On Sat, Nov 11, 2023 at 12:55:16AM +0900, Simon Richter wrote:
> Hi,
> 
> On 11/10/23 21:07, Stephan Verbücheln wrote:
> 
> > In my opinion, this is yet another reason to use a proper cryptography
> > library (openssl, gnutls or gcrypt) instead of a custom implementation
> > for this kind of algorithm.
> 
> Yes and no. The reason several of our core tools bring their own functions
> is to specifically reduce the Essential package set. Hence this thread: we
> need to weigh the benefits against the drawbacks here.
> 
> In coreutils' case, I think the benefits are kind of qualified by the number
> of direct users. Basically, few people have use cases that require them to
> routinely verify checksums with the tools from coreutils[1].
> 
> The main benefit of this move is that container images will shrink because
> libssl becomes part of the base layer, so fewer copies of it will be kept in
> stacked layers. I would disregard this as a benefit, otherwise we could make
> a case that more packages should be Essential.
> 
> The actual drawbacks for users are minimal too:
>  - systemd pulls it in anyway
>  - apt will pull it in on the remaining systems
> 
> I don't quite see the appeal of OpenSSL as a dependency for apt either. I
> have 2 Gbps Internet at home, and a laptop I bought in 2012, and apt is
> never CPU bound. I could see the benefit of gzip offloading into the kernel
> crypto engine, that would be noticeable to me and at least two other people.

It's not a performance issue for APT, but:

1) we use libgcrypt in libapt-pkg, which needs global initialization.
   Libraries should not be doing the initialization, we're basically
   misusing it.

   The reason we use a library is to not have to vendorize the hashing
   algorithms.

   But more importantly, OpenSSL is the right choice because:

2) We use GnuTLS for the https support and that has various little
   incompatibilities that break it with some servers, certificates,
   or oppressive government firewalls, causing people not to be able
   to download their updates via https.

   Hence we want to replace that with OpenSSL.


-- 
debian developer - deb.li/jak | jak-linux.org - free software dev
ubuntu core developer                              i speak de, en
