GNU bug report logs

#46602 Removing OpenSSL 1.0

PackageSource(s)Maintainer(s)
guix PTS Buildd Popcon
Reply or subscribe to this bug. View this bug as an mbox, status mbox, or maintainer mbox

Report forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Wed, 17 Feb 2021 21:27:01 GMT) (full text, mbox, link).


Acknowledgement sent to Leo Famulari <leo@famulari.name>:
New bug report received and forwarded. Copy sent to bug-guix@gnu.org. (Wed, 17 Feb 2021 21:27:01 GMT) (full text, mbox, link).


Message #5 received at submit@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: bug-guix@gnu.org
Subject: Removing OpenSSL 1.0
Date: Wed, 17 Feb 2021 16:26:36 -0500
OpenSSL 1.0 is no longer supported as free software. As research
continues, new bugs are discovered and there are no fixes available.

We should remove it soon. Since Qt 4 depends on it, we can remove them
at the same time [0].

Some packages will probably have to be removed, since they depend on
OpenSSL 1.0 and have not been updated to use more recent versions.

OpenSSL 1.0 is used in the Rust bootstrap, unfortunately, so we will
have to preserve some package of it, but it will be hidden.

Any thoughts?

[0] https://bugs.gnu.org/45704




Added tag(s) security. Request was from Ludovic Courtès <ludo@gnu.org> to control@debbugs.gnu.org. (Mon, 22 Feb 2021 09:16:03 GMT) (full text, mbox, link).


Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Thu, 25 Feb 2021 19:02:02 GMT) (full text, mbox, link).


Message #10 received at 46602@debbugs.gnu.org (full text, mbox, reply):

From: zimoun <zimon.toutoune@gmail.com>
To: Leo Famulari <leo@famulari.name>
Cc: 46602@debbugs.gnu.org
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Thu, 25 Feb 2021 20:01:22 +0100
Hi Leo,

On Wed, 17 Feb 2021 at 22:43, Leo Famulari <leo@famulari.name> wrote:
>
> OpenSSL 1.0 is no longer supported as free software. As research
> continues, new bugs are discovered and there are no fixes available.
>
> We should remove it soon. Since Qt 4 depends on it, we can remove them
> at the same time [0].
>
> Some packages will probably have to be removed, since they depend on
> OpenSSL 1.0 and have not been updated to use more recent versions.
>
> OpenSSL 1.0 is used in the Rust bootstrap, unfortunately, so we will
> have to preserve some package of it, but it will be hidden.

Well, it needs some care I guess.

$ guix refresh -l openssl@1.0
Building the following 1930 packages would ensure 2048 dependent
packages are rebuilt

On the other hand, grepping for "openssl-1.0" returns:

16 matches
12 files contained matches
1522 files searched

File: distributed.scm
File: networking.scm
File: databases.scm
File: rust.scm
File: web-browsers.scm
File: android.scm
File: web.scm
File: crypto.scm
File: messaging.scm
File: ntp.scm
File: crates-io.scm
File: qt.scm

Therefore, a good start seems to try to build all the 16 packages
depending on openssl@1.0 with openssl@1.1.  And mark them with a
comment if they fail.  But I guess that openssl@1.0 is a strong
requirement for these 16 packages.

For instance, the package psyclpc (gnu packages messaging) could be
removed since it does not build and use openssl@1.0.

Cheers,
simon




Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Tue, 13 Jul 2021 16:55:01 GMT) (full text, mbox, link).


Message #13 received at 46602@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: zimoun <zimon.toutoune@gmail.com>
Cc: 46602@debbugs.gnu.org
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Tue, 13 Jul 2021 12:54:03 -0400
Here are my notes on the users of the openssl-1.0 package:

> File: networking.scm

pidentd:
Does not build with current OpenSSL, no newer releases or development
No dependents

vde2:
Does not build with current OpenSSL.
Dependency changed to WolfSSL (unpackaged):
https://github.com/virtualsquare/vde-2/issues/2
Depended on by QEMU but not qemu-minimal (optional):

> File: web.scm

cadaver:
Does not build with current OpenSSL
Last release in 2009
No dependents

> File: web-browsers.scm

dillo:
Does not build with current OpenSSL
Status? https://www.dillo.org/Plans.html
No dependents

> File: android.scm

adb:
Does not build with current OpenSSL
Surely there is a new version of adb that supports the current OpenSSL.
Depended on by fastboot

> File: crypto.scm

eschalot:
Does not build with current OpenSSL, no newer releases or development
No dependents

> File: messaging.scm

psyclpc:
Does not build with current OpenSSL
No dependents

> File: ntp.scm

tlsdate:
Does not build with current OpenSSL. Forked by ChromiumOS as the project
is abandoned:
https://github.com/ioerror/tlsdate/issues/199
No dependents

> File: rust.scm
> File: crates-io.scm

For the Rust bootstrap, we can keep openssl-1.0 as a hidden-package.
Help wanted dealing with the crates that depend on openssl-1.0.




Added blocking bug(s) 49556 Request was from Leo Famulari <leo@famulari.name> to control@debbugs.gnu.org. (Tue, 13 Jul 2021 23:02:01 GMT) (full text, mbox, link).


Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Tue, 13 Jul 2021 23:05:01 GMT) (full text, mbox, link).


Message #18 received at 46602@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: zimoun <zimon.toutoune@gmail.com>
Cc: 46602@debbugs.gnu.org
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Tue, 13 Jul 2021 19:03:54 -0400
On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:
> vde2:
> Does not build with current OpenSSL.
> Dependency changed to WolfSSL (unpackaged):
> https://github.com/virtualsquare/vde-2/issues/2
> Depended on by QEMU but not qemu-minimal (optional):

This is addressed by <https://bugs.gnu.org/49556>.




Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Tue, 20 Jul 2021 18:57:02 GMT) (full text, mbox, link).


Message #21 received at 46602@debbugs.gnu.org (full text, mbox, reply):

From: Efraim Flashner <efraim@flashner.co.il>
To: Leo Famulari <leo@famulari.name>
Cc: 46602@debbugs.gnu.org, zimoun <zimon.toutoune@gmail.com>
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Tue, 20 Jul 2021 21:55:45 +0300
[Message part 1 (text/plain, inline)]
On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:
> Here are my notes on the users of the openssl-1.0 package:
> 
> > File: web-browsers.scm
> 
> dillo:
> Does not build with current OpenSSL
> Status? https://www.dillo.org/Plans.html
> No dependents

This one confuses me. I was able to build dillo with both openssl and
openssl-1.0, but I was unable to open that page with either version.

> > File: rust.scm
> > File: crates-io.scm
> 
> For the Rust bootstrap, we can keep openssl-1.0 as a hidden-package.
> Help wanted dealing with the crates that depend on openssl-1.0.
> 

I can poke those I guess, see what we can drop openssl-1.0 as an input
for and see if anything breaks.

-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Tue, 20 Jul 2021 19:09:01 GMT) (full text, mbox, link).


Message #24 received at 46602@debbugs.gnu.org (full text, mbox, reply):

From: Efraim Flashner <efraim@flashner.co.il>
To: Leo Famulari <leo@famulari.name>, zimoun <zimon.toutoune@gmail.com>, 46602@debbugs.gnu.org
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Tue, 20 Jul 2021 22:06:59 +0300
[Message part 1 (text/plain, inline)]
On Tue, Jul 20, 2021 at 09:55:45PM +0300, Efraim Flashner wrote:
> On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:
> > Here are my notes on the users of the openssl-1.0 package:
> 
> > > File: rust.scm
> > > File: crates-io.scm
> > 
> > For the Rust bootstrap, we can keep openssl-1.0 as a hidden-package.
> > Help wanted dealing with the crates that depend on openssl-1.0.
> > 
> 
> I can poke those I guess, see what we can drop openssl-1.0 as an input
> for and see if anything breaks.

They were only needed for the rust-sha1@0.2 test suite, so easy to
remove and nothing broke.


-- 
Efraim Flashner   <efraim@flashner.co.il>   אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Wed, 04 Aug 2021 01:05:02 GMT) (full text, mbox, link).


Message #27 received at 46602@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: Efraim Flashner <efraim@flashner.co.il>, zimoun <zimon.toutoune@gmail.com>, 46602@debbugs.gnu.org
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Tue, 3 Aug 2021 21:04:26 -0400
On Tue, Jul 20, 2021 at 09:55:45PM +0300, Efraim Flashner wrote:
> On Tue, Jul 13, 2021 at 12:54:03PM -0400, Leo Famulari wrote:
> > dillo:
> > Does not build with current OpenSSL
> > Status? https://www.dillo.org/Plans.html
> > No dependents
> 
> This one confuses me. I was able to build dillo with both openssl and
> openssl-1.0, but I was unable to open that page with either version.

I built Dillo with OpenSSL 1.1 and saw this in the output of the
'configure' phase:

------
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking for SSL_library_init in -lssl... no
configure: WARNING: *** No libssl found. Disabling ssl support.***
------

So, it builds but lacks TLS / HTTPS support.

I think we should either remove OpenSSL as a dependency of Dillo, or
remove Dillo altogether. It's a simple package definition and Dillo
users can use it in a private channel, or maybe it could be added to
guix-past.




Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Wed, 04 Aug 2021 01:11:01 GMT) (full text, mbox, link).


Message #30 received at 46602@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: Efraim Flashner <efraim@flashner.co.il>, zimoun <zimon.toutoune@gmail.com>, 46602@debbugs.gnu.org
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Tue, 3 Aug 2021 21:10:12 -0400
On Tue, Aug 03, 2021 at 09:04:26PM -0400, Leo Famulari wrote:
> I think we should either remove OpenSSL as a dependency of Dillo, or
> remove Dillo altogether. It's a simple package definition and Dillo
> users can use it in a private channel, or maybe it could be added to
> guix-past.

I sent a patch to remove Dillo:

<https://bugs.gnu.org/49859>




Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Wed, 04 Aug 2021 01:29:01 GMT) (full text, mbox, link).


Message #33 received at 46602@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: Efraim Flashner <efraim@flashner.co.il>, zimoun <zimon.toutoune@gmail.com>, 46602@debbugs.gnu.org
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Tue, 3 Aug 2021 21:27:43 -0400
On Tue, Aug 03, 2021 at 09:10:12PM -0400, Leo Famulari wrote:
> I sent a patch to remove Dillo:
> 
> <https://bugs.gnu.org/49859>

Actually, I went ahead and sent some followup patches to remove
everything else, too. Except for VDE-2, which there is a patch for.




Added blocking bug(s) 49859 Request was from Leo Famulari <leo@famulari.name> to control@debbugs.gnu.org. (Wed, 11 Aug 2021 17:59:02 GMT) (full text, mbox, link).


Added blocking bug(s) 50029 Request was from "Leo Famulari" <leo@famulari.name> to control@debbugs.gnu.org. (Sun, 15 Aug 2021 17:44:01 GMT) (full text, mbox, link).


Reply sent to Leo Famulari <leo@famulari.name>:
You have taken responsibility. (Sun, 15 Aug 2021 22:13:01 GMT) (full text, mbox, link).


Notification sent to Leo Famulari <leo@famulari.name>:
bug acknowledged by developer. (Sun, 15 Aug 2021 22:13:01 GMT) (full text, mbox, link).


Message #42 received at 46602-done@debbugs.gnu.org (full text, mbox, reply):

From: Leo Famulari <leo@famulari.name>
To: Efraim Flashner <efraim@flashner.co.il>, zimoun <zimon.toutoune@gmail.com>, 46602-done@debbugs.gnu.org
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Sun, 15 Aug 2021 18:12:15 -0400
With commit 12099eac1b161d364be923451d27d7d739d0f14d, nothing is using
openssl-1.0 except for the Rust bootstrap.

If I understand correctly, the plan is to "upgrade" that bootstrap path,
and eventually we won't need a package of openssl-1.0 at all.

I'm marking this bug as done.




Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Tue, 31 Aug 2021 09:47:01 GMT) (full text, mbox, link).


Message #45 received at 46602-done@debbugs.gnu.org (full text, mbox, reply):

From: zimoun <zimon.toutoune@gmail.com>
To: Leo Famulari <leo@famulari.name>, Efraim Flashner <efraim@flashner.co.il>, 46602-done@debbugs.gnu.org
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Tue, 31 Aug 2021 11:27:45 +0200
Hi Leo,

On Sun, 15 Aug 2021 at 18:12, Leo Famulari <leo@famulari.name> wrote:
> With commit 12099eac1b161d364be923451d27d7d739d0f14d, nothing is using
> openssl-1.0 except for the Rust bootstrap.
>
> If I understand correctly, the plan is to "upgrade" that bootstrap path,
> and eventually we won't need a package of openssl-1.0 at all.
>
> I'm marking this bug as done.

Cool!  Thanks for the work.

On a side sad note, I point that 168 packages not named ’rust’ depends
somehow on ’rust’.

        $ guix refresh -l -e '(@@ (gnu packages tls) openssl-1.0)' \
               | sed 's/ /\n/g' | grep '@' \
               | grep -v rust | wc -l
        168

And I am surprised that ’mplayer’ or ’guile-gnunet’ appears there.
Well, I am also surprised that “guix graph” does not report it.

--8<---------------cut here---------------start------------->8---
$ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)'
guix graph: erreur : pas de chemin de « guile-gnunet@0.0-1.d12167a » à « openssl@1.0.2u »
--8<---------------cut here---------------end--------------->8---

Maybe I miss something somewhere.

Cheers,
simon




Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Tue, 31 Aug 2021 10:01:01 GMT) (full text, mbox, link).


Message #48 received at 46602-done@debbugs.gnu.org (full text, mbox, reply):

From: Efraim Flashner <efraim@flashner.co.il>
To: zimoun <zimon.toutoune@gmail.com>
Cc: 46602-done@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Tue, 31 Aug 2021 12:57:37 +0300
[Message part 1 (text/plain, inline)]
On Tue, Aug 31, 2021 at 11:27:45AM +0200, zimoun wrote:
> Hi Leo,
> 
> On Sun, 15 Aug 2021 at 18:12, Leo Famulari <leo@famulari.name> wrote:
> > With commit 12099eac1b161d364be923451d27d7d739d0f14d, nothing is using
> > openssl-1.0 except for the Rust bootstrap.
> >
> > If I understand correctly, the plan is to "upgrade" that bootstrap path,
> > and eventually we won't need a package of openssl-1.0 at all.
> >
> > I'm marking this bug as done.
> 
> Cool!  Thanks for the work.
> 
> On a side sad note, I point that 168 packages not named ’rust’ depends
> somehow on ’rust’.
> 
>         $ guix refresh -l -e '(@@ (gnu packages tls) openssl-1.0)' \
>                | sed 's/ /\n/g' | grep '@' \
>                | grep -v rust | wc -l
>         168
> 
> And I am surprised that ’mplayer’ or ’guile-gnunet’ appears there.
> Well, I am also surprised that “guix graph” does not report it.
> 
> --8<---------------cut here---------------start------------->8---
> $ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)'
> guix graph: erreur : pas de chemin de « guile-gnunet@0.0-1.d12167a » à « openssl@1.0.2u »
> --8<---------------cut here---------------end--------------->8---
> 
> Maybe I miss something somewhere.
> 

`git grep \,openssl-1.0' only shows one entry.

The others probably come through ffmpeg (through rav1e) or rust-cbindgen
or otherwise actually depend on some other compiled rust library. Not
sure where gnunet comes from though.

-- 
Efraim Flashner   <efraim@flashner.co.il>   רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D  14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[signature.asc (application/pgp-signature, inline)]

Information forwarded to bug-guix@gnu.org:
bug#46602; Package guix. (Tue, 31 Aug 2021 10:48:02 GMT) (full text, mbox, link).


Message #51 received at 46602-done@debbugs.gnu.org (full text, mbox, reply):

From: zimoun <zimon.toutoune@gmail.com>
To: Efraim Flashner <efraim@flashner.co.il>
Cc: 46602-done@debbugs.gnu.org, Leo Famulari <leo@famulari.name>
Subject: Re: bug#46602: Removing OpenSSL 1.0
Date: Tue, 31 Aug 2021 12:31:17 +0200
Hi,

On Tue, 31 Aug 2021 at 12:57, Efraim Flashner <efraim@flashner.co.il> wrote:
> On Tue, Aug 31, 2021 at 11:27:45AM +0200, zimoun wrote:

>> --8<---------------cut here---------------start------------->8---
>> $ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)'
>> guix graph: erreur : pas de chemin de « guile-gnunet@0.0-1.d12167a » à « openssl@1.0.2u »
>> --8<---------------cut here---------------end--------------->8---
>> 
>> Maybe I miss something somewhere.
>> 
>
> `git grep \,openssl-1.0' only shows one entry.
>
> The others probably come through ffmpeg (through rav1e) or rust-cbindgen
> or otherwise actually depend on some other compiled rust library. Not
> sure where gnunet comes from though.

Yeah, what I missed was the type for “guix graph”. :-)

--8<---------------cut here---------------start------------->8---
$ guix graph --path guile-gnunet -e '(@@ (gnu packages tls) openssl-1.0)' -t bag-emerged
guile-gnunet@0.0-1.d12167a
gnunet@0.13.1
libextractor@1.11
ffmpeg@4.4
rav1e@0.4.1
rust@1.45.2
rust@1.44.1
rust@1.43.0
rust@1.42.0
rust@1.41.1
rust@1.40.0
rust@1.39.0
rust@1.38.0
rust@1.37.0
rust@1.36.0
rust@1.35.0
rust@1.34.1
rust@1.33.0
rust@1.32.0
rust@1.31.1
rust@1.30.1
rust@1.29.2
rust@1.28.0
rust@1.27.2
rust@1.26.2
rust@1.25.0
openssl@1.0.2u
--8<---------------cut here---------------end--------------->8---


Cheers,
simon




bug archived. Request was from Debbugs Internal Request <help-debbugs@gnu.org> to internal_control@debbugs.gnu.org. (Tue, 28 Sep 2021 11:24:05 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


debbugs.gnu.org maintainers <help-debbugs@gnu.org>. Last modified: Sun Dec 22 06:04:38 2024; Machine Name: wallace-server

GNU bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.