Let's update things if possible (can we maybe remove USE=bindist altogether?) before we start suggesting transition from LibreSSL.
I'm pretty sure we can remove bindist here.
Looking at what it does, it calls the hobble-openssl script, which is supposed to remove various patented features. From the comment:
# Clean out patent-or-otherwise-encumbered code.
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
# EC: ????????? ??/??/2020
# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore
So most of that has been obsolete for a while, the only remaining thing being Elliptic Curves.
The last ECC patent of concern is this:
And it expired in 2020.
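The comment quoted above lists the algorithm families the hobble script strips or disables (MDC-2, IDEA, RC5, EC, SRP). The following is an added example, not code from this bug, Gentoo or Fedora, that checks which of those families the OpenSSL linked into the local Python interpreter actually provides, so a packager can verify what a given build (hobbled or not) ships. It assumes only the standard-library ssl and hashlib modules; the sample cipher dicts in the test are constructed.

```python
import hashlib
import ssl

# Algorithm families that the Fedora hobble-openssl script (quoted in the bug)
# removes or leaves disabled. MDC-2 is a digest; the others are visible in TLS
# cipher-suite metadata, so each is probed through the matching API.
HOBBLED_FAMILIES = ("EC", "IDEA", "RC5", "SRP", "MDC-2")


def classify_ciphers(ciphers):
    """Map get_ciphers()-style dicts (keys 'name', 'kea', 'auth') to
    {family: present?} for the TLS-visible families."""
    found = {"EC": False, "IDEA": False, "RC5": False, "SRP": False}
    for c in ciphers:
        name = c.get("name", "").upper()
        kea = c.get("kea", "").upper()
        auth = c.get("auth", "").upper()
        # Any ECDH(E) key exchange or ECDSA authentication needs EC support.
        if "ECDH" in kea or "ECDSA" in auth:
            found["EC"] = True
        if "IDEA" in name:
            found["IDEA"] = True
        if "RC5" in name:
            found["RC5"] = True
        if "SRP" in kea or "SRP" in name:
            found["SRP"] = True
    return found


def probe_local_openssl():
    """Inspect the OpenSSL build that Python's ssl module is linked against."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Widen the cipher list beyond the secure default so legacy suites become
    # visible; "@SECLEVEL=0" is OpenSSL-specific, so fall back without it.
    try:
        ctx.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    except ssl.SSLError:
        ctx.set_ciphers("ALL:COMPLEMENTOFALL")
    report = classify_ciphers(ctx.get_ciphers())
    # ssl.HAS_ECDH is determined from the linked library at build time, so it
    # is a direct signal of EC support independent of the cipher list.
    report["EC"] = report["EC"] or ssl.HAS_ECDH
    # MDC-2 is a hash, not a cipher suite: ask hashlib for it by name.
    try:
        hashlib.new("mdc2")
        report["MDC-2"] = True
    except ValueError:
        report["MDC-2"] = False
    report["openssl_version"] = ssl.OPENSSL_VERSION
    return report


if __name__ == "__main__":
    for family, present in probe_local_openssl().items():
        print(f"{family}: {present}")
```

A build produced with the hobble script applied would report EC as False here (and ssl.HAS_ECDH would be False), which is the concrete difference USE=bindist made; on a stock OpenSSL 3.x build, MDC-2 typically shows False only because it lives in the legacy provider, not because it was removed.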
I tend to close this bug as a duplicate of bug 531540 to keep history together.
In the end, the people who decided that we need to add USE=bindist to that package (Foundation, license team) are the only ones who can decide 'this is no longer needed' and nobody else (keep in mind that the hobble patch was added just 'recently' in 2017, so there might be additional reasons, and the quoted note from the hobble patch is from Fedora upstream but does not necessarily reflect the reasons for Gentoo's decision to add USE=bindist for the package a long time ago).
Do we have these mysterious reasons documented anywhere?
I don't know, and since CVS is gone I also don't know where to start my research at the moment. That's also why I am thinking about merging these bugs and getting attention from people involved in the previous change.
(In reply to Thomas Deutschmann from comment #4)
> I don't know, and since CVS is gone I also don't know where to start my research
> at the moment.
The gentoo-x86 CVS repository was converted to git several years ago.
> That's also why I am thinking about merging these bugs and
> getting attention from people involved in the previous change.
Maybe ask for feedback on the other bug and give people 30 days to respond.
@ Foundation Trustees:
In your meeting from 2017-10-22, as stated in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdd5c9e7d6a375e99b3ae89afd4517a3a5786df2, you decided to apply changes to the dev-libs/openssl package.
It has now been requested that we drop USE=bindist because the reasons it was applied (patents?) no longer exist.
Please review, confirm and grant permission to drop USE=bindist to allow base-system to proceed.
(In reply to Thomas Deutschmann from comment #6)
> @ Foundation Trustees:
> In your meeting from 2017-10-22 as stated in
> ?id=bdd5c9e7d6a375e99b3ae89afd4517a3a5786df2 you decided to apply changes to
> dev-libs/openssl package.
> It was now requested to drop USE=bindist because reasons why this was
> applied (patents?) no longer exist.
> Please review, confirm and grant permission to drop USE=bindist to allow
> base-system to proceed.
> Thank you.
Will discuss and get back to you.
We are waiting to hear back from Fedora; as we are unlikely to afford our own counsel here, we are likely to take similar action to them.
Since I notice that the Trustees aren't in CC of the other bug, repeating the question from bug 531540 comment #62 here also:
Trustees voted in their 2017-10-22 meeting that they are going to talk to Debian:
[19:44:34] <prometheanfire> patch 1.1, talk to debian, (try to backport for 1.0 OR work on getting 1.1 stable)
[19:44:42] <zlg> yes
[19:44:47] <prometheanfire> yes
[19:44:56] <dabbott> yes
[19:45:14] <kensington> Abstain
[19:45:16] <zlg> (side note: where is releng? it'd be nice to hear from them)
[19:45:48] <prometheanfire> alicef: ?
[19:45:50] <alicef> abstein
[19:45:52] <prometheanfire> k
[19:45:58] <robbat2> jmbsvicetto has been busy with IRL stuff, so I'm the closest you have to releng here
[19:46:03] <robbat2> as the releng-infra liason
[19:46:11] <prometheanfire> we have quorum
What was the outcome of the "talk to Debian" part?
Fedora's legal department has not responded to the inquiry, and Fedora also continues to ship the "hobbled" OpenSSL (USE=bindist):
Since they didn't respond to direct inquiries, I've also filed this RH ticket:
(In reply to Robin Johnson from comment #11)
> Since they didn't respond to direct inquiries, I've also filed this RH ticket:
Thanks a bunch for filing this!
Another note: =dev-libs/openssl-3.0* has lost USE=bindist, but I'm not aware of why.
@base-system: could you let us know? Are the algorithms completely gone (this seems strange but possible)?
RedHat has closed the ticket and stated we should email a list instead. The list includes mails as recently as last year that denied EC usage.
(In reply to Robin Johnson from comment #13)
> RedHat has closed the ticket and stated we should email a list instead. The
> list includes mails as recently as last year that denied EC usage.
The linked post seems to be related to the fact that redhat disables support for brainpool curves in a variety of applications. But there's no explanation given why they do that. This does not seem to be related to the issue we're discussing here.
It seems to me that some people here are waiting for an answer from redhat, but redhat is not willing to give us one.
However I also don't think we need one. These patches were there due to concerns about patents that expired in 2020. They're no longer relevant.
Redhat's Legal says they still have concerns about enabling EC, and that Fedora/RHEL should NOT ship it yet.
Their concerns are not limited to Brainpool, but cover further parts of EC as well.
(In reply to Robin Johnson from comment #15)
> hanno, mgorny:
> Redhat's Legal says they still have concerns about enabling EC, and that
> Fedora/RHEL should NOT ship it yet.
> Their concerns are not limited to Brainpool, but cover further parts of EC
> as well.
Can they share these concerns, or are these just vague statements?