Bug 762850 - dev-libs/openssl: revisit USE=bindist (again)
Summary: dev-libs/openssl: revisit USE=bindist (again)
Status: IN_PROGRESS
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo Board of Trustees
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2020-12-31 23:45 UTC by Michał Górny
Modified: 2021-09-16 07:04 UTC
CC List: 8 users

See Also:
Package list:
Runtime testing required: ---


Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2020-12-31 23:45:56 UTC
See https://archives.gentoo.org/gentoo-dev/message/2bb16c9fcc53a995936ff9bb73e624ed


Let's update things if possible (can we maybe remove USE=bindist altogether?) before we start suggesting transition from LibreSSL.
Comment 1 Hanno Böck gentoo-dev 2021-01-01 08:04:23 UTC
I'm pretty sure we can remove bindist here.

Looking at what it does it calls the hobble-openssl script, which is supposed to remove various patented features. From the comment:

# Clean out patent-or-otherwise-encumbered code.
# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
# IDEA:  5,214,703 07/01/2012 - expired, we do not remove it anymore
# RC5:   5,724,428 01/11/2015 - expired, we do not remove it anymore
# EC:    ????????? ??/??/2020
# SRP:   ????????? ??/??/2017 - expired, we do not remove it anymore

So most of that is already obsolete for a while, the only remaining thing being Elliptic Curves.

The last ECC patent of concern is this:
https://patents.google.com/patent/US6782100

And it expired 2020.
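An added example, not part of this bug or of the Gentoo ebuild: a POSIX shell script that reports which of the algorithm families hobble-openssl targets (MDC-2, IDEA, RC5 and EC) a given OpenSSL build still exposes. The live check assumes an `openssl` binary on PATH (OpenSSL 1.1 or later; 1.0.2 spells the subcommands `list-cipher-algorithms` and `list-digest-algorithms`). The classifier itself only reads the text output of `openssl list` and `openssl ecparam -list_curves`, so it is also run here against a constructed listing that imitates a hobbled build. SRP is not probed, because `openssl list` does not report it.

```shell
#!/bin/sh
# Added example: report which hobble-openssl algorithm families an OpenSSL
# build exposes. Not from the bug report or the Gentoo ebuild. Assumes
# `openssl` on PATH for live_report; classify_algos works on plain text.

# classify_algos: read algorithm listings on stdin and print one
# "<family> present|absent" line per family. The expected input is the
# concatenated output of
#   openssl list -cipher-algorithms
#   openssl list -digest-algorithms
#   openssl ecparam -list_curves
# On OpenSSL 3.x, IDEA/RC5/MDC-2 live in the legacy provider, so they
# show as absent unless that provider is loaded.
classify_algos() {
    listing=$(cat)
    for family in MDC2 IDEA RC5 EC; do
        case $family in
            MDC2) pat='mdc2' ;;          # digest name printed by `openssl list`
            IDEA) pat='idea-' ;;         # e.g. IDEA-CBC, idea-ecb
            RC5)  pat='rc5-' ;;          # e.g. RC5-CBC
            # any named curve from `ecparam -list_curves` means EC is built in
            EC)   pat='prime256v1|secp[0-9]+[kr]1|brainpoolP[0-9]+[rt]1' ;;
        esac
        if printf '%s\n' "$listing" | grep -Eiq "$pat"; then
            printf '%s present\n' "$family"
        else
            printf '%s absent\n' "$family"
        fi
    done
}

# family_state FAMILY < listing : print just present|absent for one family.
family_state() {
    classify_algos | awk -v f="$1" '$1 == f { print $2 }'
}

# live_report: gather the listings from the installed openssl and classify.
# A failing `ecparam` (the subcommand is missing on an EC-less build) prints
# nothing, which correctly yields "EC absent".
live_report() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found on PATH" >&2
        return 1
    fi
    {
        openssl list -cipher-algorithms 2>/dev/null
        openssl list -digest-algorithms 2>/dev/null
        openssl ecparam -list_curves 2>/dev/null
    } | classify_algos
}

# Constructed sample listing (not real tool output) imitating a hobbled
# build: IDEA, RC5 and MDC-2 are still there (expired patents) but no EC
# curves are listed at all.
SAMPLE_HOBBLED='IDEA-CBC
idea-cbc => IDEA-CBC
RC5-CBC
MDC2
md5
sha256'

# Run the live check when executed directly:  sh hobble_check.sh
if command -v openssl >/dev/null 2>&1; then
    live_report
fi
```

On a stock Gentoo `USE=bindist` build of openssl-1.1 the expected live output is `EC absent` with the other three present; on a non-bindist build all four read `present`.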
Comment 2 Thomas Deutschmann gentoo-dev Security 2021-01-01 15:41:39 UTC
I tend to close this bug as a duplicate of bug 531540 to keep history together.

In the end, the people who decided that we need to add USE=bindist to that package (Foundation, license team) are the only ones who can decide 'this is no longer needed' and nobody else (keep in mind that the hobble patch was added just 'recently' in 2017, so there might be additional reasons, and the quoted note from the hobble patch is from Fedora upstream but does not necessarily reflect the reasons for Gentoo's decision to add USE=bindist for the package a long time ago).
Comment 3 Mike Gilbert gentoo-dev 2021-01-01 16:14:31 UTC
Do we have these mysterious reasons documented anywhere?
Comment 4 Thomas Deutschmann gentoo-dev Security 2021-01-01 18:33:00 UTC
I don't know, and since CVS is gone I also don't know where to start my research at the moment. That's also why I am thinking about merging these bugs and getting attention from people involved in the previous change.
Comment 5 Mike Gilbert gentoo-dev 2021-01-01 20:30:06 UTC
(In reply to Thomas Deutschmann from comment #4)
> I don't know, and since CVS is gone I also don't know where to start my research
> at the moment.

The gentoo-x86 CVS repository was converted to git several years ago.

https://gitweb.gentoo.org/repo/gentoo/historical.git/

> That's also why I am thinking about merging these bugs and
> get attention from people involved in previous change.

Maybe ask for feedback on the other bug and give people 30 days to respond.
Comment 6 Thomas Deutschmann gentoo-dev Security 2021-01-10 00:22:54 UTC
@ Foundation Trustees:

In your meeting from 2017-10-22 as stated in https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bdd5c9e7d6a375e99b3ae89afd4517a3a5786df2 you decided to apply changes to dev-libs/openssl package.

It was now requested to drop USE=bindist because reasons why this was applied (patents?) no longer exist.

Please review, confirm and grant permission to drop USE=bindist to allow base-system to proceed.

Thank you.
Comment 7 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2021-01-10 01:38:48 UTC
(In reply to Thomas Deutschmann from comment #6)
> @ Foundation Trustees:
> 
> In your meeting from 2017-10-22 as stated in
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=bdd5c9e7d6a375e99b3ae89afd4517a3a5786df2 you decided to apply changes to
> dev-libs/openssl package.
> 
> It was now requested to drop USE=bindist because reasons why this was
> applied (patents?) no longer exist.
> 
> Please review, confirm and grant permission to drop USE=bindist to allow
> base-system to proceed.
> 
> Thank you.

Will discuss and get back to you.

-A
Comment 8 Alec Warner archtester Gentoo Infrastructure gentoo-dev Security 2021-01-22 23:37:30 UTC
We are waiting to hear back from Fedora; as we are unlikely to afford our own counsel here, we are likely to take similar action as them.

-A
Comment 9 Ulrich Müller gentoo-dev 2021-01-23 12:52:11 UTC
Since I notice that Trustees aren't in CC of the other bug, repeating the question of bug 531540 comment #62 here also:

Trustees voted in their 2017-10-22 meeting that they are going to talk to Debian:
https://projects.gentoo.org/foundation/2017/20171022.log.txt

[19:44:34] <prometheanfire> patch 1.1, talk to debian, (try to backport for 1.0 OR work on getting 1.1 stable)
[19:44:42] <zlg> yes
[19:44:47] <prometheanfire> yes
[19:44:56] <dabbott> yes
[19:45:14] <kensington> Abstain 
[19:45:16] <zlg> (side note: where is releng? it'd be nice to hear from them)
[19:45:48] <prometheanfire> alicef: ?
[19:45:50] <alicef> abstein
[19:45:52] <prometheanfire> k
[19:45:58] <robbat2> jmbsvicetto has been busy with IRL stuff, so I'm the closest you have to releng here
[19:46:03] <robbat2> as the releng-infra liason
[19:46:11] <prometheanfire> we have quorum

What was the outcome of the "talk to Debian" part?
Comment 10 Sam James archtester gentoo-dev Security 2021-06-16 19:20:05 UTC
ping trustees
Comment 11 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-06-27 22:28:01 UTC
Fedora's legal department has not responded to the inquiry, and Fedora also continues to ship the "hobbled" OpenSSL (USE=bindist):
https://src.fedoraproject.org/rpms/openssl/c/0f5f931f9a64a3fe3221c75ed799914cfd90b0db?branch=rawhide

Since they didn't respond to direct inquiries, I've also filed this RH ticket:
https://bugzilla.redhat.com/show_bug.cgi?id=1976662
Comment 12 Sam James archtester gentoo-dev Security 2021-06-28 01:15:51 UTC
(In reply to Robin Johnson from comment #11)
> [snip]
> Since they didn't respond to direct inquiries, I've also filed this RH ticket:
> https://bugzilla.redhat.com/show_bug.cgi?id=1976662

Thanks a bunch for filing this!

Another note: =dev-libs/openssl-3.0* has lost USE=bindist, but I'm not aware of why.

@base-system: could you let us know? Are the algorithms completely gone (this seems strange but possible)?
Comment 13 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-07-07 04:36:35 UTC
RedHat has closed the ticket and stated we should email a list instead. The list includes mails as recently as last year that denied EC usage.
Comment 14 Hanno Böck gentoo-dev 2021-09-11 13:56:51 UTC
(In reply to Robin Johnson from comment #13)
> RedHat has closed the ticket and stated we should email a list instead. The
> list includes mails as recently as last year that denied EC usage.

The linked post seems to be related to the fact that redhat disables support for brainpool curves in a variety of applications. But there's no explanation given why they do that. This does not seem to be related to the issue we're discussing here.

It seems to me that some people here are waiting for an answer from redhat, but redhat is not willing to give us one.

However I also don't think we need one. These patches were there due to concerns about patents that expired in 2020. They're no longer relevant.
Comment 15 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2021-09-16 03:22:39 UTC
hanno, mgorny:
Redhat's Legal says they still have concerns about enabling EC, and that Fedora/RHEL should NOT ship it yet.

Their concerns are not limited to Brainpool, but cover further parts of EC as well.
Comment 16 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2021-09-16 07:04:24 UTC
(In reply to Robin Johnson from comment #15)
> hanno, mgorny:
> Redhat's Legal says they still have concerns about enabling EC, and that
> Fedora/RHEL should NOT ship it yet.
> 
> Their concerns are not limited to Brainpool, but cover further parts of EC
> as well.

Can they share these concerns, or are these just vague statements?