| View previous topic :: View next topic |
| Author |
Message |
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
|
 Posted: Sat May 26, 2018 5:54 pm Post subject: wvstreams and openssl-1.1. Plans for slotting? |
 |
|
Meanwhile the lack of openssl-1.1 is becoming security critical: All current versions of nodejs depend on it.
On the other hand, there are quite some packages which are unable to compile with openssl-1.1.0, most notably wvstreams (and thus probably wvdial; I am not sure how much of the functionality of wvdial would still work with wvstreams[-openssl]). It would be serious if wvdial would have to go in order to use current (hence secure) nodejs.
I looked through the source code of wvstreams, and while I was happy for about 1-2 hours fixing one “standard” incompatbility after another due to the now opaque structures, I eventually came to several files which make heavy use of functions which simply do not exist anymore in the openssl-1.1.0 API and also do not seem to have any replacement (in fact, details of the structures are used in wvstreams which are not available anymore through functions; serious parts of code are copied from openssl directly). It seems a rather complete restructuring of wvstreams is necessary to make it work with openssl-1.1.0 which will never happen by upstream, I am afraid.
Other distributions (most notably arch, but if I understood correctly also debian and derivatives) solve this problem by keeping libcrypto.so.1.0.0 around for such packages. (I have no idea how they will compile these packages in the future; maybe in a chroot). It seems to me that the gentoo way to solve this issue should be to slot openssl-1.1.
Such a slotting would finally allow to remove the masks for openssl-1.1 and nodejs-10 and maybe some other masks as well, and it would not hinder to add patches for the (already quite large number of) packages not supporting openssl-1.1 yet.
Are there any such slotting plans? |
|
| Back to top |
|
 |
asturm
Developer
Joined: 05 Apr 2007
Posts: 8936
|
| Posted: Sat May 26, 2018 6:46 pm Post subject: |
|
|
I'm not aware of slotting plans or even how feasible that is. What's worse, openssh upstream seems to reject an existing patch to support 1.1 in order to enforce a switch to libressl.
1.1 compat is one of the reasons for our accelerated Qt4 cleanup as well... |
|
| Back to top |
|
|
bobbymcgee
n00b
Joined: 12 Apr 2018
Posts: 55
|
| Posted: Sun May 27, 2018 6:57 am Post subject: |
|
|
| don't forget OpenSSL_1_0_2-stable is LTS, so "security critical" is a bit of a misnomer. |
|
| Back to top |
|
|
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
|
| Posted: Sun May 27, 2018 8:48 am Post subject: |
|
|
| bobbymcgee wrote: | | don't forget OpenSSL_1_0_2-stable is LTS, so "security critical" is a bit of a misnomer. |
This term was not referring to openssl but to applications of (only) openssl-1.1.
Keeping openssl:1 in a slot for some applications not converted (or never being converted) would not be security critical (for quite a while due to LTS).
But not being able to update security-relevant applications like nodejs due to not being able to install openssl:1.1 (due to lack of slotting of openssl) is (rather soon becoming) security critical. |
|
| Back to top |
|
|
bobbymcgee
n00b
Joined: 12 Apr 2018
Posts: 55
|
| Posted: Sun May 27, 2018 5:57 pm Post subject: |
|
|
I am not arguing with slotting, but unless you have a better example than nodejs, my opinion stands.
| Quote: | | 1: The 8.x Maintenance LTS cycle is currently scheduled to expire early on December 31, 2019 to align with the scheduled End-of-Life of OpenSSL-1.0.2. |
|
|
| Back to top |
|
|
mv
Watchman
Joined: 20 Apr 2005
Posts: 6747
|
| Posted: Sun May 27, 2018 6:55 pm Post subject: |
|
|
| bobbymcgee wrote: | | December 31, 2019 |
So almost half of the time has passed already (maybe less if e.g. chromium eventually should depend on a newer version of nodejs).
No solution in sight yet.
That's no reason to panic, but perhaps a reason to seriously think about slotting. |
|
| Back to top |
|
|
|
Networking & Security
