Bug 762850 - dev-libs/openssl: revisit USE=bindist (again)
Summary: dev-libs/openssl: revisit USE=bindist (again)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Board of Trustees
Keywords: PullRequest
Reported: 2020-12-31 23:45 UTC by Michał Górny
Modified: 2021-12-13 16:34 UTC (History)
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-31 23:45:56 UTC
See https://archives.gentoo.org/gentoo-dev/message/2bb16c9fcc53a995936ff9bb73e624ed


Let's update things if possible (can we maybe remove USE=bindist altogether?) before we start suggesting transition from LibreSSL.
Comment 1 Hanno Böck gentoo-dev 2021-01-01 08:04:23 UTC
I'm pretty sure we can remove bindist here.

Looking at what it does it calls the hobble-openssl script, which is supposed to remove various patented features. From the comment:

# Clean out patent-or-otherwise-encumbered code.
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
# IDEA:  5,214,703 07/01/2012 - expired, we do not remove it anymore
# RC5:   5,724,428 01/11/2015 - expired, we do not remove it anymore
# EC:    ????????? ??/??/2020
# SRP:   ????????? ??/??/2017 - expired, we do not remove it anymore

So most of that is already obsolete for a while, the only remaining thing being Elliptic Curves.

The last ECC patent of concern is this:
https://patents.google.com/patent/US6782100

And it expired 2020.
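The hobble script described above works at compile time (no-ec, no-idea, no-rc5, no-mdc2, no-srp), so a machine built with USE=bindist carries an OpenSSL that simply lacks those algorithms, and with them every ECDHE/ECDSA cipher suite. The probe below is an added example, not part of this bug or of Gentoo's or Fedora's tooling: it inspects the OpenSSL that the running Python interpreter is linked against, through the ssl and hashlib modules and through ctypes lookups into libcrypto. EVP_get_cipherbyname, EVP_get_digestbyname and SRP_create_verifier are stock OpenSSL symbols; the libcrypto file-name fallbacks and the curve selection are assumptions of this example.

```python
"""Probe whether the OpenSSL behind this Python still carries the algorithms a
"hobbled" (USE=bindist / Fedora hobble-openssl) build compiles out.

Added example, not Gentoo's or Fedora's own tooling.  Only the standard
library is used; the ctypes part is best-effort and reports None when
libcrypto cannot be located.
"""
import ctypes
import ctypes.util
import hashlib
import ssl

# The hobble build used no-ec, which removes every curve.  One NIST, one
# Brainpool and one SECG curve are probed; any of them working proves EC is in.
EC_CURVES = ("prime256v1", "brainpoolP256r1", "secp256k1")

# Algorithms the hobble script toggled with no-idea / no-rc5 / no-mdc2.
CIPHER_NAMES = ("idea-cbc", "rc5-cbc")
DIGEST_NAMES = ("mdc2",)

# Assumed file names to try after find_library(); adjust for exotic layouts.
LIBCRYPTO_CANDIDATES = ("libcrypto.so.3", "libcrypto.so.1.1", "libcrypto.so")


def _load_libcrypto():
    """Best-effort dlopen of libcrypto; None if it cannot be found."""
    for name in (ctypes.util.find_library("crypto"),) + LIBCRYPTO_CANDIDATES:
        if not name:
            continue
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    return None


def probe_ec_curves():
    """Return {curve: bool}: can a TLS context be told to use this curve?

    ValueError means the name is unknown; ssl.SSLError means the library knows
    the OID but cannot instantiate the curve (the no-ec case).
    """
    out = {}
    for curve in EC_CURVES:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            ctx.set_ecdh_curve(curve)
            out[curve] = True
        except (ValueError, ssl.SSLError, AttributeError):
            out[curve] = False
    return out


def probe_compiled_in(lib):
    """Ask libcrypto's name tables whether the legacy algorithms were built in.

    EVP_get_cipherbyname / EVP_get_digestbyname return NULL for names that were
    compiled out.  On OpenSSL 3 a non-NULL answer only says "present in the
    library": IDEA, RC5 and MDC-2 additionally need the legacy provider loaded
    before they can be used, which hashlib below tests for MDC-2.
    """
    if lib is None:
        return {name: None for name in CIPHER_NAMES + DIGEST_NAMES + ("srp",)}
    lib.EVP_get_cipherbyname.restype = ctypes.c_void_p
    lib.EVP_get_cipherbyname.argtypes = [ctypes.c_char_p]
    lib.EVP_get_digestbyname.restype = ctypes.c_void_p
    lib.EVP_get_digestbyname.argtypes = [ctypes.c_char_p]
    result = {}
    for name in CIPHER_NAMES:
        result[name] = lib.EVP_get_cipherbyname(name.encode()) is not None
    for name in DIGEST_NAMES:
        result[name] = lib.EVP_get_digestbyname(name.encode()) is not None
    # SRP has no EVP name; no-srp drops the SRP_* symbols from the library.
    result["srp"] = hasattr(lib, "SRP_create_verifier")
    return result


def probe_openssl():
    """Summarise the build: which hobble-era algorithms are present or usable."""
    ec = probe_ec_curves()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Practical consequence of no-ec: no ECDHE suites, hence no EC forward secrecy.
    ecdhe = [c["name"] for c in ctx.get_ciphers() if c["name"].startswith("ECDHE-")]
    try:
        hashlib.new("mdc2")
        mdc2_usable = True
    except ValueError:
        mdc2_usable = False
    return {
        "version": ssl.OPENSSL_VERSION,
        "ec": ec,
        "ec_compiled_out": not any(ec.values()),
        "ecdhe_suites": len(ecdhe),
        "compiled_in": probe_compiled_in(_load_libcrypto()),
        "mdc2_usable_now": mdc2_usable,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(probe_openssl(), indent=2))
```

Run it as a script and read "ec_compiled_out" first: True is the bindist signature and means no ECDHE or ECDSA at all on that host. "compiled_in" distinguishes "never built" (the hobble case) from "built but parked in the legacy provider" (normal OpenSSL 3), which is why "mdc2_usable_now" can be False on an unhobbled OpenSSL 3.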
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2021-01-01 15:41:39 UTC
I tend to close this bug as a duplicate of bug 531540 to keep history together.

In the end, the people who decided that we need to add USE=bindist to that package (Foundation, license team) are the only ones who can decide 'this is no longer needed', and nobody else (keep in mind that the hobble patch was added just 'recently' in 2017, so there might be additional reasons, and the quoted note from the hobble patch is from Fedora upstream, but does not necessarily reflect the reasons for Gentoo's decision to add USE=bindist for the package a long time ago).
Comment 3 Mike Gilbert gentoo-dev 2021-01-01 16:14:31 UTC
Do we have these mysterious reasons documented anywhere?
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2021-01-01 18:33:00 UTC
I don't know, and since CVS is gone I also don't know where to start my research at the moment. That's also why I am thinking about merging these bugs and getting attention from the people involved in the previous change.
Comment 5 Mike Gilbert gentoo-dev 2021-01-01 20:30:06 UTC
(In reply to Thomas Deutschmann from comment #4)
> I don't know and since CSV is gone I also don't where to start my research
> at the moment.

The gentoo-x86 CVS repository was converted to git several years ago.

https://gitweb.gentoo.org/repo/gentoo/historical.git/

> That's also why I am thinking about merging these bugs and
> get attention from people involved in previous change.

Maybe ask for feedback on the other bug and give people 30 days to respond.
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2021-01-10 00:22:54 UTC
@ Foundation Trustees:

In your meeting from 2017-10-22 as stated in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdd5c9e7d6a375e99b3ae89afd4517a3a5786df2 you decided to apply changes to dev-libs/openssl package.

It was now requested to drop USE=bindist because reasons why this was applied (patents?) no longer exist.

Please review, confirm and grant permission to drop USE=bindist to allow base-system to proceed.

Thank you.
Comment 7 Alec Warner (RETIRED) archtester gentoo-dev Security 2021-01-10 01:38:48 UTC
(In reply to Thomas Deutschmann from comment #6)
> @ Foundation Trustees:
> 
> In your meeting from 2017-10-22 as stated in
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=bdd5c9e7d6a375e99b3ae89afd4517a3a5786df2 you decided to apply changes to
> dev-libs/openssl package.
> 
> It was now requested to drop USE=bindist because reasons why this was
> applied (patents?) no longer exist.
> 
> Please review, confirm and grant permission to drop USE=bindist to allow
> base-system to proceed.
> 
> Thank you.

Will discuss and get back to you.

-A
Comment 8 Alec Warner (RETIRED) archtester gentoo-dev Security 2021-01-22 23:37:30 UTC
We are waiting to hear back from Fedora; as we are unlikely to afford our own counsel here, we are likely to take similar action to them.

-A
Comment 9 Ulrich Müller gentoo-dev 2021-01-23 12:52:11 UTC
Since I notice that Trustees aren't in CC of the other bug, repeating the question of bug 531540 comment #62 here also:

Trustees voted in their 2017-10-22 meeting that they are going to talk to Debian:
https://projects.gentoo.org/foundation/2017/20171022.log.txt

[19:44:34] <prometheanfire> patch 1.1, talk to debian, (try to backport for 1.0 OR work on getting 1.1 stable)
[19:44:42] <zlg> yes
[19:44:47] <prometheanfire> yes
[19:44:56] <dabbott> yes
[19:45:14] <kensington> Abstain 
[19:45:16] <zlg> (side note: where is releng? it'd be nice to hear from them)
[19:45:48] <prometheanfire> alicef: ?
[19:45:50] <alicef> abstein
[19:45:52] <prometheanfire> k
[19:45:58] <robbat2> jmbsvicetto has been busy with IRL stuff, so I'm the closest you have to releng here
[19:46:03] <robbat2> as the releng-infra liason
[19:46:11] <prometheanfire> we have quorum

What was the outcome of the "talk to Debian" part?
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-16 19:20:05 UTC
ping trustees
Comment 11 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-06-27 22:28:01 UTC
Fedora's legal department has not responded to the inquiry, and Fedora also continues to ship the "hobbled" OpenSSL (USE=bindist):
https://src.fedoraproject.org/rpms/openssl/c/0f5f931f9a64a3fe3221c75ed799914cfd90b0db?branch=rawhide

Since they didn't respond to direct inquiries, I've also filed this RH ticket:
https://bugzilla.redhat.com/show_bug.cgi?id=1976662
Comment 12 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-06-28 01:15:51 UTC
(In reply to Robin Johnson from comment #11)
> [snip]
> Since they didn't respond to direct inquries, I've also filed this RH ticket:
> https://bugzilla.redhat.com/show_bug.cgi?id=1976662

Thanks a bunch for filing this!

Another note: =dev-libs/openssl-3.0* has lost USE=bindist, but I'm not aware of why.

@base-system: could you let us know? Are the algorithms completely gone (this seems strange but possible)?
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-07-07 04:36:35 UTC
RedHat has closed the ticket and stated we should email a list instead. The list includes mails as recently as last year that denied EC usage.
Comment 14 Hanno Böck gentoo-dev 2021-09-11 13:56:51 UTC
(In reply to Robin Johnson from comment #13)
> RedHat has closed the ticket and stated we should email a list instead. The
> list includes mails as recently as last year that denied EC usage.

The linked post seems to be related to the fact that redhat disables support for brainpool curves in a variety of applications. But there's no explanation given why they do that. This does not seem to be related to the issue we're discussing here.

It seems to me that some people here are waiting for an answer from redhat, but redhat is not willing to give us one.

However I also don't think we need one. These patches were there due to concerns about patents that expired in 2020. They're no longer relevant.
Comment 15 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-09-16 03:22:39 UTC
hanno, mgorny:
Redhat's Legal says they still have concerns about enabling EC, and that Fedora/RHEL should NOT ship it yet.

Their concerns are not limited to Brainpool, but cover further parts of EC as well.
Comment 16 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-09-16 07:04:24 UTC
(In reply to Robin Johnson from comment #15)
> hanno, mgorny:
> Redhat's Legal says they still have concerns about enabling EC, and that
> Fedora/RHEL should NOT ship it yet.
> 
> Their concerns are not limited to Brainpool, but cover further parts of EC
> as well.

Can they share these concerns, or are these just vague statements?
Comment 18 Larry the Git Cow gentoo-dev 2021-12-03 04:26:29 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=91c1a70f4c8d56e56e2445bbd123ed286f8d1444

commit 91c1a70f4c8d56e56e2445bbd123ed286f8d1444
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-09-12 09:14:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:26:20 +0000

    net-misc/openssh: Update for openssl/ldns bindist update
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/18894
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/openssh/openssh-8.7_p1-r3.ebuild | 503 ++++++++++++++++++++++++++++++
 net-misc/openssh/openssh-8.8_p1-r3.ebuild | 503 ++++++++++++++++++++++++++++++
 2 files changed, 1006 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd50b985a05a1c702e24a876361191fe0f22efc0

commit cd50b985a05a1c702e24a876361191fe0f22efc0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-09-12 09:12:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:26:19 +0000

    net-libs/ldns: Update for dev-libs/openssl bindist update
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/ldns/ldns-1.7.1-r6.ebuild                 | 103 +++++++++++++++++++++
 .../{ldns-1.8.0-r1.ebuild => ldns-1.8.0-r2.ebuild} |   9 --
 2 files changed, 103 insertions(+), 9 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f448b05c0c596479972d0fed25847fabd277f26b

commit f448b05c0c596479972d0fed25847fabd277f26b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:06:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:26:18 +0000

    net-wireless/wpa_supplicant: drop OpenSSL bindist kludge
    
    Not needed anymore now that (stable) OpenSSL lacks USE=bindist;
    see news item for more information.
    
    Originally added in fed37693d6442a4ec65e121c80ad2f52b6d93335, the
    changes were/are just to allow building wpa_supplicant against
    openssl[bindist] rather than anything shipped within wpa_supplicant
    that might have patent issues, etc.
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 ...-2.9-r6.ebuild => wpa_supplicant-2.9-r7.ebuild} | 40 ++++++++----------
 .../wpa_supplicant/wpa_supplicant-9999.ebuild      | 49 ++++++++++++----------
 2 files changed, 43 insertions(+), 46 deletions(-)
Comment 19 Larry the Git Cow gentoo-dev 2021-12-03 04:39:05 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d07f49b07110bd211a32aea3d9656372a31379c0

commit d07f49b07110bd211a32aea3d9656372a31379c0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:38:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:38:50 +0000

    net-wireless/wpa_supplicant: fix bindist removal
    
    I'd gone back and tried to sync live and ended up with a monstrosity.
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 ...a_supplicant-2.9-r7.ebuild => wpa_supplicant-2.9-r8.ebuild} |  2 +-
 net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild         | 10 +---------
 2 files changed, 2 insertions(+), 10 deletions(-)
Comment 20 Larry the Git Cow gentoo-dev 2021-12-03 04:50:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0de4fa6c810cfc668e2dcefd12a940e724bea791

commit 0de4fa6c810cfc668e2dcefd12a940e724bea791
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:49:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:27 +0000

    dev-libs/softhsm: adapt for OpenSSL bindist changes
    
    OpenSSL no longer has a bindist flag.
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/softhsm/softhsm-2.6.1-r2.ebuild | 48 ++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf8b737346f396dff1e0d0c8541b3f1c4fd88583

commit cf8b737346f396dff1e0d0c8541b3f1c4fd88583
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:48:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:26 +0000

    dev-libs/pkcs11-helper: adapt for OpenSSL bindist changes
    
    OpenSSL no longer has a bindist flag.
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 .../pkcs11-helper/pkcs11-helper-1.27.0-r1.ebuild   | 47 ++++++++++++++++++++++
 1 file changed, 47 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43c40c442031ddec003f197980a5725a2c685b1f

commit 43c40c442031ddec003f197980a5725a2c685b1f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:47:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:25 +0000

    dev-libs/libp11: adapt for OpenSSL bindist changes
    
    OpenSSL no longer has a bindist flag.
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libp11/libp11-0.4.11-r2.ebuild | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06fa4c0bc9591084cafe39051681fd34b8741209

commit 06fa4c0bc9591084cafe39051681fd34b8741209
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:46:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:24 +0000

    dev-libs/botan: adapt for OpenSSL bindist changes
    
    OpenSSL no longer has a bindist flag.
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/botan/botan-2.18.2-r1.ebuild | 164 ++++++++++++++++++++++++++++++++++
 1 file changed, 164 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9d4c0b7e53d4aafbdc4b8614d888875486f3772

commit b9d4c0b7e53d4aafbdc4b8614d888875486f3772
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:45:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:23 +0000

    sys-apps/ucspi-ssl: adapt for OpenSSL bindist changes
    
    OpenSSL no longer has a bindist flag.
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/ucspi-ssl/ucspi-ssl-0.99e-r2.ebuild | 61 ++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3342af84d7fab35f298c8da001ca7135a7ad2f26

commit 3342af84d7fab35f298c8da001ca7135a7ad2f26
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:43:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:22 +0000

    app-crypt/xca: adapt for OpenSSL bindist changes
    
    OpenSSL no longer has a bindist flag.
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/xca/xca-2.4.0-r2.ebuild | 71 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
Comment 21 Larry the Git Cow gentoo-dev 2021-12-03 04:55:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0df88e1c6cf4ea52ef1516d66ca4f1542a99f12

commit b0df88e1c6cf4ea52ef1516d66ca4f1542a99f12
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:36:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:55:07 +0000

    dev-qt/qtnetwork: drop USE=bindist for OpenSSL changes
    
    OpenSSL no longer has USE=bindist.
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/23156
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{qtnetwork-5.15.2-r12.ebuild => qtnetwork-5.15.2-r13.ebuild}      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
Comment 22 Larry the Git Cow gentoo-dev 2021-12-03 05:13:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96158bff11f511f6c7d440d239a8897011ef657c

commit 96158bff11f511f6c7d440d239a8897011ef657c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 05:12:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 05:12:45 +0000

    net-libs/gnutls: adapt for OpenSSL bindist changes
    
    OpenSSL no longer has a bindist flag.
    
    (Test only dependency so no revbump required really.)
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/gnutls-3.7.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 23 Larry the Git Cow gentoo-dev 2021-12-13 16:34:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/qt.git/commit/?id=d3c7da917da39096761b7dcdf10c43a23bea8a81

commit d3c7da917da39096761b7dcdf10c43a23bea8a81
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:36:37 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-12-13 16:34:32 +0000

    dev-qt/qtnetwork: drop USE=bindist for OpenSSL changes
    
    OpenSSL no longer has USE=bindist.
    
    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtnetwork/qtnetwork-5.15.2.9999.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)