mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sat May 26, 2018 5:54 pm Post subject: wvstreams and openssl-1.1. Plans for slotting?

Meanwhile the lack of openssl-1.1 is becoming security critical: all current versions of nodejs depend on it.
On the other hand, there are quite some packages which are unable to compile with openssl-1.1.0, most notably wvstreams (and thus probably wvdial; I am not sure how much of the functionality of wvdial would still work with wvstreams[-openssl]). It would be serious if wvdial had to go in order to use current (hence secure) nodejs.
I looked through the source code of wvstreams, and while I was happy for about 1-2 hours fixing one "standard" incompatibility after another due to the now opaque structures, I eventually came to several files which make heavy use of functions which simply do not exist anymore in the openssl-1.1.0 API and also do not seem to have any replacement (in fact, details of the structures are used in wvstreams which are not available anymore through functions; serious parts of code are copied from openssl directly). It seems a rather complete restructuring of wvstreams is necessary to make it work with openssl-1.1.0, which will never happen upstream, I am afraid.
Other distributions (most notably arch, but if I understood correctly also debian and derivatives) solve this problem by keeping libcrypto.so.1.0.0 around for such packages. (I have no idea how they will compile these packages in the future; maybe in a chroot.) It seems to me that the gentoo way to solve this issue should be to slot openssl-1.1.
Such slotting would finally allow removing the masks for openssl-1.1 and nodejs-10 and maybe some other masks as well, and it would not hinder adding patches for the (already quite large number of) packages not supporting openssl-1.1 yet.
Are there any such slotting plans?

asturm Developer
Joined: 05 Apr 2007 Posts: 8936
Posted: Sat May 26, 2018 6:46 pm Post subject:

I'm not aware of slotting plans or even how feasible that is. What's worse, openssh upstream seems to reject an existing patch to support 1.1 in order to enforce a switch to libressl.
1.1 compat is one of the reasons for our accelerated Qt4 cleanup as well...

bobbymcgee n00b
Joined: 12 Apr 2018 Posts: 55
Posted: Sun May 27, 2018 6:57 am Post subject:

Don't forget OpenSSL_1_0_2-stable is LTS, so "security critical" is a bit of a misnomer.

mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sun May 27, 2018 8:48 am Post subject:

bobbymcgee wrote:
    don't forget OpenSSL_1_0_2-stable is LTS, so "security critical" is a bit of a misnomer.

This term was not referring to openssl but to applications of (only) openssl-1.1.
Keeping openssl:1 in a slot for some applications not converted (or never being converted) would not be security critical (for quite a while, due to LTS).
But not being able to update security-relevant applications like nodejs due to not being able to install openssl:1.1 (due to lack of slotting of openssl) is (rather soon becoming) security critical.

bobbymcgee n00b
Joined: 12 Apr 2018 Posts: 55
Posted: Sun May 27, 2018 5:57 pm Post subject:

I am not arguing with slotting, but unless you have a better example than nodejs, my opinion stands.
Quote:
    1: The 8.x Maintenance LTS cycle is currently scheduled to expire early on December 31, 2019 to align with the scheduled End-of-Life of OpenSSL-1.0.2.

mv Watchman
Joined: 20 Apr 2005 Posts: 6747
Posted: Sun May 27, 2018 6:55 pm Post subject:

bobbymcgee wrote:
    December 31, 2019

So almost half of the time has passed already (maybe less if e.g. chromium eventually should depend on a newer version of nodejs).
No solution in sight yet.
That's no reason to panic, but perhaps a reason to seriously think about slotting.