Removing OpenSSL 1.0

Done

Details

4 participants

Efraim Flashner
Leo Famulari
Ludovic Courtès
zimoun

Owner: unassigned

Submitted by: Leo Famulari

Severity: normal

Blocked by

Leo Famulari wrote on 17 Feb 2021 22:26

Recipients:(address . bug-guix@gnu.org)

Message-ID:YC2KDCevazOXaZxZ@jasmine.lan

OpenSSL 1.0 is no longer supported as free software. As research

continues, new bugs are discovered and there are no fixes available.

We should remove it soon. Since Qt 4 depends on it, we can remove them

at the same time [0].

Some packages will probably have to be removed, since they depend on

OpenSSL 1.0 and have not been updated to use more recent versions.

OpenSSL 1.0 is used in the Rust bootstrap, unfortunately, so we will

have to preserve some package of it, but it will be hidden.

Any thoughts?

[0] https://bugs.gnu.org/45704

Ludovic Courtès wrote on 22 Feb 2021 10:15

control message for bug #46602

Recipients:(address . control@debbugs.gnu.org)

Message-ID:87eeh8ea59.fsf@gnu.org

tags 46602 + security

quit

zimoun wrote on 25 Feb 2021 20:01

Re: bug#46602: Removing OpenSSL 1.0

Recipients:(name . Leo Famulari)(address . leo@famulari.name)(address . 46602@debbugs.gnu.org)

Message-ID:CAJ3okZ0ZcrcXtB0BbcfDh1PxG2k9K455Nd4w=3tPSn-KzcAW6g@mail.gmail.com

Hi Leo,

On Wed, 17 Feb 2021 at 22:43, Leo Famulari <leo@famulari.name> wrote:

Toggle quote (13 lines)>
> OpenSSL 1.0 is no longer supported as free software. As research
> continues, new bugs are discovered and there are no fixes available.
>
> We should remove it soon. Since Qt 4 depends on it, we can remove them
> at the same time [0].
>
> Some packages will probably have to be removed, since they depend on
> OpenSSL 1.0 and have not been updated to use more recent versions.
>
> OpenSSL 1.0 is used in the Rust bootstrap, unfortunately, so we will
> have to preserve some package of it, but it will be hidden.

Well, it needs some care I guess.

$ guix refresh -l openssl@1.0

Building the following 1930 packages would ensure 2048 dependent

packages are rebuilt

On the other hand, grepping for "openssl-1.0" returns:

16 matches

12 files contained matches

1522 files searched

File: distributed.scm

File: networking.scm

File: databases.scm

File: rust.scm

File: web-browsers.scm

File: android.scm

File: web.scm

File: crypto.scm

File: messaging.scm

File: ntp.scm

File: crates-io.scm

File: qt.scm

Therefore, a good start seems to try to build all the 16 packages

depending on openssl@1.0 with openssl@1.1. And mark them with a

comment if they fail. But I guess that openssl@1.0 is a strong

requirement for these 16 packages.

For instance, the package psyclpc (gnu packages messaging) could be

removed since it does not build and use openssl@1.0.

Cheers,

simon

Leo Famulari wrote on 13 Jul 2021 18:54

Recipients:(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 46602@debbugs.gnu.org)

Message-ID:YO3FK55jKaZc3g75@jasmine.lan

Here are my notes on the users of the openssl-1.0 package:

Toggle quote (2 lines)

> File: networking.scm

pidentd:

Does not build with current OpenSSL, no newer releases or development

No dependents

vde2:

Does not build with current OpenSSL.

Dependency changed to WolfSSL (unpackaged):

https://github.com/virtualsquare/vde-2/issues/2

Depended on by QEMU but not qemu-minimal (optional):

Toggle quote (2 lines)

> File: web.scm

cadaver:

Does not build with current OpenSSL

Last release in 2009

No dependents

Toggle quote (2 lines)

> File: web-browsers.scm

dillo:

Does not build with current OpenSSL

Status? https://www.dillo.org/Plans.html

No dependents

Toggle quote (2 lines)

> File: android.scm

adb:

Does not build with current OpenSSL

Surely there is a new version of adb that supports the current OpenSSL.

Depended on by fastboot

Toggle quote (2 lines)

> File: crypto.scm

eschalot:

Does not build with current OpenSSL, no newer releases or development

No dependents

Toggle quote (2 lines)

> File: messaging.scm

psyclpc:

Does not build with current OpenSSL

No dependents

Toggle quote (2 lines)

> File: ntp.scm

tlsdate:
Does not build with current OpenSSL. Forked by ChromiumOS as the project
is abandoned:
https://github.com/ioerror/tlsdate/issues/199
No dependents

Toggle quote (3 lines)

> File: rust.scm

> File: crates-io.scm

For the Rust bootstrap, we can keep openssl-1.0 as a hidden-package.

Help wanted dealing with the crates that depend on openssl-1.0.

Leo Famulari wrote on 14 Jul 2021 01:01

(no subject)

Recipients:(address . control@debbugs.gnu.org)

Message-ID:YO4bTGp4MyCGHChs@jasmine.lan

block 46602 with 49556

Leo Famulari wrote on 14 Jul 2021 01:03

Re: bug#46602: Removing OpenSSL 1.0

Recipients:(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 46602@debbugs.gnu.org)

Message-ID:YO4b2iBI9tdpiagH@jasmine.lan

On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:

Toggle quote (6 lines)

> vde2:

> Does not build with current OpenSSL.

> Dependency changed to WolfSSL (unpackaged):

> https://github.com/virtualsquare/vde-2/issues/2

> Depended on by QEMU but not qemu-minimal (optional):

This is addressed by https://bugs.gnu.org/49556.

Efraim Flashner wrote on 20 Jul 2021 20:55

Recipients:(name . Leo Famulari)(address . leo@famulari.name)

Message-ID:YPccMSqkLO0N4exj@3900XT

On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:

Toggle quote (9 lines)

> Here are my notes on the users of the openssl-1.0 package:

> > File: web-browsers.scm

> dillo:

> Does not build with current OpenSSL

> Status? https://www.dillo.org/Plans.html

> No dependents

This one confuses me. I was able to build dillo with both openssl and

openssl-1.0, but I was unable to open that page with either version.

Toggle quote (7 lines)

> > File: rust.scm

> > File: crates-io.scm

> For the Rust bootstrap, we can keep openssl-1.0 as a hidden-package.

> Help wanted dealing with the crates that depend on openssl-1.0.

I can poke those I guess, see what we can drop openssl-1.0 as an input
for and see if anything breaks.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted

Efraim Flashner wrote on 20 Jul 2021 21:06

Recipients:

Message-ID:YPce0xv62sK4K7Dk@3900XT

On Tue, Jul 20, 2021 at 09:55:45PM +0300, Efraim Flashner wrote:

Toggle quote (13 lines)> On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:
> > Here are my notes on the users of the openssl-1.0 package:
> 
> > > File: rust.scm
> > > File: crates-io.scm
> > 
> > For the Rust bootstrap, we can keep openssl-1.0 as a hidden-package.
> > Help wanted dealing with the crates that depend on openssl-1.0.
> > 
> 
> I can poke those I guess, see what we can drop openssl-1.0 as an input
> for and see if anything breaks.

They were only needed for the rust-sha1@0.2 test suite, so easy to

remove and nothing broke.

Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר

GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351

Confidentiality cannot be guaranteed on emails sent or received unencrypted

Leo Famulari wrote on 4 Aug 2021 03:04

Recipients:

Message-ID:YQnnmmfzB1B3P55a@jasmine.lan

On Tue, Jul 20, 2021 at 09:55:45PM +0300, Efraim Flashner wrote:

Toggle quote (9 lines)

> On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:

> > dillo:

> > Does not build with current OpenSSL

> > Status? https://www.dillo.org/Plans.html

> > No dependents

> This one confuses me. I was able to build dillo with both openssl and

> openssl-1.0, but I was unable to open that page with either version.

I built Dillo with OpenSSL 1.1 and saw this in the output of the
'configure' phase:

------
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... no
configure: WARNING: *** No libssl found. Disabling ssl support.***
------

So, it builds but lacks TLS / HTTPS support.

I think we should either remove OpenSSL as a dependency of Dillo, or
remove Dillo altogether. It's a simple package definition and Dillo
users can use it in a private channel, or maybe it could be added to
guix-past.

Leo Famulari wrote on 4 Aug 2021 03:10

Recipients:

Message-ID:YQno9NgQfUfFEqhT@jasmine.lan

On Tue, Aug 03, 2021 at 09:04:26PM -0400, Leo Famulari wrote:

Toggle quote (5 lines)

> I think we should either remove OpenSSL as a dependency of Dillo, or

> remove Dillo altogether. It's a simple package definition and Dillo

> users can use it in a private channel, or maybe it could be added to

> guix-past.

I sent a patch to remove Dillo:

https://bugs.gnu.org/49859

Leo Famulari wrote on 4 Aug 2021 03:27

Recipients:

Message-ID:YQntDxNVnQ/kSjxQ@jasmine.lan

On Tue, Aug 03, 2021 at 09:10:12PM -0400, Leo Famulari wrote:

Toggle quote (4 lines)

> I sent a patch to remove Dillo:

> <https://bugs.gnu.org/49859>

Actually, I went ahead and sent some followup patches to remove

everything else, too. Except for VDE-2, which there is a patch for.

Leo Famulari wrote on 11 Aug 2021 19:58

(no subject)

Recipients:(address . control@debbugs.gnu.org)

Message-ID:YRQPz0Hj/SRPoJ/F@jasmine.lan

block 46602 with 49859

Leo Famulari wrote on 15 Aug 2021 19:43

Recipients:(address . control@debbugs.gnu.org)

Message-ID:4f66aed1-def0-4f4f-9544-59c0221484d6@www.fastmail.com

block 46602 with 50029

Leo Famulari wrote on 16 Aug 2021 00:12

Recipients:

Message-ID:YRmRP3NlC2jULask@jasmine.lan

With commit 12099eac1b161d364be923451d27d7d739d0f14d, nothing is using

openssl-1.0 except for the Rust bootstrap.

If I understand correctly, the plan is to "upgrade" that bootstrap path,

and eventually we won't need a package of openssl-1.0 at all.

I'm marking this bug as done.

Closed

zimoun wrote on 31 Aug 2021 11:27

Recipients:

Message-ID:865yvmotf2.fsf@gmail.com

Hi Leo,

On Sun, 15 Aug 2021 at 18:12, Leo Famulari <leo@famulari.name> wrote:

Toggle quote (8 lines)

> With commit 12099eac1b161d364be923451d27d7d739d0f14d, nothing is using

> openssl-1.0 except for the Rust bootstrap.

> If I understand correctly, the plan is to "upgrade" that bootstrap path,

> and eventually we won't need a package of openssl-1.0 at all.

> I'm marking this bug as done.

Cool! Thanks for the work.

On a side sad note, I point that 168 packages not named ’rust’ depends

somehow on ’rust’.

$ guix refresh -l -e '(@@ (gnu packages tls) openssl-1.0)' \

| sed 's/ /\n/g' | grep '@' \

| grep -v rust | wc -l

168

And I am surprised that ’mplayer’ or ’guile-gnunet’ appears there.

Well, I am also surprised that “guix graph” does not report it.

Toggle snippet (4 lines)

$ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)'

guix graph: erreur : pas de chemin de « guile-gnunet@0.0-1.d12167a » à « openssl@1.0.2u »

Maybe I miss something somewhere.

Cheers,

simon

Closed

Efraim Flashner wrote on 31 Aug 2021 11:57

Recipients:(name . zimoun)(address . zimon.toutoune@gmail.com)

Message-ID:YS39EY9wT8Zg9lRH@3900XT

On Tue, Aug 31, 2021 at 11:27:45AM +0200, zimoun wrote:

Toggle quote (32 lines)> Hi Leo,
> 
> On Sun, 15 Aug 2021 at 18:12, Leo Famulari <leo@famulari.name> wrote:
> > With commit 12099eac1b161d364be923451d27d7d739d0f14d, nothing is using
> > openssl-1.0 except for the Rust bootstrap.
> >
> > If I understand correctly, the plan is to "upgrade" that bootstrap path,
> > and eventually we won't need a package of openssl-1.0 at all.
> >
> > I'm marking this bug as done.
> 
> Cool!  Thanks for the work.
> 
> On a side sad note, I point that 168 packages not named ’rust’ depends
> somehow on ’rust’.
> 
>         $ guix refresh -l -e '(@@ (gnu packages tls) openssl-1.0)' \
>                | sed 's/ /\n/g' | grep '@' \
>                | grep -v rust | wc -l
>         168
> 
> And I am surprised that ’mplayer’ or ’guile-gnunet’ appears there.
> Well, I am also surprised that “guix graph” does not report it.
> 
> --8<---------------cut here---------------start------------->8---
> $ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)'
> guix graph: erreur : pas de chemin de « guile-gnunet@0.0-1.d12167a » à « openssl@1.0.2u »
> --8<---------------cut here---------------end--------------->8---
> 
> Maybe I miss something somewhere.
> 

`git grep \,openssl-1.0' only shows one entry.

The others probably come through ffmpeg (through rav1e) or rust-cbindgen

or otherwise actually depend on some other compiled rust library. Not

sure where gnunet comes from though.

Efraim Flashner <efraim@flashner.co.il> רנשלפ םירפא

GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351

Confidentiality cannot be guaranteed on emails sent or received unencrypted

Closed

zimoun wrote on 31 Aug 2021 12:31

Recipients:(name . Efraim Flashner)(address . efraim@flashner.co.il)

Message-ID:86y28hoqh6.fsf@gmail.com

Hi,

On Tue, 31 Aug 2021 at 12:57, Efraim Flashner <efraim@flashner.co.il> wrote:

Toggle quote (16 lines)> On Tue, Aug 31, 2021 at 11:27:45AM +0200, zimoun wrote:

>> --8<---------------cut here---------------start------------->8---
>> $ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)'
>> guix graph: erreur : pas de chemin de « guile-gnunet@0.0-1.d12167a » à « openssl@1.0.2u »
>> --8<---------------cut here---------------end--------------->8---
>> 
>> Maybe I miss something somewhere.
>> 
>
> `git grep \,openssl-1.0' only shows one entry.
>
> The others probably come through ffmpeg (through rav1e) or rust-cbindgen
> or otherwise actually depend on some other compiled rust library. Not
> sure where gnunet comes from though.

Yeah, what I missed was the type for “guix graph”. :-)

Toggle snippet (31 lines)$ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)' -t bag-emerged
guile-gnunet@0.0-1.d12167a
gnunet@0.13.1
libextractor@1.11
ffmpeg@4.4
rav1e@0.4.1
rust@1.45.2
rust@1.44.1
rust@1.43.0
rust@1.42.0
rust@1.41.1
rust@1.40.0
rust@1.39.0
rust@1.38.0
rust@1.37.0
rust@1.36.0
rust@1.35.0
rust@1.34.1
rust@1.33.0
rust@1.32.0
rust@1.31.1
rust@1.30.1
rust@1.29.2
rust@1.28.0
rust@1.27.2
rust@1.26.2
rust@1.25.0
openssl@1.0.2u

Cheers,

simon

Closed

Your comment

This issue is archived.

To comment on this conversation send an email to 46602@debbugs.gnu.org

is:open	open issues
is:done	closed issues
submitter:<who>	search issue submitter
author:<who>	search by message author
date:yesterday..now	search by issue date
mdate:3m..2d	search by message date