Removing OpenSSL 1.0

Done
Submitted by Leo Famulari.
Details
4 participants
  • Efraim Flashner
  • Leo Famulari
  • Ludovic Courtès
  • zimoun
Owner: unassigned
Severity: normal
Leo Famulari wrote on 17 Feb 22:26 +0100
(address . bug-guix@gnu.org)
YC2KDCevazOXaZxZ@jasmine.lan
OpenSSL 1.0 is no longer supported as free software. As research continues, new bugs are discovered and there are no fixes available.
We should remove it soon. Since Qt 4 depends on it, we can remove them at the same time [0].
Some packages will probably have to be removed, since they depend on OpenSSL 1.0 and have not been updated to use more recent versions.
OpenSSL 1.0 is used in the Rust bootstrap, unfortunately, so we will have to preserve some package of it, but it will be hidden.
Any thoughts?
[0] https://bugs.gnu.org/45704
Ludovic Courtès wrote on 22 Feb 10:15 +0100
control message for bug #46602
(address . control@debbugs.gnu.org)
87eeh8ea59.fsf@gnu.org
tags 46602 + security
quit
zimoun wrote on 25 Feb 20:01 +0100
Re: bug#46602: Removing OpenSSL 1.0
(name . Leo Famulari)(address . leo@famulari.name)(address . 46602@debbugs.gnu.org)
CAJ3okZ0ZcrcXtB0BbcfDh1PxG2k9K455Nd4w=3tPSn-KzcAW6g@mail.gmail.com
Hi Leo,
On Wed, 17 Feb 2021 at 22:43, Leo Famulari <leo@famulari.name> wrote:
> OpenSSL 1.0 is no longer supported as free software. As research
> continues, new bugs are discovered and there are no fixes available.
>
> We should remove it soon. Since Qt 4 depends on it, we can remove them
> at the same time [0].
>
> Some packages will probably have to be removed, since they depend on
> OpenSSL 1.0 and have not been updated to use more recent versions.
>
> OpenSSL 1.0 is used in the Rust bootstrap, unfortunately, so we will
> have to preserve some package of it, but it will be hidden.
Well, it needs some care I guess.
$ guix refresh -l openssl@1.0
Building the following 1930 packages would ensure 2048 dependent packages are rebuilt
On the other hand, grepping for "openssl-1.0" returns:
16 matches
12 files contained matches
1522 files searched
File: distributed.scm
File: networking.scm
File: databases.scm
File: rust.scm
File: web-browsers.scm
File: android.scm
File: web.scm
File: crypto.scm
File: messaging.scm
File: ntp.scm
File: crates-io.scm
File: qt.scm
Therefore, a good start seems to try to build all the 16 packages depending on openssl@1.0 with openssl@1.1. And mark them with a comment if they fail. But I guess that openssl@1.0 is a strong requirement for these 16 packages.
For instance, the package psyclpc (gnu packages messaging) could be removed since it does not build and use openssl@1.0.
Cheers,
simon
Leo Famulari wrote on 13 Jul 18:54 +0200
(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 46602@debbugs.gnu.org)
YO3FK55jKaZc3g75@jasmine.lan
Here are my notes on the users of the openssl-1.0 package:
> File: networking.scm
pidentd:
Does not build with current OpenSSL, no newer releases or development
No dependents
vde2:
Does not build with current OpenSSL.
Dependency changed to WolfSSL (unpackaged):
https://github.com/virtualsquare/vde-2/issues/2
Depended on by QEMU but not qemu-minimal (optional):
> File: web.scm
cadaver:
Does not build with current OpenSSL
Last release in 2009
No dependents
> File: web-browsers.scm
dillo:
Does not build with current OpenSSL
Status? https://www.dillo.org/Plans.html
No dependents
> File: android.scm
adb:
Does not build with current OpenSSL
Surely there is a new version of adb that supports the current OpenSSL.
Depended on by fastboot
> File: crypto.scm
eschalot:
Does not build with current OpenSSL, no newer releases or development
No dependents
> File: messaging.scm
psyclpc:
Does not build with current OpenSSL
No dependents
> File: ntp.scm
tlsdate:
Does not build with current OpenSSL. Forked by ChromiumOS as the project is abandoned:
https://github.com/ioerror/tlsdate/issues/199
No dependents
> File: rust.scm
> File: crates-io.scm
For the Rust bootstrap, we can keep openssl-1.0 as a hidden-package.
Help wanted dealing with the crates that depend on openssl-1.0.
Leo Famulari wrote on 14 Jul 01:01 +0200
(no subject)
(address . control@debbugs.gnu.org)
YO4bTGp4MyCGHChs@jasmine.lan
block 46602 with 49556
Leo Famulari wrote on 14 Jul 01:03 +0200
Re: bug#46602: Removing OpenSSL 1.0
(name . zimoun)(address . zimon.toutoune@gmail.com)(address . 46602@debbugs.gnu.org)
YO4b2iBI9tdpiagH@jasmine.lan
On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:
> vde2:
> Does not build with current OpenSSL.
> Dependency changed to WolfSSL (unpackaged):
> https://github.com/virtualsquare/vde-2/issues/2
> Depended on by QEMU but not qemu-minimal (optional):
This is addressed by https://bugs.gnu.org/49556.
Efraim Flashner wrote on 20 Jul 20:55 +0200
(name . Leo Famulari)(address . leo@famulari.name)
YPccMSqkLO0N4exj@3900XT
On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:
> Here are my notes on the users of the openssl-1.0 package:
>
> > File: web-browsers.scm
>
> dillo:
> Does not build with current OpenSSL
> Status? https://www.dillo.org/Plans.html
> No dependents
This one confuses me. I was able to build dillo with both openssl and openssl-1.0, but I was unable to open that page with either version.
> > File: rust.scm
> > File: crates-io.scm
>
> For the Rust bootstrap, we can keep openssl-1.0 as a hidden-package.
> Help wanted dealing with the crates that depend on openssl-1.0.
>
I can poke those I guess, see what we can drop openssl-1.0 as an input for and see if anything breaks.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Efraim Flashner wrote on 20 Jul 21:06 +0200
YPce0xv62sK4K7Dk@3900XT
On Tue, Jul 20, 2021 at 09:55:45PM +0300, Efraim Flashner wrote:
> On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:
> > Here are my notes on the users of the openssl-1.0 package:
> >
> > > File: rust.scm
> > > File: crates-io.scm
> >
> > For the Rust bootstrap, we can keep openssl-1.0 as a hidden-package.
> > Help wanted dealing with the crates that depend on openssl-1.0.
> >
>
> I can poke those I guess, see what we can drop openssl-1.0 as an input
> for and see if anything breaks.
They were only needed for the rust-sha1@0.2 test suite, so easy to remove and nothing broke.

--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Leo Famulari wrote on 4 Aug 03:04 +0200
YQnnmmfzB1B3P55a@jasmine.lan
On Tue, Jul 20, 2021 at 09:55:45PM +0300, Efraim Flashner wrote:
> On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:
> > dillo:
> > Does not build with current OpenSSL
> > Status? https://www.dillo.org/Plans.html
> > No dependents
>
> This one confuses me. I was able to build dillo with both openssl and
> openssl-1.0, but I was unable to open that page with either version.
I built Dillo with OpenSSL 1.1 and saw this in the output of the 'configure' phase:
------
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... no
configure: WARNING: *** No libssl found. Disabling ssl support.***
------
So, it builds but lacks TLS / HTTPS support.
I think we should either remove OpenSSL as a dependency of Dillo, or remove Dillo altogether. It's a simple package definition and Dillo users can use it in a private channel, or maybe it could be added to guix-past.
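An added example, not part of the thread or of Guix: the situation described in the message above, a build that succeeds while 'configure' drops TLS support, can be caught by scanning the build log. The function names and output labels are assumptions of this example; the sample input is the configure output quoted in the message.

```shell
#!/bin/sh
# Added example: flag a build log in which 'configure' probed for a
# library symbol, did not find it, and carried on with a feature disabled.

# Sample input: the configure output quoted in the message above.
sample_log() {
cat <<'EOF'
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... no
configure: WARNING: *** No libssl found. Disabling ssl support.***
EOF
}

# scan_configure_log (hypothetical name): reads a log on stdin, prints one
# line per finding, returns 1 if there was any finding and 0 otherwise.
scan_configure_log() {
    awk '
        # Autoconf link probe that failed: "checking for SYM in -lLIB... no".
        # OpenSSL 1.1 turned SSL_library_init into a macro, so this probe
        # fails even though the headers and libssl are present.
        /^checking for .* in -l[^ ]*\.\.\. no$/ {
            lib = $5
            sub(/\.\.\.$/, "", lib)
            printf "MISSING-SYMBOL %s %s\n", lib, $3
            found = 1
        }
        # configure warning announcing that a feature was switched off.
        /^configure: WARNING:/ && tolower($0) ~ /disabl/ {
            print "FEATURE-DISABLED " $0
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# Stand-alone run on the sample: prints both findings.
sample_log | scan_configure_log || echo "build log shows a dropped feature"
```

Feed it a saved build log on stdin; the non-zero status can be used to fail a packaging check.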
Leo Famulari wrote on 4 Aug 03:10 +0200
YQno9NgQfUfFEqhT@jasmine.lan
On Tue, Aug 03, 2021 at 09:04:26PM -0400, Leo Famulari wrote:
> I think we should either remove OpenSSL as a dependency of Dillo, or
> remove Dillo altogether. It's a simple package definition and Dillo
> users can use it in a private channel, or maybe it could be added to
> guix-past.
I sent a patch to remove Dillo:
https://bugs.gnu.org/49859
Leo Famulari wrote on 4 Aug 03:27 +0200
YQntDxNVnQ/kSjxQ@jasmine.lan
On Tue, Aug 03, 2021 at 09:10:12PM -0400, Leo Famulari wrote:
> I sent a patch to remove Dillo:
>
> <https://bugs.gnu.org/49859>
Actually, I went ahead and sent some followup patches to remove everything else, too. Except for VDE-2, which there is a patch for.
Leo Famulari wrote on 11 Aug 19:58 +0200
(no subject)
(address . control@debbugs.gnu.org)
YRQPz0Hj/SRPoJ/F@jasmine.lan
block 46602 with 49859
Leo Famulari wrote on 15 Aug 19:43 +0200
(address . control@debbugs.gnu.org)
4f66aed1-def0-4f4f-9544-59c0221484d6@www.fastmail.com
block 46602 with 50029
Leo Famulari wrote on 16 Aug 00:12 +0200
YRmRP3NlC2jULask@jasmine.lan
With commit 12099eac1b161d364be923451d27d7d739d0f14d, nothing is using openssl-1.0 except for the Rust bootstrap.
If I understand correctly, the plan is to "upgrade" that bootstrap path, and eventually we won't need a package of openssl-1.0 at all.
I'm marking this bug as done.
Closed
zimoun wrote on 31 Aug 11:27 +0200
865yvmotf2.fsf@gmail.com
Hi Leo,
On Sun, 15 Aug 2021 at 18:12, Leo Famulari <leo@famulari.name> wrote:
> With commit 12099eac1b161d364be923451d27d7d739d0f14d, nothing is using
> openssl-1.0 except for the Rust bootstrap.
>
> If I understand correctly, the plan is to "upgrade" that bootstrap path,
> and eventually we won't need a package of openssl-1.0 at all.
>
> I'm marking this bug as done.
Cool! Thanks for the work.
On a side sad note, I point that 168 packages not named ’rust’ depends somehow on ’rust’.
$ guix refresh -l -e '(@@ (gnu packages tls) openssl-1.0)' \
    | sed 's/ /\n/g' | grep '@' \
    | grep -v rust | wc -l
168
And I am surprised that ’mplayer’ or ’guile-gnunet’ appears there.
Well, I am also surprised that “guix graph” does not report it.
$ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)'
guix graph: erreur : pas de chemin de « guile-gnunet@0.0-1.d12167a » à « openssl@1.0.2u »
Maybe I miss something somewhere.
Cheers,
simon
Efraim Flashner wrote on 31 Aug 11:57 +0200
(name . zimoun)(address . zimon.toutoune@gmail.com)
YS39EY9wT8Zg9lRH@3900XT
On Tue, Aug 31, 2021 at 11:27:45AM +0200, zimoun wrote:
> Hi Leo,
>
> On Sun, 15 Aug 2021 at 18:12, Leo Famulari <leo@famulari.name> wrote:
> > With commit 12099eac1b161d364be923451d27d7d739d0f14d, nothing is using
> > openssl-1.0 except for the Rust bootstrap.
> >
> > If I understand correctly, the plan is to "upgrade" that bootstrap path,
> > and eventually we won't need a package of openssl-1.0 at all.
> >
> > I'm marking this bug as done.
>
> Cool! Thanks for the work.
>
> On a side sad note, I point that 168 packages not named ’rust’ depends
> somehow on ’rust’.
>
> $ guix refresh -l -e '(@@ (gnu packages tls) openssl-1.0)' \
>     | sed 's/ /\n/g' | grep '@' \
>     | grep -v rust | wc -l
> 168
>
> And I am surprised that ’mplayer’ or ’guile-gnunet’ appears there.
> Well, I am also surprised that “guix graph” does not report it.
>
> --8<---------------cut here---------------start------------->8---
> $ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)'
> guix graph: erreur : pas de chemin de « guile-gnunet@0.0-1.d12167a » à « openssl@1.0.2u »
> --8<---------------cut here---------------end--------------->8---
>
> Maybe I miss something somewhere.
>
`git grep \,openssl-1.0' only shows one entry.
The others probably come through ffmpeg (through rav1e) or rust-cbindgen or otherwise actually depend on some other compiled rust library. Not sure where gnunet comes from though.
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
zimoun wrote on 31 Aug 12:31 +0200
(name . Efraim Flashner)(address . efraim@flashner.co.il)
86y28hoqh6.fsf@gmail.com
Hi,
On Tue, 31 Aug 2021 at 12:57, Efraim Flashner <efraim@flashner.co.il> wrote:
> On Tue, Aug 31, 2021 at 11:27:45AM +0200, zimoun wrote:
>
>> --8<---------------cut here---------------start------------->8---
>> $ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)'
>> guix graph: erreur : pas de chemin de « guile-gnunet@0.0-1.d12167a » à « openssl@1.0.2u »
>> --8<---------------cut here---------------end--------------->8---
>>
>> Maybe I miss something somewhere.
>>
>
> `git grep \,openssl-1.0' only shows one entry.
>
> The others probably come through ffmpeg (through rav1e) or rust-cbindgen
> or otherwise actually depend on some other compiled rust library. Not
> sure where gnunet comes from though.
Yeah, what I missed was the type for “guix graph”. :-)
$ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)' -t bag-emerged
guile-gnunet@0.0-1.d12167a
gnunet@0.13.1
libextractor@1.11
ffmpeg@4.4
rav1e@0.4.1
rust@1.45.2
rust@1.44.1
rust@1.43.0
rust@1.42.0
rust@1.41.1
rust@1.40.0
rust@1.39.0
rust@1.38.0
rust@1.37.0
rust@1.36.0
rust@1.35.0
rust@1.34.1
rust@1.33.0
rust@1.32.0
rust@1.31.1
rust@1.30.1
rust@1.29.2
rust@1.28.0
rust@1.27.2
rust@1.26.2
rust@1.25.0
openssl@1.0.2u

Cheers,
simon
To comment on this conversation send email to 46602@debbugs.gnu.org