For discussion of Alpine Linux development and developer support


[alpine-devel] openssl-1.0.2 or libressl ?

Timo Teras
Message ID: <20150203192523.247fbf53@vostro>
Sender timestamp: 1422984323

Hi,

openssl-1.0.2 is out. Upgrading to it will probably mean
recompiling most of the packages.

So I'm wondering should we reconsider libressl at this point? Any
thoughts?

Thanks,
Timo


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---
systmkor
Message ID: <0A02C80E-3B17-41DE-8822-250D7C0DC2E1@gmail.com>
In-Reply-To: <20150203192523.247fbf53@vostro>
Sender timestamp: 1422984571

> So I'm wondering should we reconsider libressl at this point? Any
> thoughts?

My vote is that we stick with openssl for version 1.0.2 but start the process to move to libressl. Even if we don’t move to it officially, it would be nice as an alternative.



Orion
Message ID: <20150205021034.1db748e3@twinpeaks.my.domain>
In-Reply-To: <20150205103440.3f456d65@vostro>
Sender timestamp: 1423131034

On Thu, 5 Feb 2015 10:34:40 +0200
Timo Teras <timo.teras@iki.fi> wrote:

> I'm wondering if I should push this to testing, and let it be there
> for few weeks until updating the package in main.

I did push a LibreSSL package a while ago but I think I put the wrong
name and never got around to fixing it. Go for it.

I would like to note that this is definitely a perfect case where
properties of the nix package manager excel. Since for example one
commonly used program (e.g. nginx) wasn't going to change to work with
OpenSSL for another year. With current style you would either move to
LibreSSL and break a future desire to use nginx. With a nix style you
could just keep nginx using OpenSSL until it can be changed but all other
packages that can use LibreSSL can be upgraded without any full system
issues.

-- 
keybase.io/systmkor


Timo Teras
Message ID: <20150205103440.3f456d65@vostro>
In-Reply-To: <0A02C80E-3B17-41DE-8822-250D7C0DC2E1@gmail.com>
Sender timestamp: 1423125280

On Tue, 3 Feb 2015 09:29:31 -0800
systmkor <systmkor@gmail.com> wrote:

> 
> > So I'm wondering should we reconsider libressl at this point? Any
> > thoughts?
> 
> My vote is that we stick with openssl for version 1.0.2 but start the
> process to move to libressl. Even if we don’t move to it officially,
> it would be nice as an alternative.

Agreed. And I just realized that 1.0.2 is ABI compatible with 1.0.1 and
1.0.0. So no recompiles should be needed.

Find attached the upgrade commit. All patches are rebased, they ran
openssl source code through indent. Also c_rehash is updated to be
smarter.

I'm wondering if I should push this to testing, and let it be there for
few weeks until updating the package in main.

/Timo
Natanael Copa
Message ID: <20150206145315.3d996f20@ncopa-laptop>
In-Reply-To: <20150205103440.3f456d65@vostro>
Sender timestamp: 1423230795

On Thu, 5 Feb 2015 10:34:40 +0200
Timo Teras <timo.teras@iki.fi> wrote:

> On Tue, 3 Feb 2015 09:29:31 -0800
> systmkor <systmkor@gmail.com> wrote:
> 
> > 
> > > So I'm wondering should we reconsider libressl at this point? Any
> > > thoughts?
> > 
> > My vote is that we stick with openssl for version 1.0.2 but start the
> > process to move to libressl. Even if we don’t move to it officially,
> > it would be nice as an alternative.
> 
> Agreed. And I just realized that 1.0.2 is ABI compatible with 1.0.1 and
> 1.0.0. So no recompiles should be needed.
> 
> Find attached the upgrade commit. All patches are rebased, they ran
> openssl source code through indent. Also c_rehash is updated to be
> smarter.
> 
> I'm wondering if I should push this to testing, and let it be there for
> few weeks until updating the package in main.

We normally don't do that when ABI is compatible. I think you can push
it to main if you first do basic testing, e.g. verify that apk does not
completely break, test s_client against some server and test some
application like curl or equivalent that https is not totally broken.

Move it to testing first if you think there is some reason to
believe that it might break things or if you know that you will not be
able to quickly fix any potential breakages.

-nc

> 
> /Timo
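
Added example (not part of the original thread or of Alpine's tooling): an offline version of the basic testing Natanael Copa describes above, exercising `s_client` and curl against a local `openssl s_server`. The function name, port and throwaway certificate are assumptions; the `apk` check is left out because it needs a network repository.

```shell
#!/bin/sh
# Offline TLS smoke test for a freshly upgraded openssl package.
# Usage: tls_smoke_test [port]
# Returns 0 on success, 1 on failure, 77 if openssl or curl is not installed.
tls_smoke_test() {
    command -v openssl >/dev/null 2>&1 || return 77
    command -v curl >/dev/null 2>&1 || return 77
    port=${1:-14433}                      # hypothetical free local port
    dir=$(mktemp -d) || return 1
    # Throwaway self-signed certificate for "localhost" (constructed test data).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 \
        || { rm -rf "$dir"; return 1; }
    # Minimal HTTPS responder built on the library under test.
    openssl s_server -accept "$port" -www \
        -cert "$dir/cert.pem" -key "$dir/key.pem" >/dev/null 2>&1 &
    srv=$!
    rc=1
    i=0
    while [ "$i" -lt 10 ]; do             # retry until the server is listening
        # Handshake check: the chain must verify against our own certificate.
        if openssl s_client -connect "127.0.0.1:$port" \
               -CAfile "$dir/cert.pem" </dev/null 2>/dev/null \
               | grep -q 'Verify return code: 0 (ok)'; then
            rc=0
            break
        fi
        i=$((i + 1))
        sleep 1
    done
    # Application check: curl must fetch a page with verification enabled.
    if [ "$rc" -eq 0 ]; then
        curl -fsS --max-time 10 --cacert "$dir/cert.pem" \
            --resolve "localhost:$port:127.0.0.1" \
            "https://localhost:$port/" >/dev/null 2>&1 || rc=1
    fi
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    rm -rf "$dir"
    return "$rc"
}
```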



Natanael Copa
Message ID: <20150206150058.7e3d2e9b@ncopa-laptop>
In-Reply-To: <20150203192523.247fbf53@vostro>
Sender timestamp: 1423231258

On Tue, 3 Feb 2015 19:25:23 +0200
Timo Teras <timo.teras@iki.fi> wrote:

> Hi,
> 
> openssl-1.0.2 is out. Upgrading to it will probably mean
> recompiling most of the packages.
> 
> So I'm wondering should we reconsider libressl at this point? Any
> thoughts?

I don't want Alpine to jump on every new hype that appears in media.
libressl is still young so I think it would be wait a bit more to see if
it is something that will stay.

I think it would be nice to have libressl in testing though so we have
something to compare with.

Thanks.

-nc




> 
> Thanks,
> Timo



Orion
Message ID: <20150206170613.2b9645ee@twinpeaks.my.domain>
In-Reply-To: <20150206150058.7e3d2e9b@ncopa-laptop>
Sender timestamp: 1423271173

On Fri, 6 Feb 2015 15:00:58 +0100
Natanael Copa <ncopa@alpinelinux.org> wrote:

> I don't want Alpine to jump on every new hype that appears in media.

I fully agree. I should have conveyed that I always want us to vet to
the best of our ability changes to Alpine (e.g. code, libraries,
packages, design, etc.).


> libressl is still young so I think it would be wait a bit more to see
> if it is something that will stay.

LibreSSL is young as a project but, as I understand it, it isn't a
rewrite of OpenSSL from scratch. At the moment it is much more an
audited & patched version of OpenSSL than a 'new SSL' library. They
started by just hacking out as much outdated, useless, and crappy code
as they could. Then replacing terrible code with good audited code.


> I think it would be nice to have libressl in testing though so we have
> something to compare with.

I agree that it should be in testing and vetted before any actual
changes are made to the mainline. However I think this would be a
time for us to create a repo to house automated tests for aports,
starting with LibreSSL.

-- 
keybase.io/systmkor


Daniel Cegiełka
Message ID: <CAPLrYERnKKeSDz+opLxda_wdjJ2c9Kh=+p5ug+OfussFCg10zA@mail.gmail.com>
In-Reply-To: <20150206170613.2b9645ee@twinpeaks.my.domain>
Sender timestamp: 1423994185

Take into account that people from OpenBSD are promoting libtls
instead of raw openssl headers. If tomorrow you want to use e.g. the new
version of OpenNTPD, then you will have to use LibreSSL or at least
libtls.

http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/Makefile?rev=1.13&content-type=text/x-cvsweb-markup
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/constraint.c?rev=1.1&content-type=text/x-cvsweb-markup

http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man3/tls_accept_socket.3?query=tls_init&sec=3

Daniel

