unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
* LibreSSL?
@ 2022-03-29 16:39 Leo Famulari
  2022-04-01  8:41 ` LibreSSL? Ludovic Courtès
  0 siblings, 1 reply; 4+ messages in thread
From: Leo Famulari @ 2022-03-29 16:39 UTC (permalink / raw)
  To: guix-devel

I noticed that some Guix packages depend on LibreSSL, but it seems that
we are not successfully keeping this package up to date with upstream
security releases:

https://www.libressl.org/releases.html

Will anyone step up to maintain this package? Or should we remove it
from Guix?


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: LibreSSL?
  2022-03-29 16:39 LibreSSL? Leo Famulari
@ 2022-04-01  8:41 ` Ludovic Courtès
  2022-06-19 22:17   ` LibreSSL? Andreas Enge
  0 siblings, 1 reply; 4+ messages in thread
From: Ludovic Courtès @ 2022-04-01  8:41 UTC (permalink / raw)
  To: Leo Famulari; +Cc: guix-devel

Hi,

Leo Famulari <leo@famulari.name> skribis:

> I noticed that some Guix packages depend on LibreSSL, but it seems that
> we are not successfully keeping this package up to date with upstream
> security releases:
>
> https://www.libressl.org/releases.html
>
> Will anyone step up to maintain this package? Or should we remove it
> from Guix?

At first sight, it looks like an easy-to-maintain package: no
dependencies, few users, stable API.

I tried to update it to 3.5.1 and was proved wrong though: there’s one
test failure in ‘tests/asn1object’ and the Internet doesn’t seem to know
how to address the problem.  So it would need a bit more work.

I’d lean towards keeping it and doing that extra work, collectively, but
I understand this very discussion shows that it’s debatable.

Ludo’.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: LibreSSL?
  2022-04-01  8:41 ` LibreSSL? Ludovic Courtès
@ 2022-06-19 22:17   ` Andreas Enge
  2022-06-20 10:44     ` LibreSSL? Efraim Flashner
  0 siblings, 1 reply; 4+ messages in thread
From: Andreas Enge @ 2022-06-19 22:17 UTC (permalink / raw)
  To: Ludovic Courtès; +Cc: Leo Famulari, guix-devel

Hello,

Am Fri, Apr 01, 2022 at 10:41:11AM +0200 schrieb Ludovic Courtès:
> At first sight, it looks like an easy-to-maintain package: no
> dependencies, few users, stable API.
> 
> I tried to update it to 3.5.1 and was proved wrong though: there’s one
> test failure in ‘tests/asn1object’ and the Internet doesn’t seem to know
> how to address the problem.  So it would need a bit more work.
> 
> I’d lean towards keeping it and doing that extra work, collectively, but
> I understand this very discussion shows that it’s debatable.

at some point in time, my understanding was that we would switch everything
to libressl and drop openssl. I have not followed, but from
   https://lwn.net/Articles/841664/
it looks as if the problems with openssl are more or less solved, at least
they are not worse than in libressl.

So an option would be to try to switch the existing dependencies to openssl
and decide from there.

What do you think?

Andreas



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: LibreSSL?
  2022-06-19 22:17   ` LibreSSL? Andreas Enge
@ 2022-06-20 10:44     ` Efraim Flashner
  0 siblings, 0 replies; 4+ messages in thread
From: Efraim Flashner @ 2022-06-20 10:44 UTC (permalink / raw)
  To: Andreas Enge; +Cc: Ludovic Courtès, Leo Famulari, guix-devel

[-- Attachment #1: Type: text/plain, Size: 1621 bytes --]

On Mon, Jun 20, 2022 at 12:17:38AM +0200, Andreas Enge wrote:
> Hello,
> 
> Am Fri, Apr 01, 2022 at 10:41:11AM +0200 schrieb Ludovic Courtès:
> > At first sight, it looks like an easy-to-maintain package: no
> > dependencies, few users, stable API.
> > 
> > I tried to update it to 3.5.1 and was proved wrong though: there’s one
> > test failure in ‘tests/asn1object’ and the Internet doesn’t seem to know
> > how to address the problem.  So it would need a bit more work.
> > 
> > I’d lean towards keeping it and doing that extra work, collectively, but
> > I understand this very discussion shows that it’s debatable.
> 
> at some point in time, my understanding was that we would switch everything
> to libressl and drop openssl. I have not followed, but from
>    https://lwn.net/Articles/841664/
> it looks as if the problems with openssl are more or less solved, at least
> they are not worse than in libressl.
> 
> So an option would be to try to switch the existing dependencies to openssl
> and decide from there.
> 
> What do you think?

I thought I had updated it last month but it turns out I never actually
did. My daughter and I looked at fixing acme-client before the staging
merge before we saw it was abandoned, I guess that's when I thought I
updated libressl. I'd be more interested in trying to use openssl-3 than
trying to pull along libressl.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2022-06-20 10:46 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-03-29 16:39 LibreSSL? Leo Famulari
2022-04-01  8:41 ` LibreSSL? Ludovic Courtès
2022-06-19 22:17   ` LibreSSL? Andreas Enge
2022-06-20 10:44     ` LibreSSL? Efraim Flashner

Code repositories for project(s) associated with this inbox:

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).