[arch-dev-public] OpenSSL 1.1.0

2017-01-29 Thread Pierre Schmitz

Hi,

I'd like to propose a migration to OpenSSL 1.1. The update comes with 
ABI and API changes. Every linked package needs to be rebuilt. There 
will likely be broken packages. Once the protobuf* rebuild has left the 
[staging] repo I would like to upload a first set of OpenSSL 1.1 
packages.


I have created a todo list of packages that either have a direct 
dependency on openssl or link to libssl.so.1.0.0 or libcrypto.so.1.0.0:

  https://www.archlinux.org/todo/openssl-110-rebuild/

Further reading:
* https://wiki.openssl.org/index.php/1.1_API_Changes
* https://wiki.debian.org/OpenSSL-1.1
* https://lists.debian.org/debian-devel-announce/2016/11/msg1.html
* http://pkgs.fedoraproject.org/cgit/rpms/

*) https://www.archlinux.org/todo/protobuf-320/

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com
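The proposal above selects packages by whether they link against libssl.so.1.0.0 or libcrypto.so.1.0.0. As an added example, not part of this thread and not Arch's own rebuild tooling, here is a Python script that applies the same check to the files of an installed package: it parses the text output of `readelf -d` (GNU binutils) for DT_NEEDED entries and flags the two pre-1.1 sonames. The readelf output embedded in SAMPLE_READELF is constructed for the demonstration, and the function names are my own.

```python
"""Find installed files that still link against the OpenSSL 1.0 sonames.

Added example, not part of the arch-dev-public thread. It parses the text
output of `readelf -d` (GNU binutils) and reports DT_NEEDED entries naming
the pre-1.1 sonames from the proposal. SAMPLE_READELF below is constructed.
"""
import re
import subprocess
import sys
from pathlib import Path

# The sonames shipped by OpenSSL 1.0.x; 1.1.0 bumps them to .so.1.1.
LEGACY_SONAMES = {"libssl.so.1.0.0", "libcrypto.so.1.0.0"}

# One NEEDED line of `readelf -d` looks like:
#  0x0000000000000001 (NEEDED)  Shared library: [libssl.so.1.0.0]
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")


def needed_sonames(readelf_output: str) -> list:
    """Extract the DT_NEEDED sonames, in order, from `readelf -d` text output."""
    return NEEDED_RE.findall(readelf_output)


def legacy_openssl_deps(readelf_output: str) -> set:
    """Return the subset of NEEDED entries that are OpenSSL 1.0 sonames."""
    return {s for s in needed_sonames(readelf_output) if s in LEGACY_SONAMES}


def readelf_dynamic(path: Path) -> str:
    """Run `readelf -d` on one file; non-ELF files yield empty output."""
    try:
        proc = subprocess.run(["readelf", "-d", str(path)],
                              capture_output=True, text=True)
    except FileNotFoundError:
        sys.exit("readelf (binutils) is required")
    return proc.stdout if proc.returncode == 0 else ""


def scan_package_files(files) -> dict:
    """Map each regular ELF file that needs a legacy OpenSSL soname to those sonames.

    Symlinks and directories (as listed by `pacman -Qlq`) are skipped, so each
    real library or binary is inspected once.
    """
    hits = {}
    for f in files:
        p = Path(f)
        if p.is_symlink() or not p.is_file():
            continue
        deps = legacy_openssl_deps(readelf_dynamic(p))
        if deps:
            hits[str(p)] = sorted(deps)
    return hits


# Constructed sample of `readelf -d` output for a library built against 1.0.
SAMPLE_READELF = """\
Dynamic section at offset 0x1d8 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libexample.so.3]
"""


if __name__ == "__main__":
    # Usage: pacman -Qlq <pkg> | python3 find_legacy_openssl.py
    files = [line.rstrip("\n") for line in sys.stdin if line.strip()]
    for path, deps in scan_package_files(files).items():
        print(f"{path}: {', '.join(deps)}")
```

Run it as `pacman -Qlq curl | python3 find_legacy_openssl.py` to check one package. It only sees direct DT_NEEDED entries; a program that loads libcrypto through dlopen() at run time will not be caught this way, which is one reason the todo list also includes packages with an explicit openssl dependency rather than relying on the linker check alone.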


Re: [arch-dev-public] OpenSSL 1.1.0

2017-01-29 Thread Giancarlo Razzolini

On January 29, 2017 18:49 Pierre Schmitz wrote:

> Hi,
> 
> I'd like to propose a migration to OpenSSL 1.1. The update comes with
> ABI and API changes.


I don't know if it was ever discussed, but did we ever consider LibreSSL
instead? There are some distros out there already using it; I think
the most recent convert was Alpine.

I know it would be a bigger step than simply adopting OpenSSL 1.1, but I
also think it would be a better move, since we need to rebuild everything
anyway. There will be breakage in both cases, but I think there is more to
gain by switching to LibreSSL.

Cheers,
Giancarlo Razzolini



Re: [arch-dev-public] OpenSSL 1.1.0

2017-01-29 Thread Doug Newgard
On Sun, 29 Jan 2017 21:43:18, Giancarlo Razzolini wrote:

> Em janeiro 29, 2017 18:49 Pierre Schmitz escreveu:
> > Hi,
> > 
> > I'd like to propose a migration to OpenSSL 1.1. The update comes with 
> > ABI and API changes.  
> 
> I don't know if it was ever discussed, but did we ever consider LibreSSL
> instead? There are some distros out there already using it; I think
> the most recent convert was Alpine.
> 
> I know it would be a bigger step than simply adopting OpenSSL 1.1, but I
> also think it would be a better move, since we need to rebuild everything
> anyway. There will be breakage in both cases, but I think there is more to
> gain by switching to LibreSSL.
> 
> Cheers,
> Giancarlo Razzolini

I haven't heard all that much from/about LibreSSL since shortly after the fork.
Care to share what advantages it would bring, and at what cost?




Re: [arch-dev-public] OpenSSL 1.1.0

2017-01-29 Thread Giancarlo Razzolini

On January 29, 2017 20:04 Doug Newgard wrote:

> I haven't heard all that much from/about LibreSSL since shortly after the fork.
> Care to share what advantages it would bring, and at what cost?



The cost for rebuilding everything against OpenSSL 1.1 will probably be a big
one. For LibreSSL, it would be even bigger. I think the main advantage, right
away, is that LibreSSL has a considerably better security track record,
especially after their huge flensing.

I can only dream about the bugs that might lurk in both OpenSSL 1.1 and
LibreSSL. But the defensive approach OpenBSD takes on LibreSSL has already paid
off in terms of CVEs that didn't affect it, but were high/critical issues on
OpenSSL.

It would be a considerable effort, but since there will be some for 1.1, I
thought this to be the perfect opportunity for pushing an effort for LibreSSL
instead.

I'm as of now searching the Void and Alpine bug trackers to learn the issues
they faced (we should/could learn from theirs). We would probably need to
bootstrap the core tools like makepkg, pacman, curl, etc. with static OpenSSL
support for a while, to make sure users can smoothly upgrade. Otherwise, I
expect LibreSSL to be as compatible with the userland software as OpenSSL is.

Cheers,
Giancarlo Razzolini



[arch-dev-public] Integrity Check i686: core, extra, community 30-01-2017

2017-01-29 Thread repomaint


= Integrity Check i686 of core,extra,community =


Performing integrity checks...
==> parsing pkgbuilds
==> parsing db files
==> checking mismatches
==> checking archs
==> checking dependencies
==> checking makedepends
==> checking hierarchy
==> checking for circular dependencies
==> checking for differences between db files and pkgbuilds

Mismatched Pkgnames
-
python-polib vs. /srv/abs/rsync/any/community/python2-polib

Duplicate PKGBUILDs
-
/srv/abs/rsync/any/community/python-munkres vs. /srv/abs/rsync/any/community/python2-munkres
/srv/abs/rsync/any/community/python-musicbrainzngs vs. /srv/abs/rsync/any/community/python2-musicbrainzngs
/srv/abs/rsync/any/community/python-polib vs. /srv/abs/rsync/any/community/python2-polib
/srv/abs/rsync/i686/community/python-jellyfish vs. /srv/abs/rsync/i686/community/python2-jellyfish
/srv/abs/rsync/i686/extra/ruby vs. /srv/abs/rsync/i686/core/ruby
/srv/abs/rsync/i686/extra/ruby vs. /srv/abs/rsync/i686/core/ruby

Invalid Archs
---
extra/perl-autovivification --> armv7h

Missing Dependencies
--
community/guayadeque --> 'wxgtk2.8'
community/luxblend25 --> 'luxrays'
community/luxblend25 --> 'luxrender'
community/unifi --> 'mongodb'

Missing Makedepends
-
community/mg --> 'libclens'
community/nltk-data --> 'python-nltk=3.2.1'
community/plex-home-theater --> 'ffmpeg-compat'
community/python-bleach --> 'python-html5lib-7-9s'
community/python-bleach --> 'python2-html5lib-7-9s'
community/python2-bleach --> 'python-html5lib-7-9s'
community/python2-bleach --> 'python2-html5lib-7-9s'
community/python2-pyswip --> 'setuptools'

Repo Hierarchy for Dependencies
-
core/make depends on extra/guile (643 extra (make)deps to pull)
core/openldap depends on extra/unixodbc (643 extra (make)deps to pull)
core/qgpgme depends on extra/qt5-base (643 extra (make)deps to pull)
core/ruby depends on extra/libyaml (0 extra (make)deps to pull)
core/sqlite-analyzer depends on extra/tcl (643 extra (make)deps to pull)
extra/accerciser depends on community/ipython (82 extra (make)deps to pull)
extra/archboot depends on community/arch-wiki-lite (76 extra (make)deps to pull)
extra/archboot depends on community/arch-wiki-lite (76 extra (make)deps to pull)
extra/archboot depends on community/chntpw (74 extra (make)deps to pull)
extra/archboot depends on community/cpupower (75 extra (make)deps to pull)
extra/archboot depends on community/squashfs-tools (74 extra (make)deps to pull)
extra/archboot depends on community/usb_modeswitch (74 extra (make)deps to pull)
extra/archboot depends on community/wvdial (77 extra (make)deps to pull)
extra/archboot depends on community/xl2tpd (74 extra (make)deps to pull)
extra/archiso depends on community/squashfs-tools (74 extra (make)deps to pull)
extra/archivetools depends on community/hardlink (74 extra (make)deps to pull)
extra/brasero depends on community/cdrtools (74 extra (make)deps to pull)
extra/brltty depends on community/espeak (74 extra (make)deps to pull)
extra/dvd+rw-tools depends on community/cdrtools (74 extra (make)deps to pull)
extra/easytag depends on community/opusfile (74 extra (make)deps to pull)
extra/efl depends on community/luajit (74 extra (make)deps to pull)
extra/emovix depends on community/cdrtools (74 extra (make)deps to pull)
extra/evolution depends on community/gtkspell3 (74 extra (make)deps to pull)
extra/fontforge depends on community/zeromq (74 extra (make)deps to pull)
extra/gitg depends on community/gtkspell3 (74 extra (make)deps to pull)
extra/gnome-builder depends on community/autoconf-archive (74 extra (make)deps to pull)
extra/gnome-builder depends on community/python-jedi (74 extra (make)deps to pull)
extra/gnome-builder depends on community/sysprof (74 extra (make)deps to pull)
extra/gnome-common depends on community/autoconf-archive (74 extra (make)deps to pull)
extra/gnome-photos depends on community/libgexiv2 (74 extra (make)deps to pull)
extra/gnote depends on community/gtkspell3 (74 extra (make)deps to pull)
extra/gnucash depends on community/aqbanking (77 extra (make)deps to pull)
extra/gnucash depends on community/libdbi-drivers (76 extra (make)deps to pull)
extra/gvfs-nfs depends on community/libnfs (74 extra (make)deps to pull)
extra/ibus-typing-booster depends on community/python-pyenchant (74 extra (make)deps to pull)
extra/k3b depends on community/cdrtools (74 extra (make)deps to pull)
extra/kapidox depends on community/python-jinja (74 extra (make)deps to pull)
extra/kapidox depends on community/python-yaml (74 extra (make)deps to pull)
extra/kde-development-environment-meta depends on community/ninja (75 extra (make)deps to pull)
extra/krita depends on community/opencolorio (74 extra (make)deps to pull)
extra/libgda depends on community/goocanvas (74 extra (make)deps to pull)
extra/libnm depe

Re: [arch-dev-public] OpenSSL 1.1.0

2017-01-29 Thread Allan McRae
On 30/01/17 08:30, Giancarlo Razzolini wrote:
> Em janeiro 29, 2017 20:04 Doug Newgard escreveu:
>>
>> I haven't heard all that much from/about LibreSSL since shortly after
>> the fork.
>> Care to share what advantages it would bring, and at what cost?
>>
> 
> The cost for rebuilding everything against OpenSSL 1.1 will probably be
> a big one. For LibreSSL, it would be even bigger. I think the main
> advantage, right away, is that LibreSSL has a considerably better security
> track record, especially after their huge flensing.
> 
> I can only dream about the bugs that might lurk in both OpenSSL 1.1 and
> LibreSSL. But the defensive approach OpenBSD takes on LibreSSL has already
> paid off in terms of CVEs that didn't affect it, but were high/critical
> issues on OpenSSL.
> 

Please cite one example. Every CVE I have seen that is of at least
high severity has affected both.  There have been some low severity ones
only affecting openssl.

Even worse, the fix time for libressl in the couple of issues I
monitored was worse than openssl.

A