[blfs-dev] openssh-7.7p1

2018-04-10 Thread ag
On Mon, Apr 09, at 02:49 Bruce Dubbs wrote:
> On 04/09/2018 02:18 PM, Richard Melville wrote:
> 
> > Well, I disagree.  Joel Sing has made it clear that he wants libressl to
> > be a drop-in replacement for openssl.  He has also stated publicly that
> > he thinks opaque data structures (the basis of the openssl 1.1 API
> > change) are a good thing.  It's openssl that has broken compatibility
> > between the 1.0 and the 1.1 APIs, and thus created issues with openssh,
> > not libressl.  It is, therefore, unrealistic to expect libressl to
> > conform to the 1.1 API over night.  Clearly, it is going to take some
> > considerable time.
> 
> It has been two years.  How much time do you think is reasonable?
> 
> > As a corollary of the need for the original fork, we have seen how many
> > further openssl security breaches were discovered post fork, none of
> > which affected libressl.
> 
> I wonder why there has been no mass exodus to libressl.  It has been around
> from 2014.  Do you have any ideas about that?
> 
> I did read https://en.wikipedia.org/wiki/LibreSSL
> It does read like it was written by libressl or bsd developers.

Tricky. But it might be easy in the end.

Theo de Raadt might be an over[something] endless stream-of-consciousness
mind that simply cannot keep his mouth shut, but he is an expert in security.

I mean, if there is a group of people (at this time on earth) in whom the earth
could place its trust on those matters (we are speaking here of the TLS stack
and the secure shell, okay?), undeniably by all, that would be him and his
friends on OpenBSD!

But as I said, the solution might finally be easy.

We just have to provide two different sets of instructions; one for openssl and
one for libre. No big deal.

>   -- Bruce
>
-- 
Best,
  Αγαθοκλής
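One way to keep two instruction sets but let the build pick between them, as an added example that is not from the BLFS book or from anyone in this thread: it inspects the installed opensslv.h, assumes the standard OPENSSL_VERSION_NUMBER and LIBRESSL_VERSION_NUMBER macros, and uses OPENSSH_OPENSSL11_PATCH as a placeholder for the compatibility patch file (the sample headers it writes are constructed for the test).

```shell
#!/bin/sh
# Added example (not BLFS book text). Pick the openssh build recipe from the
# installed <openssl/opensslv.h>. LibreSSL defines LIBRESSL_VERSION_NUMBER and
# pins OPENSSL_VERSION_NUMBER to 0x20000000L, so the OpenSSL number alone
# cannot tell the two libraries apart; the LibreSSL check must come first.

# detect_ssl_flavor HEADER -> prints libressl | openssl-1.1 | openssl-1.0 | unknown
detect_ssl_flavor() {
    hdr=$1
    [ -r "$hdr" ] || { echo unknown; return 1; }
    if grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+LIBRESSL_VERSION_NUMBER' "$hdr"; then
        echo libressl; return 0
    fi
    # OPENSSL_VERSION_NUMBER is 0xMNNFFPPSL: M = major, NN = minor.
    ver=$(sed -En 's/^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_VERSION_NUMBER[[:space:]]+(0x[0-9A-Fa-f]+).*/\1/p' "$hdr" | head -n 1)
    case $ver in
        0x101*) echo openssl-1.1 ;;
        0x100*) echo openssl-1.0 ;;
        *)      echo unknown; return 1 ;;
    esac
}

# needs_openssl11_patch FLAVOR -> true only when the 1.1 compat patch is required
needs_openssl11_patch() {
    [ "$1" = openssl-1.1 ]
}

# build_plan FLAVOR -> prints the instruction set to follow
# (OPENSSH_OPENSSL11_PATCH is a placeholder for the patch file, e.g. the Arch one).
build_plan() {
    case $1 in
        openssl-1.1)          echo 'patch -Np1 -i $OPENSSH_OPENSSL11_PATCH && ./configure && make' ;;
        openssl-1.0|libressl) echo './configure && make' ;;
        *)                    echo 'unsupported crypto library'; return 1 ;;
    esac
}

# make_sample_headers DIR: writes three constructed opensslv.h stand-ins in the
# real macro format (illustrative values, not copied from a particular release).
make_sample_headers() {
    printf '# define OPENSSL_VERSION_NUMBER  0x1010000fL\n' > "$1/openssl11-opensslv.h"
    printf '# define OPENSSL_VERSION_NUMBER  0x1000200fL\n' > "$1/openssl10-opensslv.h"
    printf '#define LIBRESSL_VERSION_NUMBER 0x2070200fL\n#define OPENSSL_VERSION_NUMBER 0x20000000L\n' \
        > "$1/libressl-opensslv.h"
}

# Usage: sh detect.sh /usr/include/openssl/opensslv.h
if [ $# -gt 0 ]; then
    flavor=$(detect_ssl_flavor "$1") || true
    echo "detected: $flavor"
    build_plan "$flavor"
fi
```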
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page


Re: [blfs-dev] openssh-7.7p1

2018-04-10 Thread DJ Lucas
On April 7, 2018 5:42:26 PM CDT, Bruce Dubbs  wrote:
>It's disturbing that openssh still requires a 60K patch to build with 
>openssl-1.1.0.  openssl-1.1.0 has been in release since August 2016.

Memory is fuzzy, but IIRC, this was due to lack of FIPS, which has weak ciphers 
as part of the standard. Unfortunately, no fancy buzzword means you get a big 
fat red X, despite exceeding the technical requirements, on the pretty version 
of your audit report (the one the non-technical people read). There are 
multiple upstream packages that can't update until this is addressed in 1.1.1. 

--DJ

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: [blfs-dev] openssh-7.7p1

2018-04-10 Thread Tim Tassonis


Re: [blfs-dev] openssh-7.7p1

2018-04-10 Thread Richard Melville
On 9 April 2018 at 21:59, Tim Tassonis  wrote:

> On 04/09/2018 09:18 PM, Richard Melville wrote:
>
>> On 9 April 2018 at 17:31, Tim Tassonis <st...@decentral.ch> wrote:
>>
>> On 04/09/2018 09:47 AM, Richard Melville wrote:
>>
>> On 7 April 2018 at 23:48, Tim Tassonis wrote:
>>
>>  On 04/08/2018 12:42 AM, Bruce Dubbs wrote:
>>
>>  It's disturbing that openssh still requires a 60K patch to build
>>  with openssl-1.1.0.  openssl-1.1.0 has been in release since
>>  August 2016.
>>
>>
>>  I guess that's probably because they just concentrate on their own
>>  libressl.
>>
>>
>> Which is why I suggested, a long time ago, that we replace
>> openssl with libressl.  I use it and have had no issues.
>>
>>
>>
>> Tricky situation, I think. On one hand, it's a very good thing of
>> lfs/blfs to usually quickly follow upstream on new versions.
>>
>> In the openssl case, they went for an api change with 1.1, and quite
>> a few dependent packages did not (yet) follow, as dropping 1.0
>> support would break compatibility with libressl, as libressl does
>> not seem to prioritize 1.1 support. I just looked at libressl's
>> release notes for their latest 2.7.2 release:
>>
>>   * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
>>     observations of real-world usage in applications. These are
>>     implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
>>     changes have not been made to existing structs, allowing code written
>>     for older OpenSSL APIs to continue working.
>>
>>
>> This translates to me that full openssl 1.1 compatibility is not
>> high on libressl's priority list, and so it looks like the
>> situation with openssh will also not change in the near future.
>>
>>
>> Well, I disagree.  Joel Sing has made it clear that he wants libressl to
>> be a drop-in replacement for openssl.  He has also stated publicly that he
>> thinks opaque data structures (the basis of the openssl 1.1 API change) are
>> a good thing.  It's openssl that has broken compatibility between the 1.0
>> and the 1.1 APIs, and thus created issues with openssh, not libressl.  It
>> is, therefore, unrealistic to expect libressl to conform to the 1.1 API
>> over night.  Clearly, it is going to take some considerable time.
>>
>
> Well, as I read you, you actually fully agree...
>
> I am not expert enough to judge on the quality differences between openssl
> and libressl, nor am I well informed enough to judge about the necessity of
> the api break between openssl 1.0 and 1.1. I was just trying to describe
> the current situation as neutrally as possible.
>

Tim, I don't think that our disagreement was over the time scale, but
rather the inclination of the libressl developers.

Richard


Re: [blfs-dev] openssh-7.7p1

2018-04-10 Thread Richard Melville
On 9 April 2018 at 20:49, Bruce Dubbs  wrote:

> On 04/09/2018 02:18 PM, Richard Melville wrote:
>
>> Well, I disagree.  Joel Sing has made it clear that he wants libressl to
>> be a drop-in replacement for openssl.  He has also stated publicly that he
>> thinks opaque data structures (the basis of the openssl 1.1 API change) are
>> a good thing.  It's openssl that has broken compatibility between the 1.0
>> and the 1.1 APIs, and thus created issues with openssh, not libressl.  It
>> is, therefore, unrealistic to expect libressl to conform to the 1.1 API
>> over night.  Clearly, it is going to take some considerable time.
>>
>
> It has been two years.  How much time do you think is reasonable?
>
>> As a corollary of the need for the original fork, we have seen how many
>> further openssl security breaches were discovered post fork, none of which
>> affected libressl.
>>
>
> I wonder why there has been no mass exodus to libressl.  It has been
> around from 2014.  Do you have any ideas about that?
>
> I did read https://en.wikipedia.org/wiki/LibreSSL
> It does read like it was written by libressl or bsd developers.


Bruce, I'm neither a libressl nor a bsd developer, but merely a bystander
watching from the sidelines.  My interest is that I have chosen to use
libressl over openssl because I believe that it is a superior product, and
I have had no issues with it.  So, in answer to your question about what is
a reasonable time for 1.1 API compliance, I don't know, but from the
evidence that I have seen I am confident that the will is there.  Of
course, that's my personal view.

Regarding "no mass exodus to libressl", I don't think that a "mass exodus",
or the lack of it, determines what is good software and what isn't.
Clearly, openssl has the impetus (and the inertia) by having been around
for years.  A similar example is the apache web server.  It's been around
for years and, in my opinion, has become a bloated monster.  There are a
host of other web servers, which, in my opinion, are mostly a lot better;
nginx perhaps being the best known, but also a number of fast web servers
written in erlang.  Despite this, apache still has a huge following.
People are loath to move from a product with which they are familiar.

Wikipedia pages have to be written by someone, and I'm sure that most of
them contain bias.

Richard


Re: [blfs-dev] openssh-7.7p1

2018-04-09 Thread Richard Melville
On 9 April 2018 at 17:31, Tim Tassonis  wrote:

> On 04/09/2018 09:47 AM, Richard Melville wrote:
>
>> On 7 April 2018 at 23:48, Tim Tassonis <st...@decentral.ch> wrote:
>>
>> On 04/08/2018 12:42 AM, Bruce Dubbs wrote:
>>
>> It's disturbing that openssh still requires a 60K patch to build
>> with openssl-1.1.0.  openssl-1.1.0 has been in release since
>> August 2016.
>>
>>
>> I guess that's probably because they just concentrate on their own
>> libressl.
>>
>>
>> Which is why I suggested, a long time ago, that we replace openssl with
>> libressl.  I use it and have had no issues.
>>
>
>
> Tricky situation, I think. On one hand, it's a very good thing of lfs/blfs
> to usually quickly follow upstream on new versions.
>
> In the openssl case, they went for an api change with 1.1, and quite a few
> dependent packages did not (yet) follow, as dropping 1.0 support would
> break compatibility with libressl, as libressl does not seem to prioritize
> 1.1 support. I just looked at libressl's release notes for their latest
> 2.7.2 release:
>
>  * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
>observations of real-world usage in applications. These are
>implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
>changes have not been made to existing structs, allowing code written
>for older OpenSSL APIs to continue working.
>
>
> This translates to me that full openssl 1.1 compatibility is not high on
> libressl's priority list, and so it looks like the situation with openssh
> will also not change in the near future.
>

Well, I disagree.  Joel Sing has made it clear that he wants libressl to be
a drop-in replacement for openssl.  He has also stated publicly that he
thinks opaque data structures (the basis of the openssl 1.1 API change) are
a good thing.  It's openssl that has broken compatibility between the 1.0
and the 1.1 APIs, and thus created issues with openssh, not libressl.  It
is, therefore, unrealistic to expect libressl to conform to the 1.1 API
over night.  Clearly, it is going to take some considerable time.

As a corollary of the need for the original fork, we have seen how many
further openssl security breaches were discovered post fork, none of which
affected libressl.

Richard


Re: [blfs-dev] openssh-7.7p1

2018-04-09 Thread Tim Tassonis

On 04/09/2018 09:47 AM, Richard Melville wrote:
> On 7 April 2018 at 23:48, Tim Tassonis wrote:
>
>> On 04/08/2018 12:42 AM, Bruce Dubbs wrote:
>>
>>> It's disturbing that openssh still requires a 60K patch to build
>>> with openssl-1.1.0.  openssl-1.1.0 has been in release since
>>> August 2016.
>>
>> I guess that's probably because they just concentrate on their own
>> libressl.
>
> Which is why I suggested, a long time ago, that we replace openssl with
> libressl.  I use it and have had no issues.
>
> Richard

Tricky situation, I think. On one hand, it's a very good thing of 
lfs/blfs to usually quickly follow upstream on new versions.

In the openssl case, they went for an api change with 1.1, and quite a 
few dependent packages did not (yet) follow, as dropping 1.0 support 
would break compatibility with libressl, as libressl does not seem to 
prioritize 1.1 support. I just looked at libressl's release notes for 
their latest 2.7.2 release:

 * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
   observations of real-world usage in applications. These are
   implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
   changes have not been made to existing structs, allowing code written
   for older OpenSSL APIs to continue working.

This translates to me that full openssl 1.1 compatibility is not high on 
libressl's priority list, and so it looks like the situation with 
openssh will also not change in the near future.



Re: [blfs-dev] openssh-7.7p1

2018-04-09 Thread Richard Melville
On 7 April 2018 at 23:48, Tim Tassonis  wrote:

> On 04/08/2018 12:42 AM, Bruce Dubbs wrote:
>
>> It's disturbing that openssh still requires a 60K patch to build with
>> openssl-1.1.0.  openssl-1.1.0 has been in release since August 2016.
>>
>
> I guess that's probably because they just concentrate on their own
> libressl.
>

Which is why I suggested, a long time ago, that we replace openssl with
libressl.  I use it and have had no issues.

Richard


[blfs-dev] openssh-7.7p1 and libressl

2018-04-08 Thread ag
On Sun, Apr 08, at 12:48 Tim Tassonis wrote:
> On 04/08/2018 12:42 AM, Bruce Dubbs wrote:
> > It's disturbing that openssh still requires a 60K patch to build with
> > openssl-1.1.0.  openssl-1.1.0 has been in release since August 2016.
> 
> I guess that's probably because they just concentrate on their own libressl.

libressl works fine here in voidlinux for years now.

> Tim
 
Best,
  Αγαθοκλής


Re: [blfs-dev] openssh-7.7p1

2018-04-07 Thread Tim Tassonis

On 04/08/2018 12:42 AM, Bruce Dubbs wrote:
It's disturbing that openssh still requires a 60K patch to build with 
openssl-1.1.0.  openssl-1.1.0 has been in release since August 2016.


I guess that's probably because they just concentrate on their own libressl.

Tim


[blfs-dev] openssh-7.7p1

2018-04-07 Thread Bruce Dubbs
It's disturbing that openssh still requires a 60K patch to build with 
openssl-1.1.0.  openssl-1.1.0 has been in release since August 2016.


The patch from Arch seems to work well.

  -- Bruce

