unofficial mirror of bug-guix@gnu.org 
From: "Ludovic Courtès" <ludo@gnu.org>
To: Vagrant Cascadian <vagrant@debian.org>
Cc: 34717@debbugs.gnu.org
Subject: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others
Date: Fri, 08 Mar 2019 11:08:34 +0100
Message-ID: <87bm2lispp.fsf@gnu.org>
In-Reply-To: <87ftrzuxmh.fsf@ponder> (Vagrant Cascadian's message of "Wed, 06 Mar 2019 20:17:10 -0800")

Hi

Vagrant Cascadian <vagrant@debian.org> wrote:

> On 2019-03-06, Ludovic Courtès wrote:

[...]

>> openssl@1.0 has 7,029 dependent packages, so it may be hard to sort it
>> out.  I wonder what would be the best way to approach it.
>
> How many of them are also license:gpl* though? That would hopefully
> reduce the scope somewhat, or maybe even significantly...
>
> If "guix package --search= ..." could be extended to also search
> other fields, e.g. license: and dependencies: ... it might not be so
> difficult a search.

Here’s an estimate:

--8<---------------cut here---------------start------------->8---
$ guix package -s "" |recsel -e 'license ~ "GPL"' -e 'dependencies ~ "openssl"' |grep ^name| wc -l
265
--8<---------------cut here---------------end--------------->8---

You can view the list of packages like this:

--8<---------------cut here---------------start------------->8---
guix package -s "" |recsel -e 'license ~ "GPL"' -e 'dependencies ~ "openssl"' -p name,version
--8<---------------cut here---------------end--------------->8---

>>> In the Debian u-boot packaging, some of the features using openssl are
>>> disabled, and some of the u-boot targets that require openssl are not
>>> part of the packages. I'd be happy to help with making such adjustments
>>> if this is deemed the better approach for u-boot specifically.
>>
>> That’d be great.  We could definitely remove the OpenSSL dependency when
>> it’s not needed.
>
> For what it's worth, I did do local builds of all the current u-boot-*
> targets in guix with openssl removed from inputs, and the only one that
> failed to build without openssl was u-boot-tools.

Not that bad!

>> In cases where it is needed, it would be nice to see what it’s used
>> for.  Many projects use OpenSSL just for its cryptographic hash
>> functions, for example, and there’s plenty of options to choose from if
>> that’s all that’s needed (Gcrypt, Nettle, etc.).
>
> I think it is using it for generating and verifying rsa signatures, and
> probably other similar basic things. So far I had only thought about
> gnutls, but if gcrypt or nettle are other options, then so much the
> better.
>
> I briefly looked at gnutls's openssl compatibility layers, but it didn't
> seem to implement sufficiently similar include files, which is largely
> all that it is doing.

Yeah, GnuTLS’ OpenSSL compat layer has been bitrotting since forever.

But really rather than GnuTLS they should target one of these crypto
libraries, which seem to be a better fit.

>> I guess this should be discussed with upstream.
>
> I did bring it upstream a little over a year ago, and the response was
> pretty much to rewrite it with gnutls, and I pointed out the most likely
> files that needed updating:
>
>   https://lists.denx.de/pipermail/u-boot/2017-November/312483.html
>   https://lists.denx.de/pipermail/u-boot/2017-December/313616.html
>   https://lists.denx.de/pipermail/u-boot/2017-December/313742.html
>
> I suspect it's pretty much a "patches accepted" sort of scenario.

I guess “we” should consider doing it at some point.  Changing the RSA
signature code to use another API can’t be that hard™.  ;-)

I see from the message above that PEM encoding/decoding may also be
needed, which Gcrypt doesn’t provide.

Thanks,
Ludo’.
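
Added example, not part of the original message or of Guix: the same license/dependency filter as the recsel query above, written with awk so it can run on saved `guix package -s ""` output where recutils is not installed. It assumes dependencies are listed as space-separated `name@version` tokens with `+ ` continuation lines; it matches `openssl@` as a whole token (so names that merely contain "openssl" are skipped) and prints the license so LGPL hits can be told apart from GPL ones. The function names and sample records are hypothetical.

```shell
# Constructed sample in the rec layout; package names and versions are made up.
sample_records() {
cat <<'EOF'
name: demo-signer
version: 1.0
dependencies: bison@3.0 flex@2.6
+ openssl@1.0 zlib@1.2
license: GPL 2+

name: demo-lib
version: 2.1
dependencies: openssl@1.0
license: LGPL 2.1+

name: demo-py
version: 0.3
dependencies: python-pyopenssl@19.0
license: GPL 3+

name: demo-bsd
version: 4.0
dependencies: openssl@1.0
license: BSD 3-clause
EOF
}

# Read rec records on stdin; print "name version license" for each record with
# a direct openssl input and a license matching GPL (LGPL and AGPL match too).
gpl_openssl_packages() {
  awk '
    BEGIN { RS = ""; FS = "\n" }            # one blank-line-separated record at a time
    {
      name = version = deps = lic = field = ""
      for (i = 1; i <= NF; i++) {
        line = $i
        if (line ~ /^\+/) {                 # continuation of the previous field
          sub(/^\+ ?/, "", line)
          if (field == "dependencies") deps = deps " " line
          continue
        }
        field = line; sub(/:.*/, "", field)
        value = line; sub(/^[^:]*: ?/, "", value)
        if (field == "name") name = value
        else if (field == "version") version = value
        else if (field == "dependencies") deps = value
        else if (field == "license") lic = value
      }
      if ((" " deps) ~ / openssl@/ && lic ~ /GPL/) print name, version, lic
    }'
}
```

On real data the call would be `guix package -s "" | gpl_openssl_packages`.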
