Removing OpenSSL 1.0

Open
Submitted by Leo Famulari.
Details
3 participants
  • Leo Famulari
  • Ludovic Courtès
  • zimoun
Owner
unassigned
Severity
normal
Leo Famulari wrote on 17 Feb 22:26 +0100
(address . bug-guix@gnu.org)
YC2KDCevazOXaZxZ@jasmine.lan
OpenSSL 1.0 is no longer supported as free software. As research continues, new bugs are discovered and there are no fixes available.
We should remove it soon. Since Qt 4 depends on it, we can remove them at the same time [0].
Some packages will probably have to be removed, since they depend on OpenSSL 1.0 and have not been updated to use more recent versions.
OpenSSL 1.0 is used in the Rust bootstrap, unfortunately, so we will have to preserve some package of it, but it will be hidden.
Any thoughts?
[0] https://bugs.gnu.org/45704
Ludovic Courtès wrote on 22 Feb 10:15 +0100
control message for bug #46602
(address . control@debbugs.gnu.org)
87eeh8ea59.fsf@gnu.org
tags 46602 + security
quit
zimoun wrote on 25 Feb 20:01 +0100
Re: bug#46602: Removing OpenSSL 1.0
(name . Leo Famulari)(address . leo@famulari.name)(address . 46602@debbugs.gnu.org)
CAJ3okZ0ZcrcXtB0BbcfDh1PxG2k9K455Nd4w=3tPSn-KzcAW6g@mail.gmail.com
Hi Leo,
On Wed, 17 Feb 2021 at 22:43, Leo Famulari <leo@famulari.name> wrote:
> OpenSSL 1.0 is no longer supported as free software. As research
> continues, new bugs are discovered and there are no fixes available.
>
> We should remove it soon. Since Qt 4 depends on it, we can remove them
> at the same time [0].
>
> Some packages will probably have to be removed, since they depend on
> OpenSSL 1.0 and have not been updated to use more recent versions.
>
> OpenSSL 1.0 is used in the Rust bootstrap, unfortunately, so we will
> have to preserve some package of it, but it will be hidden.
Well, it needs some care I guess.
$ guix refresh -l openssl@1.0
Building the following 1930 packages would ensure 2048 dependent
packages are rebuilt
On the other hand, grepping for "openssl-1.0" returns:
16 matches
12 files contained matches
1522 files searched

File: distributed.scm
File: networking.scm
File: databases.scm
File: rust.scm
File: web-browsers.scm
File: android.scm
File: web.scm
File: crypto.scm
File: messaging.scm
File: ntp.scm
File: crates-io.scm
File: qt.scm
Therefore, a good start seems to try to build all the 16 packages depending on openssl@1.0 with openssl@1.1. And mark them with a comment if they fail. But I guess that openssl@1.0 is a strong requirement for these 16 packages.
For instance, the package psyclpc (gnu packages messaging) could be removed since it does not build and use openssl@1.0.
Cheers,
simon
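
The per-file grep described in the message above, resolved to the package definition that references the variable, as an added example that is not part of the thread or of Guix. It assumes each package starts with `(define-public NAME` in column 0 and that the variable is spelled `openssl-1.0`; the helper names and all sample file contents are constructed for illustration.

```shell
#!/bin/sh
# openssl10_users DIR: print "file<TAB>package" for each top-level
# (define-public NAME ...) form in DIR/*.scm that references the
# openssl-1.0 variable. Assumes definitions start in column 0.
openssl10_users() {
    for f in "$1"/*.scm; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            /^[ \t]*;/ { next }                # ignore comment-only lines
            /^\(define-public / { pkg = $2 }   # remember enclosing definition
            # whole-symbol match: not rust-openssl-1.0, not openssl-1.0.2
            /(^|[^A-Za-z0-9-])openssl-1\.0([^A-Za-z0-9.-]|$)/ &&
                pkg != "" && pkg != "openssl-1.0" && !(pkg in seen) {
                seen[pkg] = 1
                print file "\t" pkg
            }
        ' "$f"
    done
}

# Constructed sample package files (not real Guix definitions).
write_sample() {
    cat > "$1/messaging.scm" <<'EOF'
(define-public psyclpc
  (package
    (name "psyclpc")
    (inputs
     `(("openssl" ,openssl-1.0)))))
(define-public example-chat
  (package
    (name "example-chat")
    ;; TODO: used to need openssl-1.0
    (inputs
     `(("openssl" ,openssl)))))
EOF
    cat > "$1/web.scm" <<'EOF'
(define-public example-httpd
  (package
    (name "example-httpd")
    (inputs (list rust-openssl-1.0 openssl-1.0))))
EOF
}

d=$(mktemp -d) && write_sample "$d" && openssl10_users "$d"
rm -rf "$d"
```

Pointing `openssl10_users` at a checkout's package directory gives the list of definitions to rebuild against the newer OpenSSL, one per line, rather than a per-file match count.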