Date: Wed, 24 Oct 2018 20:38:10 +0300
From: Timo Teras
To: Natanael Copa
Cc: William Pitcock, Alpine Development
Subject: [alpine-devel] Re: openssl 1.1 support

On Wed, 24 Oct 2018 17:19:50 +0200
Natanael Copa wrote:

> I didn't remember that I already had done testing/openssl1.1 so I
> re-did the work as testing/openssl. I think I'm losing it... :-/
>
> The plan is now to merge main/openssl1.0, testing/openssl1.1 and
> testing/openssl into a single main/openssl, rebuild all packages that
> currently are linked to libssl against openssl, and finally move
> main/libressl to community/libressl.

Thanks. Sounds like a plan.

> I have currently disabled weak crypto in openssl configure, I am not
> sure we need any of those, so I would appreciate some feedback there.
> I have also built it with no-async for now, but I think we may need
> to enable it for nodejs.

Ok. no-async should work with libucontext. Need to figure out how to
ship libucontext - as per-package dependency+extra LIBS flag; or
somehow sneak it into libc-dev?

> Timo, Do you think you can help with adding support for openssl 1.1
> to apk-tools? Can you also look over the patch list[1] and see if
> there are some of those patches that we need? I suspect we need
> 0004-fix-default-ca-path-for-apps.patch[2], but it would be nice if
> you can confirm that.

Ok. Yes, they made some structs hidden, so need to go through the code
to allocate those dynamically. I'll work on this. Not sure if I get it
done this week - I'll try, but it may be early next week at worst case
when I get to this.

I'll look at the patches too. From the top of my head, I think we don't
need 100[1-4], they target VIA Padlock. I used to do them for a specific
need, but I don't need them anymore.

0003-use-termios.patch is not needed if it builds.

0004 we may need. To double check.

0009 we may need, it can be verified by checking rpath of
libraries/openssl binary with readelf. Though, they seem to have
revamped the build system so this needs to be checked.

0010-ssl-env-zlib.patch seems to be fixed upstream, by disabling
compression explicitly. You need an explicit openssl api call now to
enable ssl/tls compression. Not worth adding our environment var there
to not add surprises to user.

> There are also some patches that fedora uses that we may want. Some of
> fedoras patches are for multilib and FIPS support, which I don't think
> we care about (yet), but there are some that replace getenv() with
> secure_getenv(). I think we may want to do something similar. It would
> be nice if you can help me look over their patches[3] and let me know
> which ones of them you think we should take.
>
> Timo, do you want to continue to be listed as the maintainer for
> openssl? I will still help with the full "world" rebuild against
> openssl 1.1.

I can help with the work. I have been updating it and reviewing update
patches occasionally. But it seems others have made it before me
several times. I've been recently working on a few other things.

Thanks for this effort and making things go forward!

Timo
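
Added example, not part of the original message or of Alpine's packaging scripts: one way to do the readelf rpath check mentioned for patch 0009, by parsing `readelf -d` output and flagging any RPATH/RUNPATH entry outside an expected set. The trusted directory list, the function names and the sample dynamic-section lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumption: the only library search paths a packaged binary should carry.
TRUSTED_DIRS="/lib /usr/lib"

# stdin: `readelf -d` output. stdout: one RPATH/RUNPATH entry per line.
rpath_entries() {
    awk '/\((RPATH|RUNPATH)\)/ {
        if (match($0, /\[.*\]/)) {
            s = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(s, parts, ":")
            for (i = 1; i <= n; i++) {
                e = parts[i]
                if (e == "") e = "<empty>"   # keep empty components visible
                print e
            }
        }
    }'
}

# stdin: `readelf -d` output. Prints entries not in TRUSTED_DIRS;
# returns 1 if there are any, 0 if the rpath is clean or absent.
unexpected_rpaths() {
    bad=$(rpath_entries | while IFS= read -r entry; do
        ok=0
        for d in $TRUSTED_DIRS; do
            [ "$entry" = "$d" ] && ok=1
        done
        [ "$ok" -eq 1 ] || printf '%s\n' "$entry"
    done)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Real use: audit one ELF file (needs readelf from binutils).
check_elf() {
    readelf -d "$1" | unexpected_rpaths
}

# Constructed sample of `readelf -d` lines: a build directory left in RPATH.
SAMPLE=' 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.1]
 0x000000000000000f (RPATH)              Library rpath: [/usr/lib:/tmp/build/openssl/lib]'

if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        check_elf "$f" || echo "^ unexpected rpath in $f"
    done
else
    printf '%s\n' "$SAMPLE" | unexpected_rpaths || echo "^ unexpected rpath in constructed sample"
fi
```

Pass the installed libssl, libcrypto and openssl binary paths as arguments to audit real files; with no arguments the script runs on the constructed sample.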