GNU bug report logs - #34717
GPL and Openssl incompatibilities in u-boot and possibly others

Previous Next

Full log

Message #23 received at 34717 <at> debbugs.gnu.org (full text, mbox):

From: Ludovic Courtès <ludo <at> gnu.org>
To: Vagrant Cascadian <vagrant <at> debian.org>
Cc: 34717 <at> debbugs.gnu.org
Subject: Re: bug#34717: GPL and Openssl incompatibilities in u-boot and
 possibly others
Date: Fri, 08 Mar 2019 11:08:34 +0100

Hi

Vagrant Cascadian <vagrant <at> debian.org> skribis:

> On 2019-03-06, Ludovic Courtès wrote:

[...]

>> openssl <at> 1.0 has 7,029 dependent packages, so it may be hard to sort it
>> out.  I wonder what would be the best way to approach it.
>
> How many of them are also license:gpl* though? That would hopefully
> reduce the scope somewhat, or maybe even significantly...
>
> If "guix package --search= ..." could be extended to to also search
> other fields, e.g. license: and dependencies: ... it might not be so
> difficult a search.

Here’s an estimate:

--8<---------------cut here---------------start------------->8---
$ guix package -s "" |recsel -e 'license ~ "GPL"' -e 'dependencies ~ "openssl"' |grep ^name| wc -l
265
--8<---------------cut here---------------end--------------->8---

You can view the list of packages like this:

--8<---------------cut here---------------start------------->8---
guix package -s "" |recsel -e 'license ~ "GPL"' -e 'dependencies ~ "openssl"' -p name,version
--8<---------------cut here---------------end--------------->8---

>>> In the Debian u-boot packaging, some of the features using openssl are
>>> disabled, and some of the u-boot targets that require openssl are not
>>> part of the packages. I'd be happy to help with making such adjustments
>>> if this is deemed the better approach for u-boot specifically.
>>
>> That’d be great.  We could definitely remove the OpenSSL dependency when
>> it’s not needed.
>
> For what it's worth, I did do local builds of all the current u-boot-*
> targets in guix with openssl removed from inputs, and the only one that
> failed to build without openssl was u-boot-tools.

Not that bad!

>> In cases where it is needed, it would be nice to see what it’s used
>> for.  Many projects use OpenSSL just for its cryptographic hash
>> functions, for example, and there’s plenty of options to choose from if
>> that’s all that’s needed (Gcrypt, Nettle, etc.).
>
> I think it is using it for generating and verifying rsa signatures, and
> probably other similar basic things. So far I had only thought about
> gnutls, but if gcrypt or nettle are other options, then so much the
> better.
>
> I briefly looked at gnutls's openssl compatibility layers, but it didn't
> seem to implement sufficiently similar include files, which is largely
> all that it is doing.

Yeah, GnuTLS’ OpenSSL compat layer has been bitrotting since forever.

But really rather than GnuTLS they should target one of these crypto
libraries, which seem to be a better fit.

>> I guess this should be discussed with upstream.
>
> I did bring it upstream a little over a year ago, and the response was
> pretty much to rewrite it with gnutls, and I pointed out the most likely
> files that needed updating:
>
>   https://lists.denx.de/pipermail/u-boot/2017-November/312483.html
>   https://lists.denx.de/pipermail/u-boot/2017-December/313616.html
>   https://lists.denx.de/pipermail/u-boot/2017-December/313742.html
>
> I suspect it's pretty much a "patches accepted" sort of scenario.

I guess “we” should consider doing it at some point.  Changing the RSA
signature code to use another API can’t be that hard™.  ;-)

I see from the message above that PEM encoding/decoding may also be
needed, which Gcrypt doesn’t provide.

Thanks,
Ludo’.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.