* LibreSSL?
From: Leo Famulari @ 2022-03-29 16:39 UTC
To: guix-devel

I noticed that some Guix packages depend on LibreSSL, but it seems that
we are not successfully keeping this package up to date with upstream
security releases:

https://www.libressl.org/releases.html

Will anyone step up to maintain this package? Or should we remove it
from Guix?

* Re: LibreSSL?
From: Ludovic Courtès @ 2022-04-01 8:41 UTC
To: Leo Famulari; +Cc: guix-devel

Hi,

Leo Famulari <leo@famulari.name> writes:

> I noticed that some Guix packages depend on LibreSSL, but it seems that
> we are not successfully keeping this package up to date with upstream
> security releases:
>
> https://www.libressl.org/releases.html
>
> Will anyone step up to maintain this package? Or should we remove it
> from Guix?

At first sight, it looks like an easy-to-maintain package: no
dependencies, few users, stable API.

I tried to update it to 3.5.1 and was proved wrong though: there’s one
test failure in ‘tests/asn1object’ and the Internet doesn’t seem to know
how to address the problem. So it would need a bit more work.

I’d lean towards keeping it and doing that extra work, collectively, but
I understand this very discussion shows that it’s debatable.

Ludo’.

* Re: LibreSSL?
From: Andreas Enge @ 2022-06-19 22:17 UTC
To: Ludovic Courtès; +Cc: Leo Famulari, guix-devel

Hello,

On Fri, Apr 01, 2022 at 10:41:11AM +0200, Ludovic Courtès wrote:
> At first sight, it looks like an easy-to-maintain package: no
> dependencies, few users, stable API.
>
> I tried to update it to 3.5.1 and was proved wrong though: there’s one
> test failure in ‘tests/asn1object’ and the Internet doesn’t seem to know
> how to address the problem. So it would need a bit more work.
>
> I’d lean towards keeping it and doing that extra work, collectively, but
> I understand this very discussion shows that it’s debatable.

at some point in time, my understanding was that we would switch everything
to libressl and drop openssl. I have not followed, but from
https://lwn.net/Articles/841664/
it looks as if the problems with openssl are more or less solved, at least
they are not worse than in libressl.

So an option would be to try to switch the existing dependencies to openssl
and decide from there.

What do you think?

Andreas

* Re: LibreSSL?
From: Efraim Flashner @ 2022-06-20 10:44 UTC
To: Andreas Enge; +Cc: Ludovic Courtès, Leo Famulari, guix-devel

On Mon, Jun 20, 2022 at 12:17:38AM +0200, Andreas Enge wrote:
> Hello,
>
> On Fri, Apr 01, 2022 at 10:41:11AM +0200, Ludovic Courtès wrote:
> > At first sight, it looks like an easy-to-maintain package: no
> > dependencies, few users, stable API.
> >
> > I tried to update it to 3.5.1 and was proved wrong though: there’s one
> > test failure in ‘tests/asn1object’ and the Internet doesn’t seem to know
> > how to address the problem. So it would need a bit more work.
> >
> > I’d lean towards keeping it and doing that extra work, collectively, but
> > I understand this very discussion shows that it’s debatable.
>
> at some point in time, my understanding was that we would switch everything
> to libressl and drop openssl. I have not followed, but from
> https://lwn.net/Articles/841664/
> it looks as if the problems with openssl are more or less solved, at least
> they are not worse than in libressl.
>
> So an option would be to try to switch the existing dependencies to openssl
> and decide from there.
>
> What do you think?

I thought I had updated it last month but it turns out I never actually
did. My daughter and I looked at fixing acme-client before the staging
merge before we saw it was abandoned, I guess that's when I thought I
updated libressl.

I'd be more interested in trying to use openssl-3 than trying to pull
along libressl.

--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted