See https://archives.gentoo.org/gentoo-dev/message/2bb16c9fcc53a995936ff9bb73e624ed Let's update things if possible (can we maybe remove USE=bindist altogether?) before we start suggesting transition from LibreSSL.
I'm pretty sure we can remove bindist here. Looking at what it does, it calls the hobble-openssl script, which is supposed to remove various patented features. From the comment:

# Clean out patent-or-otherwise-encumbered code.
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
# EC: ????????? ??/??/2020
# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore

So most of that has been obsolete for a while, the only remaining thing being Elliptic Curves. The last ECC patent of concern is this: https://patents.google.com/patent/US6782100 And it expired in 2020.
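As an added illustration, not part of the bug report and not Gentoo's or Fedora's own code: a small POSIX sh check for which of the algorithms that hobble-openssl used to strip (MDC-2, IDEA, RC5, EC, SRP) a given OpenSSL build actually exposes. The function names (encumbered_present, check_local_openssl) are mine. Detection parses the plain-text output of `openssl list -cipher-algorithms`, `openssl list -digest-algorithms`, `openssl ecparam -list_curves` and `openssl ciphers SRP`, passed in as strings, so it also runs offline against captured output; the sample output embedded below is constructed to look like a full and a hobbled 1.1.1 build. On OpenSSL 3.x, IDEA, RC5 and MDC-2 live in the legacy provider and only show up in `openssl list` when that provider is loaded, which the local check does explicitly.

```shell
#!/bin/sh
# Added example, not from the bug report or from Gentoo's ebuilds: report which
# of the algorithms that the hobble-openssl script used to strip (MDC-2, IDEA,
# RC5, EC, SRP) an OpenSSL build exposes. All inputs are plain text so the
# check can be run offline against captured output.

# encumbered_present CIPHERS DIGESTS CURVES SRP_SUITES
#   CIPHERS:    stdout of `openssl list -cipher-algorithms`
#   DIGESTS:    stdout of `openssl list -digest-algorithms`
#   CURVES:     stdout of `openssl ecparam -list_curves` (empty on a hobbled
#               build, where the ecparam subcommand does not exist)
#   SRP_SUITES: stdout of `openssl ciphers SRP` (empty when SRP is compiled out)
# Prints the encumbered algorithms that are present, space-separated, in a
# fixed order: IDEA RC5 MDC-2 EC SRP.
encumbered_present() {
    found=""
    printf '%s\n' "$1" | grep -qi 'idea' && found="$found IDEA"
    printf '%s\n' "$1" | grep -qi 'rc5'  && found="$found RC5"
    printf '%s\n' "$2" | grep -qi 'mdc2' && found="$found MDC-2"
    # ecparam prints one "  <name> : <description>" line per supported curve
    printf '%s\n' "$3" | grep -qE '^[[:space:]]*[A-Za-z0-9_.-]+[[:space:]]*:' && found="$found EC"
    printf '%s\n' "$4" | grep -q 'SRP-' && found="$found SRP"
    printf '%s\n' "${found# }"
}

# Run the check against the openssl binary in PATH. OpenSSL 3.x moved IDEA,
# RC5 and MDC-2 into the legacy provider, so it is loaded explicitly; 1.1.x
# rejects the -provider options, hence the fallback to a plain `openssl list`.
check_local_openssl() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found in PATH" >&2; return 2; }
    ciphers=$(openssl list -cipher-algorithms -provider legacy -provider default 2>/dev/null \
              || openssl list -cipher-algorithms 2>/dev/null)
    digests=$(openssl list -digest-algorithms -provider legacy -provider default 2>/dev/null \
              || openssl list -digest-algorithms 2>/dev/null)
    curves=$(openssl ecparam -list_curves 2>/dev/null || true)
    srp=$(openssl ciphers SRP 2>/dev/null || true)
    encumbered_present "$ciphers" "$digests" "$curves" "$srp"
}

# Constructed sample output standing in for a full (non-hobbled) 1.1.1 build.
sample_ciphers='AES-128-CBC
IDEA-CBC
RC5-CBC'
sample_digests='MD5
MDC2
SHA256'
sample_curves='  secp256k1 : SECG curve over a 256 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field'
sample_srp='SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA'

# Constructed sample output for a hobbled build: encumbered ciphers and digest
# removed, no ecparam subcommand (empty output), no SRP suites.
hobbled_ciphers='AES-128-CBC'
hobbled_digests='MD5
SHA256'

case "$1" in
    --local) check_local_openssl ;;
    *)  printf 'full build:    %s\n' "$(encumbered_present "$sample_ciphers" "$sample_digests" "$sample_curves" "$sample_srp")"
        printf 'hobbled build: %s\n' "$(encumbered_present "$hobbled_ciphers" "$hobbled_digests" "" "")" ;;
esac
```

Run with no arguments to see the two constructed samples side by side, or with `--local` to inspect the openssl in PATH; an empty result for a build that is supposed to carry EC is the symptom the bug is about.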
I tend to close this bug as a duplicate of bug 531540 to keep history together. In the end, the people who decided that we need to add USE=bindist to that package (Foundation, license team) are the only ones who can decide 'this is no longer needed', and nobody else (keep in mind that the hobble patch was added just 'recently' in 2017, so there might be additional reasons, and the quoted note from the hobble patch is from Fedora upstream but does not necessarily reflect the reasons for Gentoo's decision to add USE=bindist for the package a long time ago).
Do we have these mysterious reasons documented anywhere?
I don't know, and since CVS is gone I also don't know where to start my research at the moment. That's also why I am thinking about merging these bugs and getting attention from the people involved in the previous change.
(In reply to Thomas Deutschmann from comment #4)
> I don't know, and since CVS is gone I also don't know where to start my research
> at the moment.

The gentoo-x86 CVS repository was converted to git several years ago.
https://gitweb.gentoo.org/repo/gentoo/historical.git/

> That's also why I am thinking about merging these bugs and
> getting attention from the people involved in the previous change.

Maybe ask for feedback on the other bug and give people 30 days to respond.
@ Foundation Trustees:

In your meeting from 2017-10-22, as stated in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdd5c9e7d6a375e99b3ae89afd4517a3a5786df2, you decided to apply changes to the dev-libs/openssl package.

It was now requested to drop USE=bindist because the reasons why this was applied (patents?) no longer exist.

Please review, confirm and grant permission to drop USE=bindist to allow base-system to proceed.

Thank you.
(In reply to Thomas Deutschmann from comment #6)
> @ Foundation Trustees:
>
> In your meeting from 2017-10-22 as stated in
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdd5c9e7d6a375e99b3ae89afd4517a3a5786df2 you decided to apply changes to
> dev-libs/openssl package.
>
> It was now requested to drop USE=bindist because reasons why this was
> applied (patents?) no longer exist.
>
> Please review, confirm and grant permission to drop USE=bindist to allow
> base-system to proceed.
>
> Thank you.

Will discuss and get back to you.
-A
We are waiting to hear back from Fedora; as we are unlikely to be able to afford our own counsel here, we are likely to take similar action as them.
-A
Since I notice that Trustees aren't in CC of the other bug, repeating the question of bug 531540 comment #62 here also:

Trustees voted in their 2017-10-22 meeting that they are going to talk to Debian: https://projects.gentoo.org/foundation/2017/20171022.log.txt

[19:44:34] <prometheanfire> patch 1.1, talk to debian, (try to backport for 1.0 OR work on getting 1.1 stable)
[19:44:42] <zlg> yes
[19:44:47] <prometheanfire> yes
[19:44:56] <dabbott> yes
[19:45:14] <kensington> Abstain
[19:45:16] <zlg> (side note: where is releng? it'd be nice to hear from them)
[19:45:48] <prometheanfire> alicef: ?
[19:45:50] <alicef> abstein
[19:45:52] <prometheanfire> k
[19:45:58] <robbat2> jmbsvicetto has been busy with IRL stuff, so I'm the closest you have to releng here
[19:46:03] <robbat2> as the releng-infra liason
[19:46:11] <prometheanfire> we have quorum

What was the outcome of the "talk to Debian" part?
ping trustees
Fedora's legal department has not responded to the inquiry, and Fedora also continues to ship the "hobbled" OpenSSL (USE=bindist):
https://src.fedoraproject.org/rpms/openssl/c/0f5f931f9a64a3fe3221c75ed799914cfd90b0db?branch=rawhide

Since they didn't respond to direct inquiries, I've also filed this RH ticket:
https://bugzilla.redhat.com/show_bug.cgi?id=1976662
(In reply to Robin Johnson from comment #11)
> [snip]
> Since they didn't respond to direct inquiries, I've also filed this RH ticket:
> https://bugzilla.redhat.com/show_bug.cgi?id=1976662

Thanks a bunch for filing this!

Another note: =dev-libs/openssl-3.0* has lost USE=bindist, but I'm not aware of why.

@base-system: could you let us know? Are the algorithms completely gone (this seems strange but possible)?
RedHat has closed the ticket and stated we should email a list instead. The list includes mails as recently as last year that denied EC usage.
(In reply to Robin Johnson from comment #13)
> RedHat has closed the ticket and stated we should email a list instead. The
> list includes mails as recently as last year that denied EC usage.

The linked post seems to be related to the fact that redhat disables support for brainpool curves in a variety of applications. But there's no explanation given why they do that. This does not seem to be related to the issue we're discussing here.

It seems to me that some people here are waiting for an answer from redhat, but redhat is not willing to give us one. However, I also don't think we need one. These patches were there due to concerns about patents that expired in 2020. They're no longer relevant.
hanno, mgorny:
Redhat's Legal says they still have concerns about enabling EC, and that Fedora/RHEL should NOT ship it yet.

Their concerns are not limited to Brainpool, but cover further parts of EC as well.
(In reply to Robin Johnson from comment #15)
> hanno, mgorny:
> Redhat's Legal says they still have concerns about enabling EC, and that
> Fedora/RHEL should NOT ship it yet.
>
> Their concerns are not limited to Brainpool, but cover further parts of EC
> as well.

Can they share these concerns, or are these just vague statements?
openssl[bindist] has now been removed.

news item: https://gitweb.gentoo.org/data/gentoo-news.git/tree/2021-10-17-openssl-bindist-removal/2021-10-17-openssl-bindist-removal.en.txt?id=e91fb8d1fae984eead80975412f3a1029ac099ab
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=91c1a70f4c8d56e56e2445bbd123ed286f8d1444

commit 91c1a70f4c8d56e56e2445bbd123ed286f8d1444
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-09-12 09:14:07 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:26:20 +0000

    net-misc/openssh: Update for openssl/ldns bindist update

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/18894
    Signed-off-by: Sam James <sam@gentoo.org>

 net-misc/openssh/openssh-8.7_p1-r3.ebuild | 503 ++++++++++++++++++++++++++++++
 net-misc/openssh/openssh-8.8_p1-r3.ebuild | 503 ++++++++++++++++++++++++++++++
 2 files changed, 1006 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cd50b985a05a1c702e24a876361191fe0f22efc0

commit cd50b985a05a1c702e24a876361191fe0f22efc0
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2021-09-12 09:12:10 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:26:19 +0000

    net-libs/ldns: Update for dev-libs/openssl bindist update

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Michał Górny <mgorny@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/ldns/ldns-1.7.1-r6.ebuild                 | 103 +++++++++++++++++++++
 .../{ldns-1.8.0-r1.ebuild => ldns-1.8.0-r2.ebuild} |   9 --
 2 files changed, 103 insertions(+), 9 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f448b05c0c596479972d0fed25847fabd277f26b

commit f448b05c0c596479972d0fed25847fabd277f26b
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:06:43 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:26:18 +0000

    net-wireless/wpa_supplicant: drop OpenSSL bindist kludge

    Not needed anymore now that (stable) OpenSSL now lacks USE=bindist;
    see news item for more information.

    Originally added in fed37693d6442a4ec65e121c80ad2f52b6d93335, the
    changes were/are just to allow building wpa_supplicant against
    openssl[bindist] rather than anything shipped within wpa_supplicant
    that might have patent issues, etc.

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 ...-2.9-r6.ebuild => wpa_supplicant-2.9-r7.ebuild} | 40 ++++++++----------
 .../wpa_supplicant/wpa_supplicant-9999.ebuild      | 49 ++++++++++++----------
 2 files changed, 43 insertions(+), 46 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d07f49b07110bd211a32aea3d9656372a31379c0

commit d07f49b07110bd211a32aea3d9656372a31379c0
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:38:28 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:38:50 +0000

    net-wireless/wpa_supplicant: fix bindist removal

    I'd gone back and tried to sync live and ended up with a monstrosity.

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 ...a_supplicant-2.9-r7.ebuild => wpa_supplicant-2.9-r8.ebuild} |  2 +-
 net-wireless/wpa_supplicant/wpa_supplicant-9999.ebuild         | 10 +---------
 2 files changed, 2 insertions(+), 10 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0de4fa6c810cfc668e2dcefd12a940e724bea791

commit 0de4fa6c810cfc668e2dcefd12a940e724bea791
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:49:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:27 +0000

    dev-libs/softhsm: adapt for OpenSSL bindist changes

    OpenSSL no longer has a bindist flag.

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/softhsm/softhsm-2.6.1-r2.ebuild | 48 ++++++++++++++++++++++++++++++++
 1 file changed, 48 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=cf8b737346f396dff1e0d0c8541b3f1c4fd88583

commit cf8b737346f396dff1e0d0c8541b3f1c4fd88583
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:48:35 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:26 +0000

    dev-libs/pkcs11-helper: adapt for OpenSSL bindist changes

    OpenSSL no longer has a bindist flag.

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 .../pkcs11-helper/pkcs11-helper-1.27.0-r1.ebuild | 47 ++++++++++++++++++++++
 1 file changed, 47 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=43c40c442031ddec003f197980a5725a2c685b1f

commit 43c40c442031ddec003f197980a5725a2c685b1f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:47:32 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:25 +0000

    dev-libs/libp11: adapt for OpenSSL bindist changes

    OpenSSL no longer has a bindist flag.

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/libp11/libp11-0.4.11-r2.ebuild | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06fa4c0bc9591084cafe39051681fd34b8741209

commit 06fa4c0bc9591084cafe39051681fd34b8741209
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:46:44 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:24 +0000

    dev-libs/botan: adapt for OpenSSL bindist changes

    OpenSSL no longer has a bindist flag.

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/botan/botan-2.18.2-r1.ebuild | 164 ++++++++++++++++++++++++++++++++++
 1 file changed, 164 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b9d4c0b7e53d4aafbdc4b8614d888875486f3772

commit b9d4c0b7e53d4aafbdc4b8614d888875486f3772
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:45:57 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:23 +0000

    sys-apps/ucspi-ssl: adapt for OpenSSL bindist changes

    OpenSSL no longer has a bindist flag.

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-apps/ucspi-ssl/ucspi-ssl-0.99e-r2.ebuild | 61 ++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3342af84d7fab35f298c8da001ca7135a7ad2f26

commit 3342af84d7fab35f298c8da001ca7135a7ad2f26
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:43:48 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:50:22 +0000

    app-crypt/xca: adapt for OpenSSL bindist changes

    OpenSSL no longer has a bindist flag.

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 app-crypt/xca/xca-2.4.0-r2.ebuild | 71 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 71 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b0df88e1c6cf4ea52ef1516d66ca4f1542a99f12

commit b0df88e1c6cf4ea52ef1516d66ca4f1542a99f12
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:36:37 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 04:55:07 +0000

    dev-qt/qtnetwork: drop USE=bindist for OpenSSL changes

    OpenSSL no longer has USE=bindist.

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>
    Closes: https://github.com/gentoo/gentoo/pull/23156
    Signed-off-by: Sam James <sam@gentoo.org>

 .../{qtnetwork-5.15.2-r12.ebuild => qtnetwork-5.15.2-r13.ebuild} | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96158bff11f511f6c7d440d239a8897011ef657c

commit 96158bff11f511f6c7d440d239a8897011ef657c
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 05:12:42 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-12-03 05:12:45 +0000

    net-libs/gnutls: adapt for OpenSSL bindist changes

    OpenSSL no longer has a bindist flag.

    (Test only dependency so no revbump required really.)

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>

 net-libs/gnutls/gnutls-3.7.2.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/qt.git/commit/?id=d3c7da917da39096761b7dcdf10c43a23bea8a81

commit d3c7da917da39096761b7dcdf10c43a23bea8a81
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2021-12-03 04:36:37 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-12-13 16:34:32 +0000

    dev-qt/qtnetwork: drop USE=bindist for OpenSSL changes

    OpenSSL no longer has USE=bindist.

    Bug: https://bugs.gentoo.org/762850
    Signed-off-by: Sam James <sam@gentoo.org>
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtnetwork/qtnetwork-5.15.2.9999.ebuild | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)