[opensuse-factory] New package: libressl
can you please introduce the package on factory ml?
LibreSSL is a fork of OpenSSL which has been stripped of old, unused code and code for defunct/historic OSes. The plan is increased auditability and security. (You probably already heard in the news.) There is a conference video on LibreSSL at http://www.youtube.com/watch?v=GnBbhXBDmwU for interested parties. From that presentation, I also gather: - openssl implements its own meomry allocator which defeats valgrind's memory leack checker because that allocator never frees anything - new features added to libressl: ChaCha stream cipher, poly1305 (MAC) Packaging-wise, I find the style of libressl(-portable) to be a win over openssl. It is autotooled and needs just a quarter of the instructions found in openssl.spec.
I don't see any motivation why we need yet another ssl implementation
There are certainly factors that would make a package unfit for inclusion, like unacceptable license, or overly trivial software, obvious trash software, or certain unmaintained software. LibreSSL does not fail at any of these basic checks. Other than that, I remember it such that openSUSE became open to all submissions and dropped the requirement that the package had to be useful _for the distribution_ (rather than the user). tl;dr: libressl makes a lot of people sleep better at night. ;) -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Fri, Jul 18, 2014 at 10:29:27AM +0200, Jan Engelhardt wrote:
can you please introduce the package on factory ml?
LibreSSL is a fork of OpenSSL which has been stripped of old, unused code and code for defunct/historic OSes. The plan is increased auditability and security. (You probably already heard in the news.)
There is a conference video on LibreSSL at http://www.youtube.com/watch?v=GnBbhXBDmwU for interested parties. From that presentation, I also gather:
- openssl implements its own meomry allocator which defeats valgrind's memory leack checker because that allocator never frees anything - new features added to libressl: ChaCha stream cipher, poly1305 (MAC)
Packaging-wise, I find the style of libressl(-portable) to be a win over openssl. It is autotooled and needs just a quarter of the instructions found in openssl.spec.
I don't see any motivation why we need yet another ssl implementation
There are certainly factors that would make a package unfit for inclusion, like unacceptable license, or overly trivial software, obvious trash software, or certain unmaintained software. LibreSSL does not fail at any of these basic checks.
Other than that, I remember it such that openSUSE became open to all submissions and dropped the requirement that the package had to be useful _for the distribution_ (rather than the user).
It is a crypto library which was hastily cleaned up, as evidenced by the discussion about randomness handling. I would suggest to first let it mature some months before we start using it. We can include the package to Factory, but I strongly recommend not to switch programs to use it at this time. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 18.07.2014 10:29, Jan Engelhardt wrote:
I don't see any motivation why we need yet another ssl implementation
There are certainly factors that would make a package unfit for inclusion, like unacceptable license, or overly trivial software, obvious trash software, or certain unmaintained software. LibreSSL does not fail at any of these basic checks.
Other than that, I remember it such that openSUSE became open to all submissions and dropped the requirement that the package had to be useful _for the distribution_ (rather than the user).
I didn't say that. But you didn't say how it's useful to you. Greetings, Stephan -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Friday 2014-07-18 11:33, Stephan Kulow wrote:
I don't see any motivation why we need yet another ssl implementation You didn't say how it's useful to you.
<upstream hat on> To evaluate it as a replacement for openssl. There are a number of software packages (pam_mount, ccgfs, vitalnix, circumference) that use libcrypto in some form or another. </> -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
El 18/07/14 04:29, Jan Engelhardt escribió:
can you please introduce the package on factory ml?
LibreSSL is a fork of OpenSSL which has been stripped of old, unused code and code for defunct/historic OSes. The plan is increased auditability and security. (You probably already heard in the news.)
There is a conference video on LibreSSL at http://www.youtube.com/watch?v=GnBbhXBDmwU for interested parties. From that presentation, I also gather:
- openssl implements its own meomry allocator which defeats valgrind's memory leack checker because that allocator never frees anything
I already fixed that in the openSSL package.. it is built without this horrible hack.
- new features added to libressl: ChaCha stream cipher, poly1305 (MAC)
This will appear in future versions of openSSL as well. -- Cristian "I don't know the key to success, but the key to failure is trying to please everybody." -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 El 2014-07-18 a las 10:29 +0200, Jan Engelhardt escribió:
LibreSSL is a fork of OpenSSL which has been stripped of old, unused code and code for defunct/historic OSes.
Question: does it affect connectiviy to older boxes? For instance, I had a router that simply does not accept ssh connection from openSUSE ssh, since an update made some time ago. The theory is that the busybox implementation they use is too old or incompatible or something. This is just an example, I'm not concerned about that particular hardware. Could this library replacement you propose have a similar effect on connectivity to older boxes? If it does, is it possible to somehow use the older library for at least those connections? Or am I totally confused? :-) Otherwise, I like the idea. But I'm no expert on that field, so I don't count ;-) - -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iF4EAREIAAYFAlPKXoIACgkQja8UbcUWM1z8FwD/YgwNP09I8S/JAUrK3215EEp+ YLbLCPy8Zgb1Y5yiE3MA/0WBXyF/aYkFfuI20OgnEQwFxl1QLL5TDdzVYjDVxpy/ =Uh5w -----END PGP SIGNATURE-----
On Saturday 2014-07-19 14:03, Carlos E. R. wrote:
El 2014-07-18 a las 10:29 +0200, Jan Engelhardt escribió:
LibreSSL is a fork of OpenSSL which has been stripped of old, unused code and code for defunct/historic OSes.
Question: does it affect connectiviy to older boxes?
Don't know. It is conceivable that it does affect it, because LibreSSL is based upon a recent OpenSSL version (1.0.1g). However, the reverse is also conceivable, because openSUSE patched its openssl to deactivate certain ciphers:
For instance, I had a router that simply does not accept ssh connection from openSUSE ssh, since an update made some time ago.
That may be because the two peers cannot agree on a hash and cipher. openSUSE openssl has two patches listed under the "FIPS" umbrella: [21]openssl-libssl-noweakciphers.patch: -#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2" +#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW" [35]openssl-1.0.1e-add-suse-default-cipher.patch: -#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!LOW" +#define SSL_DEFAULT_CIPHER_LIST "ALL:!aNULL:!eNULL:!SSLv2:!EXPORT:!RC2:!DES" (so, the cipher group EXPORT, and the two ciphers RC2 and DES are excluded) which may contribute to your observations. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 18.07.14 10:29 Jan Engelhardt wrote:
tl;dr: libressl makes a lot of people sleep better at night. ;)
+1 for giving people the choice between different SSL-implementations. Whether or not this should be in the default installation or whether packages should be built using this package is a completely different question. Regards, Johannes - -- `Oh, you may not think I'm pretty, But don't judge on what you see, I'll eat myself if you can find a smarter hat than me.´ (The Sorting Hat in Harry Potter I) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/ iEYEARECAAYFAlPKaHgACgkQzi3gQ/xETbIG5gCdEJV1oUjS97g55mr626atlTIG nzkAoKGIIFSqtMOxiH0orPFLybk95roN =bB8E -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
El 19/07/14 08:45, Johannes Kastl escribió:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 18.07.14 10:29 Jan Engelhardt wrote:
tl;dr: libressl makes a lot of people sleep better at night. ;)
+1 for giving people the choice between different SSL-implementations.
This is exactly we must not do, we must focus on providing ONE working solution and not many half-backed ones. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sat, 19 Jul 2014 16:35, Cristian Rodríguez <crrodriguez@...> wrote:
El 19/07/14 08:45, Johannes Kastl escribió:
On 18.07.14 10:29 Jan Engelhardt wrote:
tl;dr: libressl makes a lot of people sleep better at night. ;)
+1 for giving people the choice between different SSL-implementations.
This is exactly we must not do, we must focus on providing ONE working solution and not many half-backed ones.
@Cristian: please give proof of your expertise in crypto algoritms and high-security programming before spamming such a reply. OpenSSL has been aroung for a long time now, and has not had a fundamental code reordering and adaption to modern needs in the last ten years. Cruft in the code? Oh yes! Just looking at it gives me back the feeling of 1995, again. Most of the newer security needs is addressed as just tagged on code. A rewrite, function for function is a dire need. I see LibreSSL as a first step to providing a 'drop in' replacement. Either the guys from OpenSSL get their ass in gear, or they will drop to further run. Nothing against a fully working solution. But prof on the 'fully working' is now, - after heartbleed and the debacles before that,- much more needed then before. Would Intel produce processors as good as they are now without the pressure of AMD as competitor? I do not think so. Was/Is the rivality between AMD and Intel good for the customers? Mostly yes, but there where fringes. That is live. Monoculture will kill it self. History has proven that. (How many text-editors are in OSS? Think!) - Yamaban.
On Sat, Jul 19, 2014 at 12:59 PM, Yamaban <foerster@lisas.de> wrote:
On Sat, 19 Jul 2014 16:35, Cristian Rodríguez <crrodriguez@...> wrote:
El 19/07/14 08:45, Johannes Kastl escribió:
On 18.07.14 10:29 Jan Engelhardt wrote:
tl;dr: libressl makes a lot of people sleep better at night. ;)
+1 for giving people the choice between different SSL-implementations.
This is exactly we must not do, we must focus on providing ONE working solution and not many half-backed ones.
@Cristian: please give proof of your expertise in crypto algoritms and high-security programming before spamming such a reply.
OpenSSL has been aroung for a long time now, and has not had a fundamental code reordering and adaption to modern needs in the last ten years.
It's quite clear you don't have such a security background, because if you had, you would know that you don't touch security-critical code just to reorder it. You leave it alone unless there's proof that what you're doing fixes things, and not the opposite. Mere reordering, mere optimization can be a security issue (read about somewhat recent issues with ssh's rng cause by a "small optimization").
Cruft in the code? Oh yes! Just looking at it gives me back the feeling of 1995, again.
Most of the newer security needs is addressed as just tagged on code. A rewrite, function for function is a dire need.
Certainly not. You don't do that with security-critical code. Code like this needs heavy auditing and years of field testing, you just don't throw away all that field testing for a pointless rewrite.
I see LibreSSL as a first step to providing a 'drop in' replacement.
Which is what I see LibeSSL as. A pointless rewrite.
Nothing against a fully working solution. But prof on the 'fully working' is now, - after heartbleed and the debacles before that,- much more needed then before.
Remember, heartbleed was caused by light-minded modifications, which is the kind LibreSSL is doing now, only in bulk. But with time, this rewrite may be good enough. With time. Not now. That said, I do have some experience in security, and even though I don't think LibreSSL is good for real use right now, I see it as a good thing to provide it for those that want to test it. Without it, it may take it longer to be fieldtested enough to consider as a reasonable replacement. I just wouldn't make it default by any means. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 20.07.2014 03:02, schrieb Claudio Freire:
That said, I do have some experience in security, and even though I don't think LibreSSL is good for real use right now, I see it as a good thing to provide it for those that want to test it. Without it, it may take it longer to be fieldtested enough to consider as a reasonable replacement.
I just wouldn't make it default by any means.
I think this is the consensus and I'll accept the package into factory, but no package using it. Greetings, Stephan -- Ma muaß weiterkämpfen, kämpfen bis zum Umfalln, a wenn die ganze Welt an Arsch offen hat, oder grad deswegn. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Saturday 19 of July 2014 17:59:05 Yamaban wrote:
Would Intel produce processors as good as they are now without the pressure of AMD as competitor? I do not think so.
Was/Is the rivality between AMD and Intel good for the customers? Mostly yes, but there where fringes. That is live.
Monoculture will kill it self. History has proven that.
(How many text-editors are in OSS? Think!)
Fully agreed. This whole "one tool per task" doctrine is one of the most dangerous things in linux desktop these days. It takes the choice out of users' hands and prefers solutions with PR tailored to manager ears over those users would choose themselves. It's what forces half-baked projects into distributions as the only choice not only before they are better than the old ones but even before they are good enough to use. And on the other hands, it doesn't give those new projects that don't have "friends in the right places" a chance for a fair competition. No doubt forcing LibreSSL on users as the only option would be bad idea. But so is forcing LibreSSL out of the distribution just because of some "one tool per task" doctrine. Michal Kubeček -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 21. Juli 2014 07:14:53 MESZ, Michal Kubecek <mkubecek@suse.cz> wrote:
No doubt forcing LibreSSL on users as the only option would be bad idea. But so is forcing LibreSSL out of the distribution just because of some "one tool per task" doctrine.
+1, but can we actually give people the choice here? Technically, I mean... anything that uses encryption has to be linked against one of the choices, and then can't just use "the other ssl" without recompiling, right? -- Diese Nachricht wurde von meinem Android-Mobiltelefon mit K-9 Mail gesendet. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, Jul 21, 2014 at 07:24:39AM +0200, Mathias Homann wrote:
On 21. Juli 2014 07:14:53 MESZ, Michal Kubecek <mkubecek@suse.cz> wrote:
No doubt forcing LibreSSL on users as the only option would be bad idea. But so is forcing LibreSSL out of the distribution just because of some "one tool per task" doctrine.
+1, but can we actually give people the choice here? Technically, I mean... anything that uses encryption has to be linked against one of the choices, and then can't just use "the other ssl" without recompiling, right?
Not right now, no. But people would now be able to build against libressl in their projects without funny linking. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, Jul 21, 2014 at 2:52 AM, Marcus Meissner <meissner@suse.de> wrote:
On Mon, Jul 21, 2014 at 07:24:39AM +0200, Mathias Homann wrote:
On 21. Juli 2014 07:14:53 MESZ, Michal Kubecek <mkubecek@suse.cz> wrote:
No doubt forcing LibreSSL on users as the only option would be bad idea. But so is forcing LibreSSL out of the distribution just because of some "one tool per task" doctrine.
+1, but can we actually give people the choice here? Technically, I mean... anything that uses encryption has to be linked against one of the choices, and then can't just use "the other ssl" without recompiling, right?
Not right now, no.
But people would now be able to build against libressl in their projects without funny linking.
At least postgres' next versions are trying to support multiple implementations. Not with libressl in mind, it's more about using window's native SSL implementation, but I bet that can make supporting libressl in postgres easy. But unless libressl is ABI-compatible with openssl (which might be the case for now?) I think its application may be limited to those that explicitly support switching between ssl implementations. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sat, 2014-07-19 at 14:45 +0200, Johannes Kastl wrote:
On 18.07.14 10:29 Jan Engelhardt wrote:
tl;dr: libressl makes a lot of people sleep better at night. ;)
+1 for giving people the choice between different SSL-implementations.
Whether or not this should be in the default installation or whether packages should be built using this package is a completely different question.
+1 Perfectly stated, both of them. The biggest achievements of what the opensource community has deliverd, is the option to choose. Anybody who is against is, i seriously suspect to be on the microsoft payroll, trying to cripple the distro by making is less worth. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
El 19/07/14 18:39, Hans Witvliet escribió:
The biggest achievements of what the opensource community has deliverd, is the option to choose.
http://islinuxaboutchoice.com/
Anybody who is against is, i seriously suspect to be on the microsoft payroll, trying to cripple the distro by making is less worth.
I wonder where is my paycheck.. haven't recieved it yet.. -- Cristian "I don't know the key to success, but the key to failure is trying to please everybody." -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Saturday 19 of July 2014 19:19:36 Cristian Rodríguez wrote:
El 19/07/14 18:39, Hans Witvliet escribió:
The biggest achievements of what the opensource community has deliverd, is the option to choose.
And you assume using big font makes it a stronger argument? Hm... Michal Kubeček -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (11)
-
Carlos E. R. -
Claudio Freire -
Cristian Rodríguez -
Hans Witvliet -
Jan Engelhardt -
Johannes Kastl -
Marcus Meissner -
Mathias Homann -
Michal Kubecek -
Stephan Kulow -
Yamaban