Date: Thu, 25 Oct 2018 10:44:50 +0200
From: Natanael Copa
To: William Pitcock
Cc: alpine-dev
Subject: Re: [alpine-devel] Re: openssl 1.1 support

On Thu, 25 Oct 2018 10:35:50 +0200
Natanael Copa wrote:

> On Wed, 24 Oct 2018 18:47:51 -0500
> William Pitcock wrote:
>
> ...
>
> > > There are also some patches that Fedora uses that we may want. Some of
> > > Fedora's patches are for multilib and FIPS support, which I don't think
> > > we care about (yet), but there are some that replace getenv() with
> > > secure_getenv().
> >
> > I do not think musl has secure_getenv(3) yet.
>
> We don't, but it's relatively easy to implement the same functionality:
>
> inline char *secure_getenv(const char *name) {
>     return getauxval(AT_SECURE) ? NULL : getenv(name);
> }
>
> I think it may be good that we do that so that nobody gets a nasty
> surprise if a suid binary is linked to openssl.

It seems that they have applied something to solve that upstream:
https://github.com/openssl/openssl/commit/79c2c741303ed188214b9299a51c837635f7e9a8

I guess we can backport that.

-nc
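The fallback discussed in this message, written out as an added example (not code from the thread, musl or OpenSSL). It goes one step beyond the quoted three-liner by handling the case where AT_SECURE is absent from the auxiliary vector; the names process_is_secure, getenv_unless_secure and compat_secure_getenv are hypothetical, and the code assumes Linux with <sys/auxv.h>.

```c
/* Added example: secure_getenv(3)-style fallback for a libc that lacks it. */
#include <errno.h>
#include <stdlib.h>
#include <sys/auxv.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 if the kernel marked this exec as
 * privileged (AT_SECURE is set for setuid/setgid binaries, file
 * capabilities, or an LSM request), otherwise 0. */
static int process_is_secure(void)
{
    errno = 0;
    unsigned long at_secure = getauxval(AT_SECURE);
    if (at_secure == 0 && errno == ENOENT) {
        /* AT_SECURE is missing from the auxiliary vector, so 0 means
         * "unknown", not "safe". Fall back to comparing real and
         * effective IDs. */
        return getuid() != geteuid() || getgid() != getegid();
    }
    return at_secure != 0;
}

/* Pure decision step, split out so both branches can be exercised
 * without installing a setuid binary. */
static char *getenv_unless_secure(const char *name, int secure)
{
    return secure ? NULL : getenv(name);
}

/* Hypothetical name chosen to avoid clashing with glibc's secure_getenv. */
static char *compat_secure_getenv(const char *name)
{
    return getenv_unless_secure(name, process_is_secure());
}

int main(void)
{
    /* Constructed sample value, for illustration only. */
    setenv("DEMO_CONF", "/tmp/demo.cnf", 1);
    /* Exit status 0 when the variable is honoured (unprivileged run),
     * 1 when it is ignored because the process is privileged. */
    return compat_secure_getenv("DEMO_CONF") ? 0 : 1;
}
```

The ID comparison is only a fallback: it does not detect file capabilities, which is why AT_SECURE is checked first.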