[arch-general] openssl 3 -- status?
Be terrific if someone could provide an update on where things stand for arch migration to Openssl 3?

We're coming up on the 1 year anniversary of openssl 3 with 3.0.4 released last week. As I recall there was some work happening to ensure things continue to work properly.

My loose understanding is that openssl 3 has ABI changes but the API changes seem to be quite limited.

The arch tracker site [1] shows 26 core packages as incomplete - though it's a bit unclear from the site what the actual problems are. It also shows many many other packages similarly "incomplete".

Fedora 36, which was released May 10 this year is, I believe, built against openssl 3. This at least strongly suggests that most "normal" packages work fine with rebuild of recent versions. We always have recent versions :)

Taking a couple of examples from the tracker page [1]:

1) openssh shows the current version as incomplete. The openssh docs suggest openssl 3 support was made available in version 8.1p1 while it was still in dev.
2) cryptsetup - seems to be compatible as of 2.4.0 (current version is 2.4.3). Only reference I found was redhat [2]
3) kmod - was unable to find any known issues. fedora 36 kmod is built against openssl 3 and it presumably is ok.
4) systemd - best I can tell there were some issues but they have been resolved (including license issues). 1 example is [3]

Be great to get an update from those who, unlike me, really know :)

thanks

gene

[1] https://archlinux.org/todo/openssl-30/
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1975799
[3] https://github.com/systemd/systemd/issues/21666
On Mon, Jun 27, 2022 at 8:59 PM Genes Lists via arch-general < arch-general@lists.archlinux.org> wrote:
> Be terrific if someone could provide an update on where things stand for arch migration to Openssl 3?
> We're coming up on the 1 year anniversary of openssl 3 with 3.0.4 released last week. As I recall there was some work happening to ensure things continue to work properly.
> My loose understanding is that openssl 3 has ABI changes but the API changes seem to be quite limited.
> The arch tracker site [1] shows 26 core packages as incomplete - though it's a bit unclear from the site what the actual problems are. It also shows many many other packages similarly "incomplete".
> Fedora 36, which was released May 10 this year is, I believe, built against openssl 3. This at least strongly suggests that most "normal" packages work fine with rebuild of recent versions. We always have recent versions :)
> Taking a couple of examples from the tracker page [1]:
> 1) openssh shows the current version as incomplete. The openssh docs suggest openssl 3 support was made available in version 8.1p1 while it was still in dev.
> 2) cryptsetup - seems to be compatible as of 2.4.0 (current version is 2.4.3). Only reference I found was redhat [2]
> 3) kmod - was unable to find any known issues. fedora 36 kmod is built against openssl 3 and it presumably is ok.
> 4) systemd - best I can tell there were some issues but they have been resolved (including license issues). 1 example is [3]
> Be great to get an update from those who, unlike me, really know :)
> thanks
> gene
> [1] https://archlinux.org/todo/openssl-30/
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1975799
> [3] https://github.com/systemd/systemd/issues/21666
There is a parallel thread on the arch forums at https://bbs.archlinux.org/viewtopic.php?pid=2043167#p2043167

--
mike c
On 6/27/22 16:09, Mike Cloaked via arch-general wrote:
> On Mon, Jun 27, 2022 at 8:59 PM Genes Lists via arch-general <arch-general@lists.archlinux.org> wrote:
>> Be terrific if someone could provide an update on where things stand for arch migration to Openssl 3?
>> Be great to get an update from those who, unlike me, really know :)
>> thanks
>> gene
>> [1] https://archlinux.org/todo/openssl-30/
>> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1975799
>> [3] https://github.com/systemd/systemd/issues/21666
> There is a parallel thread on the arch forums at https://bbs.archlinux.org/viewtopic.php?pid=2043167#p2043167
Not to mention the security problems with it:

OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw
https://www.theregister.com/2022/06/27/openssl_304_memory_corruption_bug/?utm_source=daily&utm_medium=newsletter&utm_content=article

--
David C. Rankin, J.D.,P.E.
On 6/30/22 23:17, David C. Rankin via arch-general wrote: ...
> Not to mention the security problems with it:
> OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw
Thanks for bringing that up David.

I am wondering if some folks might be leaning toward libressl, which at least did not (appear to) have the last few security issues that openssl suffered? Of course Theo de Raadt, who is driving libressl, was key in a similar effort with openssh.

However, I suspect libressl, lacking FIPS support, will not gain sufficient traction - but who knows.

gene
On 7/1/22 07:13, Genes Lists via arch-general wrote:
> Thanks for bringing that up David.
> I am wondering if some folks might be leaning toward libressl, which at
Nope - Seems the original api/abi compat plan has long since fallen by the wayside so libressl is not viable as a replacement for openssl.

never mind that one :)

so back to openssl and awaiting 3.0.5
participants (3)
- David C. Rankin
- Genes Lists
- Mike Cloaked