On Tue, Sep 10, 2024 at 12:26:02PM +0200, Neal Gompa wrote: > On Tue, Sep 10, 2024 at 12:20 PM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote: > > > > On Tue, Sep 10, 2024 at 12:14:58PM +0200, Neal Gompa wrote: > > > On Fri, Sep 1, 2023 at 6:11 AM Neal Gompa <ngompa13@xxxxxxxxx> wrote: > > > > > > > > I'm bumping this thread again to ask if we can make everyone's lives > > > > easier by dropping all the hobbling we do today to OpenSSL, nettle, > > > > etc.. We *definitely* don't need it now at this point, so it's just > > > > needless work that creates a lot of second-order pain for people (such > > > > as library bindings for other programming languages). > > > > > > The annual bump on this thread to once again ask if we can make > > > progress on this issue. It's a pain and I really don't think we have > > > any reason to keep doing it anymore. > > > > It appears the maintainers of openssl & nettle have *already* removed > > hobbling from Fedora > > > > In netle dist-git: > > > > commit 478b2083882071d9102297b4f0c022f65d567b1e > > Author: Daiki Ueno <dueno@xxxxxxxxxx> > > Date: Thu Aug 22 14:25:26 2024 +0900 > > > > Switch from hobbling to patching to disable algorithms > > > > Previously, certain algorithms, such as smaller ECC curves, were > > "hobbled" using the hobble-nettle script. It is now allowed to include > > the algorithm implementation in the source package, though we still > > want to disable them at build time. > > > > This patch switches to using a patch-based approach to disable > > them. That way, the packaging process is simplified as well as the > > integrity of upstream release can be checked using %gpgverify. > > > > Signed-off-by: Daiki Ueno <dueno@xxxxxxxxxx> > > > > > > And in openssl dist-git: > > > > commit 477bb5e652b21c76dccaf690d2327af8f86bd16f > > Author: Sahana Prasad <sahana@xxxxxxxxxx> > > Date: Tue Mar 14 17:07:58 2023 +0100 > > > > - Upload new upstream sources without manually hobbling them. > > - Remove the hobbling script as it is redundant. It is now allowed to ship > > the sources of patented EC curves, however it is still made unavailable to use > > by compiling with the 'no-ec2m' Configure option. The additional forbidden > > curves such as P-160, P-192, wap-tls curves are manually removed by updating > > 0011-Remove-EC-curves.patch. > > - Apply the changes to ec_curve.c and ectest.c as a new patch > > 0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them. > > - Modify 0011-Remove-EC-curves.patch to allow Brainpool curves. > > - Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M. > > ┊ Resolves: rhbz#2130618, rhbz#2141672 > > > > Signed-off-by: Sahana Prasad <sahana@xxxxxxxxxx> > > Right, but that's still hobbling by other means. I'm asking for us to > consider not doing even *that* anymore. Ah ok, so you want Fedora to build & ship all algorithms that are implemented by upstream, with no downstream filtering. ie no hobbling source tarballs, no applying source patches, no disabling via configure time build args ? With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- _______________________________________________ legal mailing list -- legal@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to legal-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/legal@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
