On Tue, Sep 10, 2024, 12:39 PM Daniel P. Berrangé <[email protected]> wrote:

> On Tue, Sep 10, 2024 at 12:26:02PM +0200, Neal Gompa wrote:
> > On Tue, Sep 10, 2024 at 12:20 PM Daniel P. Berrangé <[email protected]> wrote:
> > >
> > > On Tue, Sep 10, 2024 at 12:14:58PM +0200, Neal Gompa wrote:
> > > > On Fri, Sep 1, 2023 at 6:11 AM Neal Gompa <[email protected]> wrote:
> > > > >
> > > > > I'm bumping this thread again to ask if we can make everyone's lives
> > > > > easier by dropping all the hobbling we do today to OpenSSL, nettle,
> > > > > etc.. We *definitely* don't need it now at this point, so it's just
> > > > > needless work that creates a lot of second-order pain for people (such
> > > > > as library bindings for other programming languages).
> > > >
> > > > The annual bump on this thread to once again ask if we can make
> > > > progress on this issue. It's a pain and I really don't think we have
> > > > any reason to keep doing it anymore.
> > >
> > > It appears the maintainers of openssl & nettle have *already* removed
> > > hobbling from Fedora
> > >
> > > In nettle dist-git:
> > >
> > > commit 478b2083882071d9102297b4f0c022f65d567b1e
> > > Author: Daiki Ueno <[email protected]>
> > > Date:   Thu Aug 22 14:25:26 2024 +0900
> > >
> > >     Switch from hobbling to patching to disable algorithms
> > >
> > >     Previously, certain algorithms, such as smaller ECC curves, were
> > >     "hobbled" using the hobble-nettle script. It is now allowed to include
> > >     the algorithm implementation in the source package, though we still
> > >     want to disable them at build time.
> > >
> > >     This patch switches to using a patch-based approach to disable
> > >     them. That way, the packaging process is simplified as well as the
> > >     integrity of upstream release can be checked using %gpgverify.
> > >
> > >     Signed-off-by: Daiki Ueno <[email protected]>
> > >
> > >
> > > And in openssl dist-git:
> > >
> > > commit 477bb5e652b21c76dccaf690d2327af8f86bd16f
> > > Author: Sahana Prasad <[email protected]>
> > > Date:   Tue Mar 14 17:07:58 2023 +0100
> > >
> > >     - Upload new upstream sources without manually hobbling them.
> > >     - Remove the hobbling script as it is redundant. It is now allowed to ship
> > >       the sources of patented EC curves, however it is still made unavailable to use
> > >       by compiling with the 'no-ec2m' Configure option. The additional forbidden
> > >       curves such as P-160, P-192, wap-tls curves are manually removed by updating
> > >       0011-Remove-EC-curves.patch.
> > >     - Apply the changes to ec_curve.c and ectest.c as a new patch
> > >       0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
> > >     - Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
> > >     - Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
> > >       Resolves: rhbz#2130618, rhbz#2141672
> > >
> > >     Signed-off-by: Sahana Prasad <[email protected]>
> >
> > Right, but that's still hobbling by other means. I'm asking for us to
> > consider not doing even *that* anymore.
>
> Ah ok, so you want Fedora to build & ship all algorithms that are
> implemented by upstream, with no downstream filtering. ie no hobbling
> source tarballs, no applying source patches, no disabling via configure
> time build args ?

Yes, because all of it massively complicates stuff that builds on them,
particularly binding modules to connect them to other language ecosystems.
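One way to see what the "hobbling by other means" discussed above actually leaves in a given build, as an added example that is not part of this thread or of the Fedora nettle/openssl packages: a small Python audit that classifies the output of `openssl ecparam -list_curves` into the categories the openssl commit names (binary-field curves dropped by the `no-ec2m` Configure option, sub-224-bit prime curves such as P-160/P-192, WTLS curves, Brainpool curves). The sample listing is constructed, and the 224-bit threshold is an assumption chosen to match the P-160/P-192 examples in the commit.

```python
import re
import shutil
import subprocess

# Constructed sample in the one-line "name : description" format that
# `openssl ecparam -list_curves` prints (not captured from a real build).
SAMPLE_LIST_CURVES = """\
  secp160r1 : SECG curve over a 160 bit prime field
  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
  secp224r1 : NIST/SECG curve over a 224 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
"""

# One curve per line; entries whose description wraps onto further lines
# (e.g. the Oakley curves) are not matched and would need joining first.
CURVE_RE = re.compile(r"^\s*(\S+)\s*:.*?(\d+)\s+bit\s+(prime|binary)\s+field", re.M)

# Assumed threshold: the commit lists P-160 and P-192 as "additional
# forbidden curves", so anything below 224 bits is treated as that class.
SMALL_PRIME_BITS = 224

def classify_curves(listing):
    """Group curve names by the filtering categories the openssl commit describes.
    A curve may land in more than one group (WTLS curves are also binary-field)."""
    groups = {"ec2m": [], "small_prime": [], "wtls": [], "brainpool": []}
    for name, bits, field in CURVE_RE.findall(listing):
        if field == "binary":                  # dropped by the 'no-ec2m' Configure option
            groups["ec2m"].append(name)
        elif int(bits) < SMALL_PRIME_BITS:     # P-160/P-192 class, removed by patch
            groups["small_prime"].append(name)
        if name.startswith("wap-wsg"):         # the "wap-tls curves" of the commit
            groups["wtls"].append(name)
        if name.startswith("brainpool"):       # re-allowed by the patch change
            groups["brainpool"].append(name)
    return groups

def audit(listing=None):
    """Classify a live `openssl` binary's curve list, or the sample if none is given."""
    if listing is None and shutil.which("openssl"):
        listing = subprocess.run(["openssl", "ecparam", "-list_curves"],
                                 capture_output=True, text=True, check=True).stdout
    return classify_curves(listing if listing is not None else SAMPLE_LIST_CURVES)

if __name__ == "__main__":
    for group, names in audit().items():
        print(f"{group:12s} {len(names):2d}  {' '.join(names) or '(none)'}")
```

An empty `ec2m` group on a real binary means the build was configured with `no-ec2m`; an empty `small_prime` group means the curve-removal patch (or an equivalent) is still in effect.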
-- 
legal mailing list -- [email protected]
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]
