Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-30 Thread David Woodhouse
On Thu, 2016-09-29 at 17:02 +, Ralf Senderek wrote: > > > What we should strive for is to limit the use of crypto to one of these  > > three libraries and avoid any additional ones with exception of  > > libgcrypt for gnupg2. > > This assumption ignores the fact that Cryptlib has joined

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-30 Thread David Woodhouse
On Wed, 2016-09-28 at 11:43 -0400, Matthew Miller wrote: > >   The libraries that should be preferred instead of arbitrary other >   crypto stacks are (in the order of the preference): > >   1. NSS >   2. GNUTLS (with nettle as crypto backend, but nettle never used >    directly by

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-29 Thread Ralf Senderek
Tomas Mraz wrote: > My personal recommendation would be to follow the application's upstream > recommendation. This is of course the best approach, as the upstream project will have good reasons to use a particular crypto foundation for the project. > What we should strive for is to limit the

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-29 Thread Graham Leggett
On 29 Sep 2016, at 08:51, Nikos Mavrogiannopoulos wrote: > I'd like to underline the part _preferably the version recommended by > upstream_ of Packaging:CryptoPolicies. I believe it is best for us to > use the code that upstream primarily considers best for the > application.

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-29 Thread Nikos Mavrogiannopoulos
On Wed, 2016-09-28 at 11:43 -0400, Matthew Miller wrote: > On Wed, Sep 28, 2016 at 03:13:34PM +0100, Tomasz Kłoczko wrote: > > > > Is it any official Fedora policy/call to move away from openssl? > > As far as I know, no. There was this attempt: >

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-29 Thread Tomas Mraz
On 28.9.2016 16:13, Tomasz Kłoczko wrote: BTW openssl changes. Is it any official Fedora policy/call to move away from openssl? I'm asking because I've noticed that some packages seem to have been switched from openssl to gnutls. Examples of those packages is wget: * Tue Jul 26 2016 Tomas Hozza

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-28 Thread Tomasz Kłoczko
> 1. NSS > 2. GNUTLS (with nettle as crypto backend, but nettle never used > directly by applications) > 3. OpenSSL > 4. libgcrypt > > and it might be reasonable to keep this as a "if possible, please prefer" policy rather than a mandate. Seems preferring gnutls over openssl is

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-28 Thread Matthew Miller
On Wed, Sep 28, 2016 at 03:13:34PM +0100, Tomasz Kłoczko wrote: > Is it any official Fedora policy/call to move away from openssl? As far as I know, no. There was this attempt: https://fedoraproject.org/wiki/FedoraCryptoConsolidation but as the top of the page notes, the effort has been

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-28 Thread Graham Leggett
On 28 Sep 2016, at 4:13 PM, Tomasz Kłoczko wrote: > BTW openssl changes. > It would be good to form kind of official guideline about using those > alternative libraries and start pushing to use only one. This is not always possible. I spent a long time debugging

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-28 Thread Emmanuel Seyman
* Tomasz Kłoczko [28/09/2016 15:13] : > > Is it any official Fedora policy/call to move away from openssl? We had plans to that effect a while back : http://fedoraproject.org/wiki/FedoraCryptoConsolidation Emmanuel

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-28 Thread Tomasz Kłoczko
BTW openssl changes. Is it any official Fedora policy/call to move away from openssl? I'm asking because I've noticed that some packages seem to have been switched from openssl to gnutls. Examples of those packages is wget: * Tue Jul 26 2016 Tomas Hozza - 1.18-2 - Switched

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-27 Thread Tomas Mraz
On Út, 2016-09-27 at 03:36 +1000, Timothy Ward wrote: > Hello > > Has there been any testing with libmobiledevice library and > especially > the gvfs-afc backend to this be able to connect to an idevice using > nautilus etc. The testing needs to be done on both new IOS 10.0.1 > and an older

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-26 Thread Timothy Ward
Hello Has there been any testing with libmobiledevice library and especially the gvfs-afc backend to this be able to connect to an idevice using nautilus etc. The testing needs to be done on both new IOS 10.0.1 and an older version say 6.3.5 on an older idevice iphone 4. to ensure compatibility

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-26 Thread David Woodhouse
On Mon, 2016-09-26 at 12:29 +0200, Tomas Mraz wrote: > My current plan is to just switch and rebuild fixing the FTBFS during > that. I want to persuade some of my colleagues to help me with that > (and of course community help is also welcome). > > Also we will be sharing the work with other

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-26 Thread Tomas Mraz
On Po, 2016-09-26 at 09:35 +0100, David Woodhouse wrote: > On Mon, 2016-09-26 at 10:09 +0200, Tomas Mraz wrote: > > > > My current plan is to not ship such engine-pkcs11 package. We > > should > > try to move everything to OpenSSL 1.1 and ship the 1.0.2 only as a > > compat package for third

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-26 Thread David Woodhouse
On Mon, 2016-09-26 at 10:09 +0200, Tomas Mraz wrote: > My current plan is to not ship such engine-pkcs11 package. We should > try to move everything to OpenSSL 1.1 and ship the 1.0.2 only as a > compat package for third party binaries without -devel and any extra > bells and whistles. It would be

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-26 Thread Tomas Mraz
On So, 2016-09-24 at 00:52 +0100, David Woodhouse wrote: > On Tue, 2016-09-20 at 11:37 +0200, Tomas Mraz wrote: > > > > Well... we certainly need to port it sooner or later although I > > understand that effort will be quite non-trivial. > You mean port libp11? That's already working against

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-23 Thread David Woodhouse
On Tue, 2016-09-20 at 11:37 +0200, Tomas Mraz wrote: > Well... we certainly need to port it sooner or later although I > understand that effort will be quite non-trivial. You mean port libp11? That's already working against OpenSSL 1.1, isn't it? We just need to ensure we can ship a version of

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-20 Thread Tomas Mraz
On Pá, 2016-09-16 at 15:06 +0100, David Woodhouse wrote: > On Fri, 2016-09-16 at 15:39 +0200, Jan Kurik wrote: > > > > We will also > > add compat openssl102 package so the applications and other > > dependencies which are not ported yet to the new API continue to > > work. > What plan do you

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-16 Thread David Woodhouse
On Fri, 2016-09-16 at 16:39 +0200, Nikos Mavrogiannopoulos wrote: > On Fri, 2016-09-16 at 16:13 +0200, Dan Horák wrote: > > > > On Fri, 16 Sep 2016 15:06:13 +0100 > > David Woodhouse wrote: > > > > > > > > > > > On Fri, 2016-09-16 at 15:39 +0200, Jan Kurik wrote: > > > >

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-16 Thread Nikos Mavrogiannopoulos
On Fri, 2016-09-16 at 16:13 +0200, Dan Horák wrote: > On Fri, 16 Sep 2016 15:06:13 +0100 > David Woodhouse wrote: > > > > > On Fri, 2016-09-16 at 15:39 +0200, Jan Kurik wrote: > > > > > > We will also > > > add compat openssl102 package so the applications and other > > >

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-16 Thread Dan Horák
On Fri, 16 Sep 2016 15:06:13 +0100 David Woodhouse wrote: > On Fri, 2016-09-16 at 15:39 +0200, Jan Kurik wrote: > > We will also > > add compat openssl102 package so the applications and other > > dependencies which are not ported yet to the new API continue to > > work. >

Re: F26 System Wide Change: OpenSSL 1.1.0

2016-09-16 Thread David Woodhouse
On Fri, 2016-09-16 at 15:39 +0200, Jan Kurik wrote: > We will also > add compat openssl102 package so the applications and other > dependencies which are not ported yet to the new API continue to work. What plan do you have for libp11 and engine_pkcs11? Packaging guidelines state that packages

F26 System Wide Change: OpenSSL 1.1.0

2016-09-16 Thread Jan Kurik
= Proposed System Wide Change: OpenSSL 1.1.0 = https://fedoraproject.org/wiki/Changes/OpenSSL110 Change owner(s): * Tomas Mraz Rebase of OpenSSL package to 1.1.0 version == Detailed Description == Update the OpenSSL library to the 1.1.0 branch in Fedora to bring multiple big improvements, new
