unofficial mirror of guix-devel@gnu.org 
* libressl
@ 2016-03-02 11:03 Danny Milosavljevic
  2016-03-02 19:15 ` libressl Leo Famulari
  2016-03-02 21:00 ` libressl Nils Gillmann
  0 siblings, 2 replies; 10+ messages in thread
From: Danny Milosavljevic @ 2016-03-02 11:03 UTC (permalink / raw)
  To: guix-devel

Hi,

with these openssl security problems lately that don't affect libressl, wouldn't it be better to just use libressl as input everywhere? For the non-removed API, it's compatible, and they merge fixes from openssl anyway - and the attack surface is smaller. (the ABI differs - so it's not advisable to just replace the openssl binary without recompilation of the clients)


* Re: libressl
  2016-03-02 11:03 libressl Danny Milosavljevic
@ 2016-03-02 19:15 ` Leo Famulari
  2016-03-02 19:31   ` libressl Andreas Enge
  2016-03-02 21:33   ` libressl Ludovic Courtès
  2016-03-02 21:00 ` libressl Nils Gillmann
  1 sibling, 2 replies; 10+ messages in thread
From: Leo Famulari @ 2016-03-02 19:15 UTC (permalink / raw)
  To: Danny Milosavljevic; +Cc: guix-devel

On Wed, Mar 02, 2016 at 12:03:17PM +0100, Danny Milosavljevic wrote:
> Hi,
> 
> with these openssl security problems lately that don't affect
> libressl, wouldn't it be better to just use libressl as input
> everywhere? For the non-removed API, it's compatible, and they merge
> fixes from openssl anyway - and the attack surface is smaller. (the
> ABI differs - so it's not advisable to just replace the openssl binary
> without recompilation of the clients)

If a Scheme wizard can programmatically replace all references of openssl
to libressl in the code base, I would be interested in testing it
locally.


* Re: libressl
  2016-03-02 19:15 ` libressl Leo Famulari
@ 2016-03-02 19:31   ` Andreas Enge
  2016-03-02 19:52     ` libressl Leo Famulari
  2016-03-02 21:33   ` libressl Ludovic Courtès
  1 sibling, 1 reply; 10+ messages in thread
From: Andreas Enge @ 2016-03-02 19:31 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

On Wed, Mar 02, 2016 at 02:15:04PM -0500, Leo Famulari wrote:
> If a Scheme wizard can programmatically replace all references of openssl
> to libressl in the code base, I would be interested in testing it
> locally.

Testing is easy: Just rename the "libressl" variable to "openssl", and the
"openssl" variable to "libressl" (or anything else, since nothing depends
on libressl so far).

The real patch is a question of search and replace in the text files.

Andreas


* Re: libressl
  2016-03-02 19:31   ` libressl Andreas Enge
@ 2016-03-02 19:52     ` Leo Famulari
  0 siblings, 0 replies; 10+ messages in thread
From: Leo Famulari @ 2016-03-02 19:52 UTC (permalink / raw)
  To: Andreas Enge; +Cc: guix-devel

On Wed, Mar 02, 2016 at 08:31:22PM +0100, Andreas Enge wrote:
> On Wed, Mar 02, 2016 at 02:15:04PM -0500, Leo Famulari wrote:
> > If a Scheme wizard can programmatically replace all references of openssl
> > to libressl in the code base, I would be interested in testing it
> > locally.
> 
> Testing is easy: Just rename the "libressl" variable to "openssl", and the
> "openssl" variable to "libressl" (or anything else, since nothing depends
> on libressl so far).

`grep -rI openssl gnu/packages | wc -l` -> 152, which is much less than
I expected. Indeed I could do that with regular text replacement.

> 
> The real patch is a question of search and replace in the text files.
> 
> Andreas
> 


* Re: libressl
  2016-03-02 11:03 libressl Danny Milosavljevic
  2016-03-02 19:15 ` libressl Leo Famulari
@ 2016-03-02 21:00 ` Nils Gillmann
  2016-03-02 21:07   ` libressl Leo Famulari
  1 sibling, 1 reply; 10+ messages in thread
From: Nils Gillmann @ 2016-03-02 21:00 UTC (permalink / raw)
  To: guix-devel

Is it that easy though? I would be surprised, as the process -
maybe, most likely, also due to the incredibly weird structures
of portage policies and politics - to move the packages in Gentoo
portage from openssl to handle openssl AND libressl as a one or
the other selection option, turns out to take some time now and
some packages (in gentoo) do depend on it in a way that they need
to be patched to fully work or they have security concerns, for
example in the case of tor (or was it bitcoin? or both?).

Tracking libressl on OpenBSD, Gentoo, and other bugtracker
platforms should be something necessary to do and check before
somebody goes ahead and fully replaces openssl with libressl
here.

I would be really glad to have a system with libressl, that's
something I wanted for gentoo for some time now and I am still
waiting for the whole meta KDE Plasma-5.5.5 and some other
applications (I think 4 months ago it was ~30 I needed to wait
for) to get libressl support. Could be changed now, as the
general acceptance and the speed to get libressl into Gentoo
portage packages picked up since, so maybe my warning is just
based on me trying too much on Gentoo when it was still a side
testing project, where it is now an official project.


-- 
ng
irc://loupsycedyglgamf.onion:67/~NiAsterisk
https://psyced.org:34443/NiAsterisk/
EDN: https://wiki.c3d2.de/Echt_Dezentrales_Netz/en


* Re: libressl
  2016-03-02 21:00 ` libressl Nils Gillmann
@ 2016-03-02 21:07   ` Leo Famulari
  2016-03-02 21:57     ` libressl Nils Gillmann
  0 siblings, 1 reply; 10+ messages in thread
From: Leo Famulari @ 2016-03-02 21:07 UTC (permalink / raw)
  To: Nils Gillmann; +Cc: guix-devel

On Wed, Mar 02, 2016 at 10:00:31PM +0100, Nils Gillmann wrote:
> Is it that easy though? I would be surprised, as the process -
> maybe, most likely, also due to the incredibly weird structures
> of portage policies and politics - to move the packages in Gentoo
> portage from openssl to handle openssl AND libressl as a one or
> the other selection option, turns out to take some time now and
> some packages (in gentoo) do depend on it in a way that they need
> to be patched to fully work or they have security concerns, for
> example in the case of tor (or was it bitcoin? or both?).
> 
> Tracking libressl on OpenBSD, Gentoo, and other bugtracker
> platforms should be something necessary to do and check before
> somebody goes ahead and fully replaces openssl with libressl
> here.

I'm just thinking of doing it locally as an experiment, to see what
breaks, etc.

> 
> I would be really glad to have a system with libressl, that's
> something I wanted for gentoo for some time now and I am still
> waiting for the whole meta KDE Plasma-5.5.5 and some other
> applications (I think 4 months ago it was ~30 I needed to wait
> for) to get libressl support. Could be changed now, as the
> general acceptance and the speed to get libressl into Gentoo
> portage packages picked up since, so maybe my warning is just
> based on me trying too much on Gentoo when it was still a side
> testing project, where it is now an official project.
> 
> 
> -- 
> ng
> irc://loupsycedyglgamf.onion:67/~NiAsterisk
> https://psyced.org:34443/NiAsterisk/
> EDN: https://wiki.c3d2.de/Echt_Dezentrales_Netz/en
> 
> 


* Re: libressl
  2016-03-02 19:15 ` libressl Leo Famulari
  2016-03-02 19:31   ` libressl Andreas Enge
@ 2016-03-02 21:33   ` Ludovic Courtès
  1 sibling, 0 replies; 10+ messages in thread
From: Ludovic Courtès @ 2016-03-02 21:33 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Leo Famulari <leo@famulari.name> wrote:

> On Wed, Mar 02, 2016 at 12:03:17PM +0100, Danny Milosavljevic wrote:
>> Hi,
>> 
>> with these openssl security problems lately that don't affect
>> libressl, wouldn't it be better to just use libressl as input
>> everywhere? For the non-removed API, it's compatible, and they merge
>> fixes from openssl anyway - and the attack surface is smaller. (the
>> ABI differs - so it's not advisable to just replace the openssl binary
>> without recompilation of the clients)
>
> If a Scheme wizard can programmatically replace all references of openssl
> to libressl in the code base, I would be interested in testing it
> locally.

You can also test with things like this (info "(guix) Package
Transformation Options"):

  guix build --with-input=openssl=libressl something

Ludo’.


* Re: libressl
  2016-03-02 21:07   ` libressl Leo Famulari
@ 2016-03-02 21:57     ` Nils Gillmann
  2016-03-02 22:20       ` libressl Andreas Enge
  0 siblings, 1 reply; 10+ messages in thread
From: Nils Gillmann @ 2016-03-02 21:57 UTC (permalink / raw)
  To: guix-devel

Leo Famulari <leo@famulari.name> writes:

> On Wed, Mar 02, 2016 at 10:00:31PM +0100, Nils Gillmann wrote:
>> --snip--
>
> I'm just thinking of doing it locally as an experiment, to see what
> breaks, etc.
>
>> 
>> I would be really glad to have a system with libressl, that's
>> something I wanted for gentoo for some time now and I am still
>> waiting for the whole meta KDE Plasma-5.5.5 and some other
>> applications (I think 4 months ago it was ~30 I needed to wait
>> for) to get libressl support. Could be changed now, as the
>> general acceptance and the speed to get libressl into Gentoo
>> portage packages picked up since, so maybe my warning is just
>> based on me trying too much on Gentoo when it was still a side
>> testing project, where it is now an official project.

I just tried to upgrade on Gentoo to libressl with the
development repository enabled and all unstable packages unmasked
and solved some issues and I'm still not able to rebuild world in
one easy try from the preview I get.
It will be fun though and puts some packages to practice.
It would be nice if we could have some automatized testing for
failure with a libressl branch which just replaces every
dependency on openssl with current libressl (current version
drops sslv3 and replaces sslv3 with tls1,2,2.1 usage from what I
read in the bugtracker for Gentoo) and see where patches are
needed in Guix until upstream has fixes.


-- 
ng
irc://loupsycedyglgamf.onion:67/~NiAsterisk
https://psyced.org:34443/NiAsterisk/
EDN: https://wiki.c3d2.de/Echt_Dezentrales_Netz/en


* Re: libressl
  2016-03-02 21:57     ` libressl Nils Gillmann
@ 2016-03-02 22:20       ` Andreas Enge
  2016-03-02 22:33         ` libressl Nils Gillmann
  0 siblings, 1 reply; 10+ messages in thread
From: Andreas Enge @ 2016-03-02 22:20 UTC (permalink / raw)
  To: Nils Gillmann; +Cc: guix-devel

On Wed, Mar 02, 2016 at 10:57:19PM +0100, Nils Gillmann wrote:
> It would be nice if we could have some automatized testing for
> failure with a libressl branch which just replaces every
> dependency on openssl with current libressl

Normally I would suggest to build such a branch on hydra, but we probably
do not have the resources now... So if Leo can make a test locally and
report back on what works and what breaks, this will be very nice.

Notice that with Guix, there is no problem in keeping both around, unlike
with traditional distributions: Packages that "just work" can use libressl,
others that need patches can be kept with openssl for the time being.
So we can switch over gradually.

Andreas

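An added example, not code from this thread or from the Guix project, showing how the gradual switch Andreas describes can be expressed with Guix's `package-input-rewriting` procedure, the same mechanism behind the `--with-input=openssl=libressl` option Ludovic mentions. The choice of git and curl as "rewritten" packages and wget as one left on openssl is purely illustrative and makes no claim about which packages actually build against LibreSSL.

```scheme
;; Added example (not from the thread or from Guix itself): a manifest
;; that rebuilds selected packages with LibreSSL in place of OpenSSL
;; while leaving everything else on the stock openssl input.
(use-modules (guix packages)
             (guix profiles)
             (gnu packages tls)              ; openssl, libressl
             (gnu packages version-control)  ; git
             (gnu packages curl)             ; curl
             (gnu packages wget))            ; wget

;; USE-LIBRESSL is a procedure: given a package, it returns a variant
;; whose dependency graph has every occurrence of OPENSSL replaced by
;; LIBRESSL, recursively, so indirect dependents are rebuilt too.
(define use-libressl
  (package-input-rewriting `((,openssl . ,libressl))))

;; Packages known (in this illustration) to build fine against LibreSSL
;; get the rewrite.  Because the ABI differs, the rewrite rebuilds them
;; rather than swapping the library underneath an existing binary.
(define git/libressl  (use-libressl git))
(define curl/libressl (use-libressl curl))

;; A package not yet verified, or still needing patches, is simply left
;; untouched and keeps its openssl input.  Both libraries coexist in the
;; store, so the migration can proceed one package at a time.
(define wget/openssl wget)

;; Install with:  guix package -m this-file.scm
(packages->manifest (list git/libressl curl/libressl wget/openssl))
```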

* Re: libressl
  2016-03-02 22:20       ` libressl Andreas Enge
@ 2016-03-02 22:33         ` Nils Gillmann
  0 siblings, 0 replies; 10+ messages in thread
From: Nils Gillmann @ 2016-03-02 22:33 UTC (permalink / raw)
  To: guix-devel

Andreas Enge <andreas@enge.fr> writes:

> On Wed, Mar 02, 2016 at 10:57:19PM +0100, Nils Gillmann wrote:
>> ...
> Notice that with Guix, there is no problem in keeping both around, unlike
> with traditional distributions: Packages that "just work" can use libressl,
> others that need patches can be kept with openssl for the time being.
> So we can switch over gradually.

Right, I forgot about the cool features of this awesome new
world! No more fistshaking ad infinitum like on Gentoo at the
moment. I could have libreboot there, but then I have to work
around this breakage and this and this and this... or just wait
and see if I am just not in the mood to test and see a system
fall apart like it did last time and revert all the changes.

>
> Andreas
>
>
>

-- 
ng
irc://loupsycedyglgamf.onion:67/~NiAsterisk
https://psyced.org:34443/NiAsterisk/
EDN: https://wiki.c3d2.de/Echt_Dezentrales_Netz/en

