Re: [arch-dev-public] OpenSSL 1.1.0

2017-04-23 Thread Pierre Schmitz

On 23.04.2017 03:30, Allan McRae wrote:
> On 23/04/17 08:07, Gaetan Bisson wrote:
>> [2017-04-22 18:05:27 +0200] Sébastien Luttringer:
>>> When do you plan to move openssl rebuild out of testing?
>>
>> Quoting arojas on IRC:
>>
>> 2017-04-20 09:11:27 arojas: current blocker for openssl if FS#53618
>> 2017-04-20 09:11:47 arojas: someone needs to decide whether we care about it
>> or not, and if yes do something to fix it
>
> Given there is a workaround, a news item should be posted and we should
> stop blocking the entire distribution with this rebuild.
>
> Allan


This is fine by me. I cannot reproduce the error with Steam. See my
comment at https://bugs.archlinux.org/task/53618. Does anybody have more
input on this? Even if games try to access the system library rather
than the Steam ones, this is more of a game or Steam bug.


Pierre

--
Pierre Schmitz, https://pierre-schmitz.com


Re: [arch-dev-public] OpenSSL 1.1.0

2017-04-22 Thread Allan McRae
On 23/04/17 08:07, Gaetan Bisson wrote:
> [2017-04-22 18:05:27 +0200] Sébastien Luttringer:
>> When do you plan to move openssl rebuild out of testing?
> 
> Quoting arojas on IRC:
> 
> 2017-04-20 09:11:27 arojas: current blocker for openssl if FS#53618
> 2017-04-20 09:11:47 arojas: someone needs to decide whether we care about it 
> or not, and if yes do something to fix it
> 

Given there is a workaround, a news item should be posted and we should
stop blocking the entire distribution with this rebuild.

Allan


Re: [arch-dev-public] OpenSSL 1.1.0

2017-04-22 Thread Gaetan Bisson
[2017-04-22 18:05:27 +0200] Sébastien Luttringer:
> When do you plan to move openssl rebuild out of testing?

Quoting arojas on IRC:

2017-04-20 09:11:27 arojas: current blocker for openssl if FS#53618
2017-04-20 09:11:47 arojas: someone needs to decide whether we care about it or 
not, and if yes do something to fix it

-- 
Gaetan




Re: [arch-dev-public] OpenSSL 1.1.0

2017-04-22 Thread Sébastien Luttringer
On Sat, 2017-02-11 at 09:32 +0100, Pierre Schmitz wrote:
> On 29.01.2017 21:49, Pierre Schmitz wrote:
> > Hi,
> > 
> > I'd like to propose a migration to OpenSSL 1.1. The update comes with
> > ABI and API changes. Every linked packages needs to be rebuild. There
> > will likely be broken packages. Once the protobuf* rebuild has left
> > the [staging] repo I would like to upload a first set of OpenSSL 1.1
> > packages.
> > 
> > I have created a todo list of packages that either have a direct
> > dependency on openssl or link to libssl.so.1.0.0 or
> > libcrypto.so.1.0.0:
> >   https://www.archlinux.org/todo/openssl-110-rebuild/
> 
> I will push the first set of packages to [staging]. Please avoid doing 
> other rebuilds until this one is done.
> 
> Greetings,
> 
> Pierre
> 
When do you plan to move openssl rebuild out of testing?

Cheers,


-- 
Sébastien "Seblu" Luttringer






Re: [arch-dev-public] OpenSSL 1.1.0

2017-03-25 Thread Bartłomiej Piotrowski
On 2017-03-25 13:50, Jerome Leclanche wrote:
> On Sat, Mar 25, 2017 at 2:46 PM, Lukas Fleischer wrote:
>> Hi,
>>
>> I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing].
>> Please report issues to the bug tracker.
>>
>> Regards,
>> Lukas
> 
> Heads up, uwsgi breaks with OpenSSL 1.1:
> https://github.com/unbit/uwsgi/issues/1395
> 
> This is fixed in uwsgi 2.0.15 which is not released yet (cf comments).
> J. Leclanche
> 

Unless I missed something, we backported the patch that makes it work
with latest OpenSSL. Otherwise we wouldn't move the rebuild from staging…


Re: [arch-dev-public] OpenSSL 1.1.0

2017-03-25 Thread Jerome Leclanche
On Sat, Mar 25, 2017 at 2:46 PM, Lukas Fleischer wrote:
> Hi,
>
> I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing].
> Please report issues to the bug tracker.
>
> Regards,
> Lukas

Heads up, uwsgi breaks with OpenSSL 1.1:
https://github.com/unbit/uwsgi/issues/1395

This is fixed in uwsgi 2.0.15 which is not released yet (cf comments).
J. Leclanche


Re: [arch-dev-public] OpenSSL 1.1.0

2017-03-25 Thread Lukas Fleischer
Hi,

I just moved the OpenSSL 1.1.0 and libgit2 0.25 rebuilds to [testing].
Please report issues to the bug tracker.

Regards,
Lukas


Re: [arch-dev-public] OpenSSL 1.1.0

2017-03-02 Thread Jan de Groot
On Thu, 2017-03-02 at 20:06 +0100, Lukas Fleischer wrote:
> On Thu, 02 Mar 2017 at 07:05:44, Lukas Fleischer wrote:
> > What is the plan for packages where upstream is dead or reluctant
> > to
> > migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a
> > legacy
> > openssl-compat (or libressl) package for a while?
> 
> It seems like there already is an openssl-1.0 package [1]. This makes
> everything much easier. Thanks.
> 
> [1] https://www.archlinux.org/packages/?q=openssl-1.0

To use this package you need to set
PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig. If your package doesn't use
PKG_CONFIG_PATH to look for openssl you'll have to manually add
-I/usr/include/openssl-1.0 to CFLAGS and -L/usr/lib/openssl-1.0 to LDFLAGS.

Also, make sure that your resulting package uses the correct library.
You don't want to link to two different versions of OpenSSL. An example
where this happens is ptlib/opal, Opal will happily compile against
OpenSSL 1.1 while ptlib is compiled against 1.0 if no changes are made
to opal.
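
Added example, not part of the thread: one way to check a built package for the situation described in the message above, where a binary ends up with both the 1.0 and the 1.1 OpenSSL libraries in its dependency closure. The function names, the libexample library and the sample ldd listings are constructed for illustration; the 1.0.0 sonames are the ones named in the rebuild announcement, and libssl.so.1.1 / libcrypto.so.1.1 are the OpenSSL 1.1 sonames.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `ldd`-style output on stdin and
# reports which OpenSSL ABI versions appear among the resolved libraries.
# Only run ldd on files you built or otherwise trust.

# Print each distinct libssl/libcrypto soname version, one per line.
openssl_abis() {
    grep -oE 'lib(ssl|crypto)\.so\.[0-9]+(\.[0-9]+)*' \
        | sed 's/^lib[a-z]*\.so\.//' \
        | sort -u
}

# Status 0: zero or one OpenSSL ABI present. Status 1: two or more (mixed).
# $1 is only a label for the report line.
check_openssl_mix() {
    label=$1
    abis=$(openssl_abis)
    count=$(printf '%s\n' "$abis" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -gt 1 ]; then
        printf '%s: MIXED OpenSSL ABIs: %s\n' "$label" "$(echo $abis)"
        return 1
    fi
    printf '%s: ok (%s)\n' "$label" "${abis:-no OpenSSL}"
}

# Constructed sample: a library built against OpenSSL 1.1 whose dependency
# (hypothetical libexample) was built against openssl-1.0.
sample_mixed() {
    cat <<'EOF'
    libexample.so.1 => /usr/lib/libexample.so.1 (0x00007f0000a00000)
    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f0000800000)
    libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f0000400000)
    libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x00007f0000200000)
    libcrypto.so.1.0.0 => /usr/lib/libcrypto.so.1.0.0 (0x00007f0000000000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007effffc00000)
EOF
}

# Constructed sample: everything in the closure uses the same OpenSSL ABI.
sample_clean() {
    cat <<'EOF'
    libexample.so.1 => /usr/lib/libexample.so.1 (0x00007f0000a00000)
    libssl.so.1.1 => /usr/lib/libssl.so.1.1 (0x00007f0000800000)
    libcrypto.so.1.1 => /usr/lib/libcrypto.so.1.1 (0x00007f0000400000)
    libc.so.6 => /usr/lib/libc.so.6 (0x00007effffc00000)
EOF
}

# Check every file given; return 1 if any of them mixes OpenSSL ABIs.
scan_files() {
    status=0
    for f in "$@"; do
        ldd "$f" 2>/dev/null | check_openssl_mix "$f" || status=1
    done
    return "$status"
}

# With file arguments (for example the ELF files of a freshly built package),
# scan them; without arguments the script only defines the functions.
if [ "$#" -gt 0 ]; then
    scan_files "$@"
fi
```

Because ldd resolves the whole dependency closure, this also catches the indirect case where the second OpenSSL version comes in through another library rather than through the binary's own link line.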


Re: [arch-dev-public] OpenSSL 1.1.0

2017-03-02 Thread Lukas Fleischer
On Thu, 02 Mar 2017 at 07:05:44, Lukas Fleischer wrote:
> What is the plan for packages where upstream is dead or reluctant to
> migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy
> openssl-compat (or libressl) package for a while?

It seems like there already is an openssl-1.0 package [1]. This makes
everything much easier. Thanks.

[1] https://www.archlinux.org/packages/?q=openssl-1.0


Re: [arch-dev-public] OpenSSL 1.1.0

2017-03-01 Thread Lukas Fleischer
On Sun, 29 Jan 2017 at 21:49:51, Pierre Schmitz wrote:
> I'd like to propose a migration to OpenSSL 1.1. The update comes with 
> ABI and API changes. Every linked packages needs to be rebuild. There 
> will likely be broken packages. Once the protobuf* rebuild has left the 
> [staging] repo I would like to upload a first set of OpenSSL 1.1 
> packages.

What is the plan for packages where upstream is dead or reluctant to
migrate to OpenSSL 1.1.0 (see e.g. [1])? Are we going to ship a legacy
openssl-compat (or libressl) package for a while?

Regards,
Lukas

[1] https://github.com/OpenSMTPD/OpenSMTPD/issues/738


Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-25 Thread Christian Hesse
Christian Hesse on Thu, 2017/02/23 22:29:
> I have a working version of openvpn, but it requires heavy patching. I will
> wait for version 2.4.1 which has a lot of preparation (and with some luck is
> ported completely). Will push an openssl rebuild then.
> If anybody is interested... Raise your hands and let me know, I can provide
> packages for testing.

I am not sure about the amount of spare time I will have in about two weeks.
So I decided to push the patches now...
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-24 Thread Christian Hesse
Baptiste Jonglez on Thu, 2017/02/23 23:36:
> > Mupdf is a burden to maintain due to build system, bundled libraries and
> > static linking. Looks like upstream is not yet interested in openssl
> > 1.1.0... As I do not use it currently this will move to [community] if no
> > one steps up.   
> 
> Can't you just drop the dependency on openssl?  What is it used for?
> As far as I can tell, Debian does not build mupdf against openssl:

Just did that and pushed to [community-testing].

With mupdf linked against openssl you have support for PKCS#7 which is used
for digital signatures in PDF documents.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-24 Thread Christian Hesse
Christian Hesse on Fri, 2017/02/24 13:37:
> Antonio Rojas on Thu, 2017/02/23 21:42:
> > On Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse wrote:
> >   
> > > Mariadb is still unsolved. There is a ticket in upstream jira [0] but it
> > > does not carry anything useful. There's a reference for a review, but I
> > > could not find the patch in mail archive. Will try to contact the
> > > developers and express our interest...
> > 
> > In the meantime, is temporarily switching to internal yassl (as Debian 
> > does) an option? This is blocking all Qt rebuilds (which will also be a 
> > pain themselves), so it would be nice to have a build in staging
> > soonish.  
> 
> Ah, did not know this is a huge blocker. I will try.

I pushed mariadb 10.1.21-2 to [testing]. Please give it a try...
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-24 Thread Christian Hesse
Antonio Rojas on Thu, 2017/02/23 21:42:
> On Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse wrote:
> 
> > Mariadb is still unsolved. There is a ticket in upstream jira [0] but it
> > does not carry anything useful. There's a reference for a review, but I
> > could not find the patch in mail archive. Will try to contact the
> > developers and express our interest...  
> 
> In the meantime, is temporarily switching to internal yassl (as Debian 
> does) an option? This is blocking all Qt rebuilds (which will also be a 
> pain themselves), so it would be nice to have a build in staging soonish.

Ah, did not know this is a huge blocker. I will try.
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-23 Thread Baptiste Jonglez
On Thu, Feb 23, 2017 at 10:29:17PM +0100, Christian Hesse wrote:
> > I will push the first set of packages to [staging]. Please avoid doing 
> > other rebuilds until this one is done.
> 
> Are you interested in details?

FWIW, Debian stretch has openssl 1.1.0, so I guess they had to adapt lots
of packages.

> Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does
> not carry anything useful. There's a reference for a review, but I could not
> find the patch in mail archive. Will try to contact the developers and
> express our interest...

The debian package uses `-DWITH_SSL=bundled` [1] to avoid linking with the
system-wide openssl.  Not a great solution, though.

> Mupdf is a burden to maintain due to build system, bundled libraries and
> static linking. Looks like upstream is not yet interested in openssl 1.1.0...
> As I do not use it currently this will move to [community] if no one
> steps up. 

Can't you just drop the dependency on openssl?  What is it used for?
As far as I can tell, Debian does not build mupdf against openssl:

root@stretch:~# apt show mupdf
Package: mupdf
Version: 1.9a+ds1-4
Depends: libc6 (>= 2.15), libfreetype6 (>= 2.6), libharfbuzz0b (>= 0.9.11), 
libjbig2dec0 (>= 0.11), libjpeg62-turbo (>= 1.3.1), libopenjp2-7 (>= 2.0.0), 
libx11-6, libxext6, zlib1g (>= 1:1.2.0)
root@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep ssl
root@stretch:~# ldd /usr/lib/mupdf/mupdf-x11 | grep crypto
root@stretch:~#

I just tested building the package without openssl support (I had to patch
out references to openssl and libcrypto from Makerules, since openssl is
part of the base chroot when building), and it seems to work fine.

Baptiste

[1] https://packages.debian.org/stretch/libmariadbclient18





Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-23 Thread Antonio Rojas
On Thu, 23 Feb 2017 22:29:17 +0100, Christian Hesse wrote:

> Mariadb is still unsolved. There is a ticket in upstream jira [0] but it
> does not carry anything useful. There's a reference for a review, but I
> could not find the patch in mail archive. Will try to contact the
> developers and express our interest...

In the meantime, is temporarily switching to internal yassl (as Debian 
does) an option? This is blocking all Qt rebuilds (which will also be a 
pain themselves), so it would be nice to have a build in staging soonish.


Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-23 Thread Christian Hesse
Pierre Schmitz on Sat, 2017/02/11 09:32:
> On 29.01.2017 21:49, Pierre Schmitz wrote:
> > Hi,
> > 
> > I'd like to propose a migration to OpenSSL 1.1. The update comes with
> > ABI and API changes. Every linked packages needs to be rebuild. There
> > will likely be broken packages. Once the protobuf* rebuild has left
> > the [staging] repo I would like to upload a first set of OpenSSL 1.1
> > packages.
> > 
> > I have created a todo list of packages that either have a direct
> > dependency on openssl or link to libssl.so.1.0.0 or
> > libcrypto.so.1.0.0:
> >   https://www.archlinux.org/todo/openssl-110-rebuild/  
> 
> I will push the first set of packages to [staging]. Please avoid doing 
> other rebuilds until this one is done.

Are you interested in details?

I have a working version of openvpn, but it requires heavy patching. I will
wait for version 2.4.1 which has a lot of preparation (and with some luck is
ported completely). Will push an openssl rebuild then.
If anybody is interested... Raise your hands and let me know, I can provide
packages for testing.

Mariadb is still unsolved. There is a ticket in upstream jira [0] but it does
not carry anything useful. There's a reference for a review, but I could not
find the patch in mail archive. Will try to contact the developers and
express our interest...

Mupdf is a burden to maintain due to build system, bundled libraries and
static linking. Looks like upstream is not yet interested in openssl 1.1.0...
As I do not use it currently this will move to [community] if no one
steps up. 

[0] https://jira.mariadb.org/browse/MDEV-10332
-- 
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];)
putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}




Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-12 Thread Giancarlo Razzolini

On February 11, 2017 6:36 Pierre Schmitz wrote:
> For now I'd like to keep openssl. This might change when upstream
> projects might switch to libressl. ATM I do not see an objective reason
> to do so. If it is a drop in replacement a separate package could be
> provided.

Sure, as I said, it was just an idea. LibreSSL is mostly a drop-in replacement,
I was taking some time to analyze void and alpine switch and they had some issues
that they sorted out. OpenBSD had the same issue with their ports (several patches
were sent upstream) and they detected several poor usages of the OpenSSL library.

Some of the poor usage was bad coding practices, and some was because the library
itself allowed it. I think most upstream projects won't change to LibreSSL, either
OpenSSL compatible, or their libtls, for lack of interest in changing the status
quo. For some projects there is also money involved, but that's another issue
entirely.

I don't know if this is a chicken-egg issue, because downstream doesn't switch to
LibreSSL because upstream doesn't use LibreSSL, and so on. The main reason to switch
would be better security overall. But a secondary effect of that would be to force
upstream's hand to either code properly or use a different library altogether.

If you are willing I could try to create a separate LibreSSL package, so individual
maintainers could build against either. I just don't see it being sustainable on the
long run.

Cheers,
Giancarlo Razzolini



Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-11 Thread Pierre Schmitz

On 30.01.2017 14:09, Giancarlo Razzolini wrote:
> On January 30, 2017 1:05 Allan McRae wrote:
>> Please cite one example.   Every CVE I have seen that is of at least
>> high severity has affected both.  There have been some low severity ones
>> only affecting openssl.
>>
>> Even worse, the fix time for libressl in the couple of issues I
>> monitored was worse than openssl.
>
> I don't have a ready list, but I can make one, sure. One thing I can say
> is that it wasn't *every*[0] high/critical CVE that affected both libraries.
>
> And yes, I presume fix time will be somewhat worse than OpenSSL's, because
> it is a portable version of a library mainly focused on OpenBSD.
>
> As I said, it is a suggestion for us to consider instead of going OpenSSL 1.1
> way. Both will be hard, but I think in the end we would be better off using
> LibreSSL.
>
> Cheers,
> Giancarlo Razzolini
>
> [0] https://en.wikipedia.org/wiki/LibreSSL

For now I'd like to keep openssl. This might change when upstream 
projects might switch to libressl. ATM I do not see an objective reason 
to do so. If it is a drop in replacement a separate package could be 
provided.


Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com


Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-11 Thread Pierre Schmitz

On 29.01.2017 21:49, Pierre Schmitz wrote:
> Hi,
>
> I'd like to propose a migration to OpenSSL 1.1. The update comes with
> ABI and API changes. Every linked packages needs to be rebuild. There
> will likely be broken packages. Once the protobuf* rebuild has left
> the [staging] repo I would like to upload a first set of OpenSSL 1.1
> packages.
>
> I have created a todo list of packages that either have a direct
> dependency on openssl or link to libssl.so.1.0.0 or
> libcrypto.so.1.0.0:
>   https://www.archlinux.org/todo/openssl-110-rebuild/

I will push the first set of packages to [staging]. Please avoid doing
other rebuilds until this one is done.


Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com


Re: [arch-dev-public] OpenSSL 1.1.0

2017-01-30 Thread Giancarlo Razzolini

On January 30, 2017 1:05 Allan McRae wrote:
> Please cite one example.   Every CVE I have seen that is of at least
> high severity has affected both.  There have been some low severity ones
> only affecting openssl.
>
> Even worse, the fix time for libressl in the couple of issues I
> monitored was worse than openssl.



I don't have a ready list, but I can make one, sure. One thing I can say
is that it wasn't *every*[0] high/critical CVE that affected both libraries.

And yes, I presume fix time will be somewhat worse than OpenSSL's, because
it is a portable version of a library mainly focused on OpenBSD.

As I said, it is a suggestion for us to consider instead of going OpenSSL 1.1
way. Both will be hard, but I think in the end we would be better off using
LibreSSL.

Cheers,
Giancarlo Razzolini

[0] https://en.wikipedia.org/wiki/LibreSSL



Re: [arch-dev-public] OpenSSL 1.1.0

2017-01-29 Thread Allan McRae
On 30/01/17 08:30, Giancarlo Razzolini wrote:
> On January 29, 2017 20:04 Doug Newgard wrote:
>>
>> I haven't heard all that much from/about LibreSSL since shortly after
>> the fork.
>> Care to share what advantages it would bring, and at what cost?
>>
>
> The cost for rebuilding everything against OpenSSL 1.1 will probably be a big one.
> For LibreSSL, it would be even bigger. I think the main advantage, right away, is
> that LibreSSL has a considerably better security track, specially after their huge
> flensing.
>
> I can only dream about the bugs that might lurk on both OpenSSL 1.1 and LibreSSL.
> But the defensive approach OpenBSD takes on LibreSSL already has paid off in terms
> of CVE's that didn't affect it, but were high/critical issues on OpenSSL.
>

Please cite one example.   Every CVE I have seen that is of at least
high severity has affected both.  There have been some low severity ones
only affecting openssl.

Even worse, the fix time for libressl in the couple of issues I
monitored was worse than openssl.

A


Re: [arch-dev-public] OpenSSL 1.1.0

2017-01-29 Thread Giancarlo Razzolini

On January 29, 2017 20:04 Doug Newgard wrote:
> I haven't heard all that much from/about LibreSSL since shortly after the fork.
> Care to share what advantages it would bring, and at what cost?

The cost for rebuilding everything against OpenSSL 1.1 will probably be a big one.
For LibreSSL, it would be even bigger. I think the main advantage, right away, is
that LibreSSL has a considerably better security track, specially after their huge
flensing.

I can only dream about the bugs that might lurk on both OpenSSL 1.1 and LibreSSL.
But the defensive approach OpenBSD takes on LibreSSL already has paid off in terms
of CVE's that didn't affect it, but were high/critical issues on OpenSSL.

It would be a considerable effort, but since there will be some for 1.1, I thought
this to be the perfect opportunity for pushing an effort for LibreSSL instead.

I'm as of now searching Void and Alpine bug trackers for learning the issues they
faced (we should/could learn from theirs). We would probably need to bootstrap the
core tools like makepkg, pacman, curl, etc with static OpenSSL support for a while,
to make sure users can smoothly upgrade. Otherwise, I expect LibreSSL to be as much
compatible with the userland software as OpenSSL is.

Cheers,
Giancarlo Razzolini



Re: [arch-dev-public] OpenSSL 1.1.0

2017-01-29 Thread Doug Newgard
On Sun, 29 Jan 2017 21:43:18 +
Giancarlo Razzolini wrote:

> On January 29, 2017 18:49 Pierre Schmitz wrote:
> > Hi,
> > 
> > I'd like to propose a migration to OpenSSL 1.1. The update comes with 
> > ABI and API changes.  
> 
> I don't know if it ever was discussed, but did we ever consider LibreSSL
> instead? There are some distros out there already using it, I think
> the most recent convert was Alpine.
> 
> I know it would be a bigger step than simply adopting OpenSSL 1.1, but I
> also think it would be a better move, since we need to rebuild everything
> anyway. There will be breakage in both cases, but I think there is more to
> gain by switching to LibreSSL.
> 
> Cheers,
> Giancarlo Razzolini

I haven't heard all that much from/about LibreSSL since shortly after the fork.
Care to share what advantages it would bring, and at what cost?




Re: [arch-dev-public] OpenSSL 1.1.0

2017-01-29 Thread Giancarlo Razzolini

On January 29, 2017 18:49 Pierre Schmitz wrote:
> Hi,
>
> I'd like to propose a migration to OpenSSL 1.1. The update comes with
> ABI and API changes.

I don't know if it ever was discussed, but did we ever consider LibreSSL
instead? There are some distros out there already using it, I think
the most recent convert was Alpine.

I know it would be a bigger step than simply adopting OpenSSL 1.1, but I
also think it would be a better move, since we need to rebuild everything
anyway. There will be breakage in both cases, but I think there is more to
gain by switching to LibreSSL.

Cheers,
Giancarlo Razzolini



[arch-dev-public] OpenSSL 1.1.0

2017-01-29 Thread Pierre Schmitz

Hi,

I'd like to propose a migration to OpenSSL 1.1. The update comes with 
ABI and API changes. Every linked packages needs to be rebuild. There 
will likely be broken packages. Once the protobuf* rebuild has left the 
[staging] repo I would like to upload a first set of OpenSSL 1.1 
packages.


I have created a todo list of packages that either have a direct 
dependency on openssl or link to libssl.so.1.0.0 or libcrypto.so.1.0.0:

  https://www.archlinux.org/todo/openssl-110-rebuild/

Further reading:
* https://wiki.openssl.org/index.php/1.1_API_Changes
* https://wiki.debian.org/OpenSSL-1.1
* https://lists.debian.org/debian-devel-announce/2016/11/msg1.html
* http://pkgs.fedoraproject.org/cgit/rpms/

*) https://www.archlinux.org/todo/protobuf-320/

Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com