Gentoo Archives: gentoo-project

From: Sam James <sam@g.o>
To: gentoo-dev@l.g.o
Cc: gentoo-project@l.g.o, licenses@g.o, base-system@g.o
Subject: [gentoo-project] Re: [gentoo-dev] RFC: dev-libs/openssl USE=bindist removal
Date: Thu, 30 Sep 2021 01:08:32
Message-Id: E74FC292-1FBA-477E-A495-CB8564BC9580@gentoo.org
In Reply to: [gentoo-project] RFC: dev-libs/openssl USE=bindist removal by "Robin H. Johnson"
> On 27 Sep 2021, at 23:50, Robin H. Johnson <robbat2@g.o> wrote:
>
> Deadline for responses: 2021/10/14!
>
> The Foundation would like to propose that RedHat/Fedora "hobble" patch
> presently applied when USE=bindist is true shall be removed from
> dev-libs/openssl.
>
> RedHat's stated reasons for the patch were originally to avoid any patent
> concerns, but they have also morphed over time to prevent some "insecure"
> things from being used entirely:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
> "All ECC curves < 224 bits (since RHEL 6)"
> "All binary field ECC curves (since RHEL 6)"
>
> However, the Foundation would also like to be sure that no users feel that
> patchset provides something critical to their usage of Gentoo.
>
> If nobody speaks up as saying that the "hobble" patch is REQUIRED for their use
> cases, the Foundation proposes that usage of the patchset be dropped from the
> main tree.
>
> Any users who might be concerned about patent compliance are encouraged to do
> their own due diligence, as OpenSSL was the only Gentoo package that shipped
> this type of patch, and even Fedora's upstream did not completely patch out EC
> in other packages.
>
> [snip]

Thanks for this. You've ended up addressing the comments & concerns I raised the other day
on the (slightly derailed) other thread [0]. There's a PR on this on GitHub too [1] to handle the
removal.

As I suspect was already clear, I support this move in the absence of new information
(which I suspect will not be forthcoming).

[0] https://archives.gentoo.org/gentoo-dev/message/99551035af66db79f60c6bd8ef7138a8
[1] https://github.com/gentoo/gentoo/pull/18894

best,
sam

Attachments: signature.asc (application/pgp-signature)