Hi,
On 05/12/2013 08:46 AM, Jeff Mendoza wrote:
> Hi,
> I have worked a bit on:
>
> Request: OpenSSL with Elliptic Curve, IDEA, MDC-2, RC5 crypto algorithms
> Summary: The OpenSSL toolkit provides support for secure communications
> between machines.
> URL: http://www.openssl.org/
> Why not in Fedora: Because of the problem with software patents:
> https://bugzilla.redhat.com/show_bug.cgi?id=319901
> Notes: OpenSSL is included in Fedora but with Elliptic Curve, IDEA, MDC-2,
> RC5 crypto algorithms disabled.
>
> from the http://rpmfusion.org/Wishlist.
>
> I have a building and working rpm, but I don't know what the name/version
> should be. Is there a standard for packages that replace one in Fedora? I
> thought of calling it openssl-ec, and having it conflict with openssl, but you
> can't use yum to replace it without removing openssl and all its dependent
> packages. Using 'rpm -e --nodeps' and then installing the replacement works
> fine.

Hmm, I didn't know we had this on our wish list, I must say that given the
security implications, I'm not really enthusiastic about having a
replacement for openssl in rpmfusion.

We do sometimes use conflicts for -freeworld versions of applications which
are built with extra features.

But for libraries we should never use Conflicts, as they may change soname
and then things will break hard. The usual approach is instead to install
the rpmfusion version of the lib into a subdir of %{_libdir} and then drop
in a .conf file into /etc/ld.so.conf.d/ adding that dir to the search path
(such a dir will then be searched before %{_libdir}).

Given the special nature of openssl and its tendency to change soname every
other release, the only acceptable solution to me would be to:

1) Not Conflict
2) Put the openssl so file in a subdir of %{_libdir}
3) Provide an example file for /etc/ld.so.conf.d/ as %doc
4) Add a README.rpmfusion explaining that the example file needs to be
   copied by the admin to /etc/ld.so.conf.d/ and containing a big fat
   warning that rpmfusion cannot guarantee timely security updates to its
   openssl package, and that the admin may need to disable it, falling back
   to the rpmfusion version, when a security update to openssl is needed.

Note that this means that a simple "yum install openssl-freeworld" will do
nothing but eat some disk-space. This is by design, so that people doing
"yum install openssl*" or "yum install *-freeworld" don't accidentally start
depending on our openssl. The move to rpmfusion ssl REALLY needs to be a
conscious decision, not a side effect of a badly constructed yum command.

Regards,
Hans
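
Added example, not part of the original message and not rpmfusion's own tooling: a small audit an admin could run to see whether an /etc/ld.so.conf.d drop-in of the kind described above currently puts a replacement library ahead of the one in %{_libdir}, for instance before deciding whether to disable it for a security update. The function name shadowed_libs, the /usr/lib64 value for %{_libdir}, the openssl-freeworld directory and the libssl.so.10 file name are assumptions used for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report libraries that an
# /etc/ld.so.conf.d drop-in places ahead of the default library directory.
# Simplifications: only plain directory lines are read ("include" lines and
# anything not starting with "/" are skipped), and libraries are matched by
# file name, which equals the soname in the usual symlink layout.

# usage: shadowed_libs ROOT LIBDIR PATTERN
#   ROOT     tree to inspect ("" for the running system)
#   LIBDIR   default library dir; /usr/lib64 is assumed for %{_libdir}
#   PATTERN  glob for the library file names, e.g. 'libssl.so.*'
shadowed_libs() {
    root=$1 libdir=$2 pattern=$3
    for conf in "$root"/etc/ld.so.conf.d/*.conf; do
        [ -f "$conf" ] || continue
        # "read dir rest" trims surrounding whitespace from each line
        while read -r dir rest || [ -n "$dir" ]; do
            case $dir in /*) ;; *) continue ;; esac
            for lib in "$root$dir"/$pattern; do
                [ -e "$lib" ] || continue
                name=${lib##*/}
                if [ -e "$root$libdir/$name" ]; then
                    # same name in both places: the drop-in copy is in effect
                    echo "SHADOWED $libdir/$name by $dir/$name (${conf##*/})"
                else
                    # no same-named system file, e.g. after a soname change
                    echo "UNMATCHED $dir/$name (${conf##*/})"
                fi
            done
        done < "$conf"
    done
    return 0
}

# Constructed demo tree: a hypothetical openssl-freeworld subdirectory that
# the admin has enabled by copying the example .conf file into place.
demo=$(mktemp -d)
mkdir -p "$demo/etc/ld.so.conf.d" "$demo/usr/lib64/openssl-freeworld"
: > "$demo/usr/lib64/libssl.so.10"
: > "$demo/usr/lib64/openssl-freeworld/libssl.so.10"
echo /usr/lib64/openssl-freeworld > "$demo/etc/ld.so.conf.d/openssl-freeworld.conf"
shadowed_libs "$demo" /usr/lib64 'libssl.so.*'
rm -rf "$demo"
```

On a live system the call would be shadowed_libs "" /usr/lib64 'libssl.so.*'; removing the drop-in and running ldconfig makes the SHADOWED line go away.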