[Fedora-legal-list] Re: Request to stop hobbling crypto libraries

On Tue, Sep 10, 2024, 12:39 PM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
On Tue, Sep 10, 2024 at 12:26:02PM +0200, Neal Gompa wrote:
> On Tue, Sep 10, 2024 at 12:20 PM Daniel P. Berrangé <berrange@xxxxxxxxxx> wrote:
> >
> > On Tue, Sep 10, 2024 at 12:14:58PM +0200, Neal Gompa wrote:
> > > On Fri, Sep 1, 2023 at 6:11 AM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
> > > >
> > > > I'm bumping this thread again to ask if we can make everyone's lives
> > > > easier by dropping all the hobbling we do today to OpenSSL, nettle,
> > > > etc. We *definitely* don't need it now at this point, so it's just
> > > > needless work that creates a lot of second-order pain for people (such
> > > > as library bindings for other programming languages).
> > >
> > > The annual bump on this thread to once again ask if we can make
> > > progress on this issue. It's a pain and I really don't think we have
> > > any reason to keep doing it anymore.
> >
> > It appears the maintainers of openssl & nettle have *already* removed
> > hobbling from Fedora
> >
> > In nettle dist-git:
> >
> >   commit 478b2083882071d9102297b4f0c022f65d567b1e
> >   Author: Daiki Ueno <dueno@xxxxxxxxxx>
> >   Date:   Thu Aug 22 14:25:26 2024 +0900
> >
> >     Switch from hobbling to patching to disable algorithms
> >
> >     Previously, certain algorithms, such as smaller ECC curves, were
> >     "hobbled" using the hobble-nettle script. It is now allowed to include
> >     the algorithm implementation in the source package, though we still
> >     want to disable them at build time.
> >
> >     This patch switches to using a patch-based approach to disable
> >     them. That way, the packaging process is simplified as well as the
> >     integrity of upstream release can be checked using %gpgverify.
> >
> >     Signed-off-by: Daiki Ueno <dueno@xxxxxxxxxx>
> >
> >
> > And in openssl dist-git:
> >
> >   commit 477bb5e652b21c76dccaf690d2327af8f86bd16f
> >   Author: Sahana Prasad <sahana@xxxxxxxxxx>
> >   Date:   Tue Mar 14 17:07:58 2023 +0100
> >
> >       - Upload new upstream sources without manually hobbling them.
> >       - Remove the hobbling script as it is redundant. It is now allowed to ship
> >         the sources of patented EC curves, however it is still made unavailable to use
> >         by compiling with the 'no-ec2m' Configure option. The additional forbidden
> >         curves such as P-160, P-192, wap-tls curves are manually removed by updating
> >         0011-Remove-EC-curves.patch.
> >       - Apply the changes to ec_curve.c and ectest.c as a new patch
> >         0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
> >       - Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
> >       - Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
> >       Resolves: rhbz#2130618, rhbz#2141672
> >
> >     Signed-off-by: Sahana Prasad <sahana@xxxxxxxxxx>
>
> Right, but that's still hobbling by other means. I'm asking for us to
> consider not doing even *that* anymore.

Ah ok, so you want Fedora to build & ship all algorithms that are
implemented by upstream, with no downstream filtering, i.e. no hobbling
source tarballs, no applying source patches, no disabling via configure
time build args?


Yes, because all of it massively complicates stuff that builds on them, particularly binding modules to connect them to other language ecosystems.
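A defender-side check that follows from the quoted commit messages, added here as an example and not part of the thread: it parses `openssl ecparam -list_curves` output and groups curves the way the Fedora openssl patches treat them (binary-field curves dropped by `no-ec2m`, the P-160/P-192 class and WTLS curves removed by patch, Brainpool kept). The 224-bit threshold, the group names and the sample output are my assumptions and constructed data, not values from the package.

```python
import re
import subprocess

# One "name : description over a N bit prime|binary field" line of
# `openssl ecparam -list_curves`; lines in any other shape are skipped.
CURVE_LINE = re.compile(
    r"^\s*(?P<name>\S+)\s*:\s*.*?over a (?P<bits>\d+) bit (?P<field>prime|binary) field"
)

# Constructed sample in the same shape as real output; not captured from any build.
SAMPLE_OUTPUT = """\
  secp160k1 : SECG curve over a 160 bit prime field
  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field
  secp256k1 : SECG curve over a 256 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field
  sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field
  wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field
  wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field
  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field
"""


def classify_curves(list_output, min_prime_bits=224):
    """Group curve names by the downstream rule that would remove them.

    "binary" is what `no-ec2m` disables, "wtls" and "small_prime" are what
    0011-Remove-EC-curves.patch drops (assumed threshold: below 224 bits),
    and "kept" is everything else, Brainpool included.
    """
    groups = {"binary": [], "wtls": [], "small_prime": [], "kept": []}
    for line in list_output.splitlines():
        m = CURVE_LINE.match(line)
        if not m:
            continue  # continuation lines and notes carry no curve name
        name, bits, field = m["name"], int(m["bits"]), m["field"]
        if field == "binary":
            groups["binary"].append(name)
        elif name.startswith("wap-wsg-"):
            groups["wtls"].append(name)
        elif bits < min_prime_bits:
            groups["small_prime"].append(name)
        else:
            groups["kept"].append(name)
    return groups


def audit_local_openssl():
    """Run the check against the openssl binary on this host."""
    out = subprocess.run(["openssl", "ecparam", "-list_curves"],
                         capture_output=True, text=True, check=True).stdout
    return classify_curves(out)


if __name__ == "__main__":
    for group, names in classify_curves(SAMPLE_OUTPUT).items():
        print(f"{group}: {', '.join(names) or '-'}")
```

Any name in the first three groups on a real host means that build ships a curve the Fedora patches would have removed.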