> On 27 Sep 2021, at 23:50, Robin H. Johnson <robbat2@g.o> wrote:
>
> Deadline for responses: 2021/10/14!
>
> The Foundation would like to propose that RedHat/Fedora "hobble" patch
> presently applied when USE=bindist is true shall be removed from
> dev-libs/openssl.
>
> RedHat's stated reasons for the patch were originally to avoid any patent
> concerns, but they have also morphed over time to prevent some "insecure"
> things from being used entirely:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
> "All ECC curves < 224 bits (since RHEL 6)"
> "All binary field ECC curves (since RHEL 6)"
>
> However, the Foundation would also like to be sure that no users feel that
> patchset provides something critical to their usage of Gentoo.
>
> If nobody speaks up as saying that the "hobble" patch is REQUIRED for their use
> cases, the Foundation proposes that usage of the patchset be dropped from the
> main tree.
>
> Any users who might be concerned about patent compliance are encouraged to do
> their own due diligence, as OpenSSL was the only Gentoo package that shipped
> this type of patch, and even Fedora's upstream did not completely patch out EC
> in other packages.
>
> [snip]

Thanks for this. You've ended up addressing the comments & concerns I raised the other day
on the (slightly derailed) other thread [0]. There's a PR on this on GitHub too [1] to handle the
removal.

As I suspect was already clear, I support this move in the absence of new information
(which I suspect will not be forthcoming).

[0] https://archives.gentoo.org/gentoo-dev/message/99551035af66db79f60c6bd8ef7138a8
[1] https://github.com/gentoo/gentoo/pull/18894

best,
sam