Gentoo Forums
wvstreams and openssl-1.1. Plans for slotting?
mv (Watchman; joined 20 Apr 2005; posts: 6181)
Posted: Sat May 26, 2018 5:54 pm    Post subject: wvstreams and openssl-1.1. Plans for slotting?

Meanwhile the lack of openssl-1.1 is becoming security critical: All current versions of nodejs depend on it.

On the other hand, there are quite some packages which are unable to compile with openssl-1.1.0, most notably wvstreams (and thus probably wvdial; I am not sure how much of the functionality of wvdial would still work with wvstreams[-openssl]). It would be serious if wvdial would have to go in order to use current (hence secure) nodejs.

I looked through the source code of wvstreams, and while I was happy for about 1-2 hours fixing one “standard” incompatibility after another due to the now opaque structures, I eventually came to several files which make heavy use of functions which simply do not exist anymore in the openssl-1.1.0 API and also do not seem to have any replacement (in fact, details of the structures are used in wvstreams which are not available anymore through functions; serious parts of code are copied from openssl directly). It seems a rather complete restructuring of wvstreams is necessary to make it work with openssl-1.1.0, which will never happen by upstream, I am afraid.

Other distributions (most notably arch, but if I understood correctly also debian and derivatives) solve this problem by keeping libcrypto.so.1.0.0 around for such packages. (I have no idea how they will compile these packages in the future; maybe in a chroot). It seems to me that the gentoo way to solve this issue should be to slot openssl-1.1.

Such a slotting would finally allow to remove the masks for openssl-1.1 and nodejs-10 and maybe some other masks as well, and it would not hinder to add patches for the (already quite large number of) packages not supporting openssl-1.1 yet.

Are there any such slotting plans?
asturm (Developer; joined 05 Apr 2007; posts: 6443; location: Austria)
Posted: Sat May 26, 2018 6:46 pm

I'm not aware of slotting plans or even how feasible that is. What's worse, openssh upstream seems to reject an existing patch to support 1.1 in order to enforce a switch to libressl.

1.1 compat is one of the reasons for our accelerated Qt4 cleanup as well...
_________________
backend.cpp:92:2: warning: #warning TODO - this error message is about as useful as a cooling unit in the arctic
bobbymcgee (n00b; joined 12 Apr 2018; posts: 55)
Posted: Sun May 27, 2018 6:57 am

don't forget OpenSSL_1_0_2-stable is LTS, so "security critical" is a bit of a misnomer.
mv (Watchman; joined 20 Apr 2005; posts: 6181)
Posted: Sun May 27, 2018 8:48 am

bobbymcgee wrote:
don't forget OpenSSL_1_0_2-stable is LTS, so "security critical" is a bit of a misnomer.

This term was not referring to openssl but to applications of (only) openssl-1.1.

Keeping openssl:1 in a slot for some applications not converted (or never being converted) would not be security critical (for quite a while due to LTS).
But not being able to update security-relevant applications like nodejs due to not being able to install openssl:1.1 (due to lack of slotting of openssl) is (rather soon becoming) security critical.
bobbymcgee (n00b; joined 12 Apr 2018; posts: 55)
Posted: Sun May 27, 2018 5:57 pm

I am not arguing with slotting, but unless you have a better example than nodejs, my opinion stands.
Quote:
1: The 8.x Maintenance LTS cycle is currently scheduled to expire early on December 31, 2019 to align with the scheduled End-of-Life of OpenSSL-1.0.2.
mv (Watchman; joined 20 Apr 2005; posts: 6181)
Posted: Sun May 27, 2018 6:55 pm

bobbymcgee wrote:
December 31, 2019

So almost half of the time has passed already (maybe less if e.g. chromium eventually should depend on a newer version of nodejs).
No solution in sight yet.
That's no reason to panic, but perhaps a reason to seriously think about slotting.