bug-guix

bug#34717: GPL and Openssl incompatibilities in u-boot and possibly othe


From: Ludovic Courtès
Subject: bug#34717: GPL and Openssl incompatibilities in u-boot and possibly others
Date: Fri, 08 Mar 2019 11:08:34 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)

Hi

Vagrant Cascadian <address@hidden> skribis:

> On 2019-03-06, Ludovic Courtès wrote:

[...]

>> address@hidden has 7,029 dependent packages, so it may be hard to sort it
>> out.  I wonder what would be the best way to approach it.
>
> How many of them are also license:gpl* though? That would hopefully
> reduce the scope somewhat, or maybe even significantly...
>
> If "guix package --search= ..." could be extended to also search
> other fields, e.g. license: and dependencies: ... it might not be so
> difficult a search.

Here’s an estimate:

--8<---------------cut here---------------start------------->8---
$ guix package -s "" | recsel -e 'license ~ "GPL"' -e 'dependencies ~ "openssl"' | grep ^name | wc -l
265
--8<---------------cut here---------------end--------------->8---

You can view the list of packages like this:

--8<---------------cut here---------------start------------->8---
guix package -s "" | recsel -e 'license ~ "GPL"' -e 'dependencies ~ "openssl"' -p name,version
--8<---------------cut here---------------end--------------->8---

>>> In the Debian u-boot packaging, some of the features using openssl are
>>> disabled, and some of the u-boot targets that require openssl are not
>>> part of the packages. I'd be happy to help with making such adjustments
>>> if this is deemed the better approach for u-boot specifically.
>>
>> That’d be great.  We could definitely remove the OpenSSL dependency when
>> it’s not needed.
>
> For what it's worth, I did do local builds of all the current u-boot-*
> targets in guix with openssl removed from inputs, and the only one that
> failed to build without openssl was u-boot-tools.

Not that bad!

>> In cases where it is needed, it would be nice to see what it’s used
>> for.  Many projects use OpenSSL just for its cryptographic hash
>> functions, for example, and there’s plenty of options to choose from if
>> that’s all that’s needed (Gcrypt, Nettle, etc.).
>
> I think it is using it for generating and verifying rsa signatures, and
> probably other similar basic things. So far I had only thought about
> gnutls, but if gcrypt or nettle are other options, then so much the
> better.
>
> I briefly looked at gnutls's openssl compatibility layers, but it didn't
> seem to implement sufficiently similar include files, which is largely
> all that it is doing.

Yeah, GnuTLS’ OpenSSL compat layer has been bitrotting since forever.

But really rather than GnuTLS they should target one of these crypto
libraries, which seem to be a better fit.

>> I guess this should be discussed with upstream.
>
> I did bring it upstream a little over a year ago, and the response was
> pretty much to rewrite it with gnutls, and I pointed out the most likely
> files that needed updating:
>
>   https://lists.denx.de/pipermail/u-boot/2017-November/312483.html
>   https://lists.denx.de/pipermail/u-boot/2017-December/313616.html
>   https://lists.denx.de/pipermail/u-boot/2017-December/313742.html
>
> I suspect it's pretty much a "patches accepted" sort of scenario.

I guess “we” should consider doing it at some point.  Changing the RSA
signature code to use another API can’t be that hard™.  ;-)

I see from the message above that PEM encoding/decoding may also be
needed, which Gcrypt doesn’t provide.

Thanks,
Ludo’.




