[Fedora-legal-list] Re: Request to stop hobbling crypto libraries


 



On Fri, Sep 1, 2023 at 6:11 AM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Thu, Sep 29, 2022 at 3:45 PM Fabio Valentini <decathorpe@xxxxxxxxx> wrote:
> >
> > On Thu, Sep 29, 2022 at 9:31 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
> > >
> > > On Thu, Sep 29, 2022 at 7:57 PM Jilayne Lovejoy <jlovejoy@xxxxxxxxxx> wrote:
> > > >
> > > > Hi Neal,
> > > >
> > > > Thanks for raising this here. I saw some of the thread on devel, but when threads get long, it's sometimes hard to know what the specific ask is.
> > > >
> > > > To that end, could you provide a bit of a description as to what is currently being done in terms of "hobbling" OpenSSL? Just a high-level description would be helpful for context and a reminder as to the current state.
> > > >
> > >
> > > The hobble-openssl script was designed to prune from the OpenSSL
> > > source code a number of cryptographic algorithms that were patent
> > > encumbered. Over the years, the script has been pruned of things to
> > > purge as patents expired. However, the remaining things the script
> > > indicates it prunes today all expired during the pandemic. Currently,
> > > it prunes Elliptic Curve Cryptography (ECC, or otherwise called EC
> > > crypto) code. The script documentation indicates the patents related
> > > to it expired in 2020, so we should be able to drop it entirely.
> > >
> > > > Also, am I correct to assume that by "use pristine OpenSSL sources" - the desired outcome is to be able to package OpenSSL for Fedora straight from the upstream project without needing to remove something or otherwise modify the upstream source in order to package it for Fedora?
> > > >
> > >
> > > Yes.
> >
> > The same applies to nettle ... their "hobbling" script removes code
> > for some elliptic curves, some of which are actually already enabled
> > in OpenSSL. It would be great if nettle could use "un-hobbled"
> > sources, as well.
> >
> > For example, I need to manually patch the nettle bindings for Rust to
> > remove wrappers for these functions ... they're not used by Sequoia
> > OpenPGP, but it's still a lot of manual work for nothing.
> >
>
> I'm bumping this thread again to ask if we can make everyone's lives
> easier by dropping all the hobbling we do today to OpenSSL, nettle,
> etc. We *definitely* don't need it now at this point, so it's just
> needless work that creates a lot of second-order pain for people (such
> as library bindings for other programming languages).
>
>

The annual bump on this thread to once again ask if we can make
progress on this issue. It's a pain and I really don't think we have
any reason to keep doing it anymore.



-- 
真実はいつも一つ!/ Always, there's only one truth!



