On Fri, Feb 09, 2018 at 12:58:30PM +0000, Kevin Chadwick wrote:
> I assume you know far more than me and A.Wilcox from the Alpine list
> but this was mentioned. They are planning to revert to OpenSSL next
> week.
> 
> I don't use Alpine, though it is possibly my preferred Linux, just
> thought I would mention it.
> 
> To be honest, I don't even know if facilitating wider adoption of
> LibreSSL hurts or benefits OpenBSD security in the end.
> 
> The last paragraph (taken from a separate mail), may be interesting?
> 
> I have no idea what debian etc. are doing.
> 
> http://lists.alpinelinux.org/alpine-devel/6079.html
> _____________________________________________________________________
> 
> awilcox on ciall /usr/src/alpine-aports $ find . -name '*libressl*.patch' | sort
> ./community/asio/libressl.patch
> ./community/cargo/openssl-fix-libressl-cmsh-detection.patch
> ./community/cargo/openssl-libressl263-compat.patch
> ./community/erlang/0011-fix-libressl-build.patch
> ./community/freerdp/libressl-2.5.patch
> ./community/gsoap/libressl.patch
> ./community/heirloom-mailx/libressl.patch
> ./community/isync/libressl-compat.patch
> ./community/john/libressl.patch
> ./community/mongodb-tools/libressl.patch
> ./community/pgbouncer/libressl-2.5.patch
> ./community/qt5-qtbase/libressl-compat.patch
> ./community/retawq/libressl.patch
> ./community/rethinkdb/libressl-all.patch
> ./community/stunnel/stunnel-libressl.patch
> ./community/xchat/libressl.patch
> ./community/yadifa/libressl-compat.patch
> ./main/boost/libressl.patch
> ./main/elinks/libressl-2.5.patch
> ./main/fetchmail/libressl.patch
> ./main/freeswitch/sofia-sip-libressl.patch
> ./main/haproxy/fix-libressl-2.5.patch
> ./main/hexchat/libressl.patch
> ./main/hostapd/libressl-compat.patch
> ./main/krb5/libressl.patch
> ./main/ldns/1.6.17-libressl.patch
> ./main/libevent/libressl.patch
> ./main/libgit2/libressl.patch
> ./main/lua-cqueues/libressl-2.5.patch
> ./main/mosquitto/libressl.patch
> ./main/neon/fix-libressl.patch
> ./main/open-isns/libressl.patch
> ./main/openldap/libressl.patch
> ./main/opensmtpd/libressl-compat.patch
> ./main/openvswitch/libressl-compat.patch
> ./main/opusfile/libressl.patch
> ./main/partimage/libressl.patch
> ./main/perl-crypt-ssleay/libressl.patch
> ./main/postfix/libressl.patch
> ./main/python3/libressl.patch
> ./main/qt/qtcore-4.8.5-libressl.patch
> ./main/serf/libressl.patch
> ./main/spice-gtk/libressl.patch
> ./main/spice/libressl.patch
> ./main/strongswan/libressl.patch
> ./main/tlsdate/libressl-no-sslv3.patch
> ./main/tlsdate/libressl-sslstate.patch
> ./main/transmission/libressl.patch
> ./main/wpa_supplicant/libressl.patch
> ./main/xrdp/libressl-support.patch
> ./testing/bobcat/libressl-compatibility.patch
> ./testing/ejabberd/libressl.patch
> ./testing/imapfilter/libressl.patch
> ./testing/libimobiledevice/01-libressl.patch
> ./testing/litespeed/libressl.patch
> ./testing/megatools/libressl.patch
> ./testing/openconnect/openconnect-7.08-libressl251.patch
> ./testing/prayer/libressl.patch
> ./testing/proftpd/libressl.patch
> ./testing/tarantool/tests-libressl-compat.patch
> ./testing/x11vnc/libressl.patch
> 
> 
> It isn't just this.  Qt 5.10 introduces a new dependency on OpenSSL 1.1
> APIs for improved security, and LibreSSL does not implement those APIs
> at all.
> 
> Also, as mentioned in my other email, one pain point is something like
> mailman or taiga, which require Python Cryptography package version 1.7.
>  This version requires OpenSSL APIs that LibreSSL removed.  That'd be
> fine, since it could be built against OpenSSL instead, however!
> libressl-dev and openssl-dev conflict, and python-dev installs
> libressl-dev because Python is built against LibreSSL.  That means you
> can't actually build OpenSSL-requiring Python packages at all.
> 
> I'd imagine similar issues would be had with Ruby, Perl, Node, and all
> the rest.  Certainly any Qt application that needs OpenSSL APIs (like
> Kleopatra, KDE's key management utility) won't be buildable as well.
> 
> One question I do have is: is there a way to disable the OpenSSL
> compatibility in LibreSSL?  It would be good for packages that require
> LibreSSL (libressl-dev) to be buildable even if openssl-dev is installed
> (preventing something like the above Python situation).
> 

Just in case some LibreSSL dev doesn't want to read the full thread on the
Alpine list, they also want a workaround for the lack of time_t for
32-bit platforms on Linux.

FYI: Adelie is a downstream distro of Alpine which wants to support
"old" platforms. https://adelielinux.org/info.html#platforms


-- 
Juan Francisco Cantero Hurtado http://juanfra.info
