packages needs to be rebuild. There will likely be broken packages. Once the protobuf* rebuild has left the [staging] repo I would like to upload a first set of OpenSSL 1.1 packages.

I have created a todo list of packages that either have a direct dependency on openssl or link to libssl.so.1.0.0 or libcrypto.so.1.0.0: https://www.archlinux.org/todo/openssl-110-rebuild/

I will push the first set of packages to [staging]. Please avoid doing other rebuilds until this one is done.

Are you interested in details? I have a working version of openvpn, but it requires heavy patching. I will wait for version 2.4.1 which has a lot of preparation (and with some luck is ported completly). Will push an openssl rebuild then. If anybody is interested... Raise your hands and let me know, I can provide packages for testing. Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does not carry anything useful. There's a reference for a review, but I could not find the patch in mail archive. Will try to contact the developers and express our interest... Mupdf is a burden to maintain due to build system, bundled libraries and static linking. Looks like upstream is not yet interested in openssl 1.1.0... As I do not use it currently this will move to [community] if no one steps up. [0] https://jira.mariadb.org/browse/MDEV-10332 -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}

Antonio Rojas on Thu, 2017/02/23 21:42:

El Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse escribió:

...

Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does not carry anything useful. There's a reference for a review, but I could not find the patch in mail archive. Will try to contact the developers and express our interest...

In the meantime, is temporarily switching to internal yassl (as Debian does) an option? This is blocking all Qt rebuilds (which will also be a pain themselves), so it would be nice to have a build in staging soonish.

Ah, did not know this is a huge blocker. I will try. -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}

On Thu, Feb 23, 2017 at 10:29:17PM +0100, Christian Hesse wrote:

...

I will push the first set of packages to [staging]. Please avoid doing other rebuilds until this one is done.

Are you interested in details?

FWIW, Debian stretch has openssl 1.1.0, so I guess they had to adapt lots of packages.

Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does not carry anything useful. There's a reference for a review, but I could not find the patch in mail archive. Will try to contact the developers and express our interest...

The debian package uses `-DWITH_SSL=bundled` [1] to avoid linking with the system-wide openssl. Not a great solution, though.

Mupdf is a burden to maintain due to build system, bundled libraries and static linking. Looks like upstream is not yet interested in openssl 1.1.0... As I do not use it currently this will move to [community] if no one steps up.

Can't you just drop the dependency on openssl? What is it used for? As far as I can tell, Debian does not build mupdf against openssl: root@stretch:~# apt show mupdf Package: mupdf Version: 1.9a+ds1-4 Depends: libc6 (>= 2.15), libfreetype6 (>= 2.6), libharfbuzz0b (>= 0.9.11), libjbig2dec0 (>= 0.11), libjpeg62-turbo (>= 1.3.1), libopenjp2-7 (>= 2.0.0), libx11-6, libxext6, zlib1g (>= 1:1.2.0) root@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep ssl root@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep crypto root@stretch:~# I just tested building the package without openssl support (I had to patch out references to openssl and libcrypto from Makerules, since openssl is part of the base chroot when building), and it seems to work fine. Baptiste [1] https://packages.debian.org/stretch/libmariadbclient18

Christian Hesse on Thu, 2017/02/23 22:29:

I have a working version of openvpn, but it requires heavy patching. I will wait for version 2.4.1 which has a lot of preparation (and with some luck is ported completly). Will push an openssl rebuild then. If anybody is interested... Raise your hands and let me know, I can provide packages for testing.

I am not sure about the amount of spare time I will have in about two weeks. So I decided to push the patches now... -- main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];) putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}

[2017-04-22 18:05:27 +0200] Sébastien Luttringer:

When do you plan to move openssl rebuild out of testing?

Quoting arojas on IRC: 2017-04-20 09:11:27 arojas: current blocker for openssl if FS#53618 2017-04-20 09:11:47 arojas: someone needs to decide whether we care about it or not, and if yes do something to fix it -- Gaetan

On 23.04.2017 03:30, Allan McRae wrote:

On 23/04/17 08:07, Gaetan Bisson wrote:

...

[2017-04-22 18:05:27 +0200] Sébastien Luttringer:

...

When do you plan to move openssl rebuild out of testing?

Quoting arojas on IRC:

2017-04-20 09:11:27 arojas: current blocker for openssl if FS#53618 2017-04-20 09:11:47 arojas: someone needs to decide whether we care about it or not, and if yes do something to fix it

Given there is a workaround, a news item should be posted and we should stop blocking the entire distribution with this rebuild.

Allan

This is fine by me. I cannot reproduce the error with Steam. See my comment at https://bugs.archlinux.org/task/53618 Does anybody have more input on this? Even if games try to access the system library rather than the steam ones, this is more of game or steam bug. Pierre -- Pierre Schmitz, https://pierre-schmitz.com

On Thu, 02 Mar 2017 at 07:05:44, Lukas Fleischer wrote:

What is the plan for packages where upstream is dead or reluctant to migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy openssl-compat (or libressl) package for a while?

It seems like there already is an openssl-1.0 package [1]. This makes everything much easier. Thanks. [1] https://www.archlinux.org/packages/?q=openssl-1.0

On 2017-03-25 13:50, Jerome Leclanche wrote:

On Sat, Mar 25, 2017 at 2:46 PM, Lukas Fleischer wrote:

...

Hi,

I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing]. Please report issues to the bug tracker.

Regards, Lukas

Heads up, uwsgi breaks with OpenSSL 1.1: https://github.com/unbit/uwsgi/issues/1395

This is fixed in uwsgi 2.0.15 which is not released yet (cf comments). J. Leclanche

Unless I missed something, we backported the patch that make it work with latest OpenSSL. Otherwise we wouldn't move the rebuild from staging…