Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-30 Thread hasufell
On 10/30/2015 10:16 PM, Anthony G. Basile wrote:
> On 10/30/15 3:35 PM, hasufell wrote:
>> On 10/30/2015 06:55 PM, Michał Górny wrote:
>>> We have no way of saying 'I prefer polarssl, then gnutls, then
>>> libressl, and never openssl'.
>> I don't think this is something that can be reasonably supported and it
>> sounds awfully automagic. And I don't see how this is possible right
>> now, so I'm not really sure what you expect to get worse.
>>
>> E.g. -gnutls pulling in dev-libs/openssl is not really something you'd
>> expect. If we go for provider USE flags, then things become consistent,
>> explicit and unambiguous. The only problem is our crappy implementation
>> of providers USE flags via REQUIRED_USE.
>>
> I'm not sure what mgorny has in mind, but the problem I see with saying
> I want just X to be my provider system wide is that some pkgs build with
> X others don't, other pkgs might need a different provider.  So it might
> make sense to order them in terms of preference: X1 > X2 > X3 ... and
> then when emerging a package, the first provider in the preference list
> that works is pulled in for that package.
> 

Isn't that basically what the proposal B already was, except that we
don't use REQUIRED_USE for it but some sort of pkg_setup/pkg_pretend
function? I don't see how those ideas even conflict.



Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-30 Thread Michał Górny
On Fri, 30 Oct 2015 23:40:28 +0100
hasufell  wrote:

> On 10/30/2015 10:16 PM, Anthony G. Basile wrote:
> > On 10/30/15 3:35 PM, hasufell wrote:  
> >> On 10/30/2015 06:55 PM, Michał Górny wrote:  
> >>> We have no way of saying 'I prefer polarssl, then gnutls, then
> >>> libressl, and never openssl'.  
> >> I don't think this is something that can be reasonably supported and it
> >> sounds awfully automagic. And I don't see how this is possible right
> >> now, so I'm not really sure what you expect to get worse.
> >>
> >> E.g. -gnutls pulling in dev-libs/openssl is not really something you'd
> >> expect. If we go for provider USE flags, then things become consistent,
> >> explicit and unambiguous. The only problem is our crappy implementation
> >> of providers USE flags via REQUIRED_USE.
> >>  
> > I'm not sure what mgorny has in mind, but the problem I see with saying
> > I want just X to be my provider system wide is that some pkgs build with
> > X others don't, other pkgs might need a different provider.  So it might
> > make sense to order them in terms of preference: X1 > X2 > X3 ... and
> > then when emerging a package, the first provider in the preference list
> > that works is pulled in for that package.
> >   
> 
> Isn't that basically what the proposal B already was, except that we
> don't use REQUIRED_USE for it but some sort of pkg_setup/pkg_pretend
> function? I don't see how those ideas even conflict.

And some sort of magical USE flag meanings? Please stop this right
here. We don't need 16 USE flag package variants which mean 4 things in
different, random and unexpected ways.

-- 
Best regards,
Michał Górny





Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-30 Thread hasufell
On 10/30/2015 11:56 PM, Michał Górny wrote:
> On Fri, 30 Oct 2015 23:40:28 +0100
> hasufell  wrote:
> 
>> On 10/30/2015 10:16 PM, Anthony G. Basile wrote:
>>> On 10/30/15 3:35 PM, hasufell wrote:  
>>>> On 10/30/2015 06:55 PM, Michał Górny wrote:
>>>>> We have no way of saying 'I prefer polarssl, then gnutls, then
>>>>> libressl, and never openssl'.
>>>> I don't think this is something that can be reasonably supported and it
>>>> sounds awfully automagic. And I don't see how this is possible right
>>>> now, so I'm not really sure what you expect to get worse.
>>>>
>>>> E.g. -gnutls pulling in dev-libs/openssl is not really something you'd
>>>> expect. If we go for provider USE flags, then things become consistent,
>>>> explicit and unambiguous. The only problem is our crappy implementation
>>>> of providers USE flags via REQUIRED_USE.
>>>>
>>> I'm not sure what mgorny has in mind, but the problem I see with saying
>>> I want just X to be my provider system wide is that some pkgs build with
>>> X others don't, other pkgs might need a different provider.  So it might
>>> make sense to order them in terms of preference: X1 > X2 > X3 ... and
>>> then when emerging a package, the first provider in the preference list
>>> that works is pulled in for that package.
>>>   
>>
>> Isn't that basically what the proposal B already was, except that we
>> don't use REQUIRED_USE for it but some sort of pkg_setup/pkg_pretend
>> function? I don't see how those ideas even conflict.
> 
> And some sort of magical USE flag meanings? Please stop this right
> here. We don't need 16 USE flag package variants which mean 4 things in
> different, random and unexpected ways.
> 

I really have no idea what you mean. This is about NOT doing things
magically and not having magical USE flag meanings.

Then you complained that you cannot set gnutls and openssl at the same
time... and the only way around that is not having REQUIRED_USE.

It seems to me you don't really know what you want. Either give an
actual proposal or let us move on.



Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-30 Thread Anthony G. Basile

On 10/30/15 3:35 PM, hasufell wrote:
> On 10/30/2015 06:55 PM, Michał Górny wrote:
>> We have no way of saying 'I prefer polarssl, then gnutls, then
>> libressl, and never openssl'.
>
> I don't think this is something that can be reasonably supported and it
> sounds awfully automagic. And I don't see how this is possible right
> now, so I'm not really sure what you expect to get worse.
>
> E.g. -gnutls pulling in dev-libs/openssl is not really something you'd
> expect. If we go for provider USE flags, then things become consistent,
> explicit and unambiguous. The only problem is our crappy implementation
> of providers USE flags via REQUIRED_USE.

I'm not sure what mgorny has in mind, but the problem I see with saying 
I want just X to be my provider system wide is that some pkgs build with 
X others don't, other pkgs might need a different provider.  So it might 
make sense to order them in terms of preference: X1 > X2 > X3 ... and 
then when emerging a package, the first provider in the preference list 
that works is pulled in for that package.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail: bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA




Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-30 Thread Luis Ressel
On Fri, 30 Oct 2015 23:40:28 +0100
hasufell  wrote:

> On 10/30/2015 10:16 PM, Anthony G. Basile wrote:
> > On 10/30/15 3:35 PM, hasufell wrote:  
> >> On 10/30/2015 06:55 PM, Michał Górny wrote:  
> >>> We have no way of saying 'I prefer polarssl, then gnutls, then
> >>> libressl, and never openssl'.  
> >> I don't think this is something that can be reasonably supported
> >> and it sounds awfully automagic. And I don't see how this is
> >> possible right now, so I'm not really sure what you expect to get
> >> worse.
> >>
> >> E.g. -gnutls pulling in dev-libs/openssl is not really something
> >> you'd expect. If we go for provider USE flags, then things become
> >> consistent, explicit and unambiguous. The only problem is our
> >> crappy implementation of providers USE flags via REQUIRED_USE.
> >>  
> > I'm not sure what mgorny has in mind, but the problem I see with
> > saying I want just X to be my provider system wide is that some
> > pkgs build with X others don't, other pkgs might need a different
> > provider.  So it might make sense to order them in terms of
> > preference: X1 > X2 > X3 ... and then when emerging a package, the
> > first provider in the preference list that works is pulled in for
> > that package. 
> 
> Isn't that basically what the proposal B already was, except that we
> don't use REQUIRED_USE for it but some sort of pkg_setup/pkg_pretend
> function? I don't see how those ideas even conflict.
> 

Well, not exactly. If I understood them right, mgorny and blueness are
asking for a user-supplied preference list (e.g. "I want packages to
link with libressl if possible, gnutls otherwise"), not an
ebuild-supplied preference list ("This package prefers gnutls, but
openssl is also supported").

Side note: These ebuild-side preferences are used by some ebuilds (e.g.
cyrus-sasl, it uses gdbm if both gdbm and berkdb use flags are
enabled), but for ssl, we might want to specify "REQUIRED_USE = ^^
(..)" so it's possible to use USE dependencies in order to avoid
namespace conflicts. If there's no REQUIRED_USE,
"somelibrary[libressl]" might be satisfied even though somelibrary is
actually linked to openssl.


-- 
Regards,
Luis Ressel
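
The two points in the message above, as an added example that is not part of the original thread and is not Portage code: a toy model showing how `somelibrary[libressl]` can be satisfied while the library is actually linked to openssl unless `^^ ( openssl libressl )` is enforced, and how a user-supplied preference list would pick a provider. The ebuild-side order (openssl first), the USE sets and all function names are assumptions made for the illustration.

```python
# Added illustration: a toy model of the flag logic, not Portage code.
PROVIDERS = ("openssl", "libressl")  # members of the ^^ ( ... ) group


def exactly_one_of(group, use):
    """REQUIRED_USE '^^ ( a b )': exactly one flag of the group is enabled."""
    return sum(flag in use for flag in group) == 1


def linked_provider(use, ebuild_order):
    """Ebuild-side preference: first enabled flag in the ebuild's order wins."""
    return next((f for f in ebuild_order if f in use), None)


def check(use, ebuild_order, wanted_flag, enforce_required_use):
    """Return (accepted, use_dep_satisfied, provider_actually_linked)."""
    use = set(use)
    if enforce_required_use and not exactly_one_of(PROVIDERS, use):
        return (False, None, None)  # flag combination is rejected up front
    # A USE dependency like somelibrary[libressl] only inspects the flag set.
    return (True, wanted_flag in use, linked_provider(use, ebuild_order))


def pick_by_user_preference(user_order, supported):
    """User-side preference: first provider in the user's list the package supports."""
    return next((p for p in user_order if p in supported), None)


if __name__ == "__main__":
    order = ("openssl", "libressl")        # assumed ebuild-side order
    both = {"ssl", "openssl", "libressl"}  # constructed USE set
    print(check(both, order, "libressl", enforce_required_use=False))
    print(check(both, order, "libressl", enforce_required_use=True))
    print(check({"ssl", "libressl"}, order, "libressl", enforce_required_use=True))
    prefs = ("polarssl", "gnutls", "libressl")  # "never openssl": simply not listed
    print(pick_by_user_preference(prefs, {"openssl", "gnutls"}))
    print(pick_by_user_preference(prefs, {"openssl"}))
```

The first call is the mismatch case: the dependency check passes on the flag alone while the linked provider is openssl. The last call returns no provider, which is the case where a package supports only what the user excluded.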



Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-30 Thread Michał Górny
On Fri, 30 Oct 2015 18:25:14 -0400
Rich Freeman  wrote:

> On Fri, Oct 30, 2015 at 5:16 PM, Anthony G. Basile  
> wrote:
> > On 10/30/15 3:35 PM, hasufell wrote:  
> >>
> >> On 10/30/2015 06:55 PM, Michał Górny wrote:  
> >>>
> >>> We have no way of saying 'I prefer polarssl, then gnutls, then
> >>> libressl, and never openssl'.  
> >>
> >> I don't think this is something that can be reasonably supported and it
> >> sounds awfully automagic. And I don't see how this is possible right
> >> now, so I'm not really sure what you expect to get worse.
> >>
> >> E.g. -gnutls pulling in dev-libs/openssl is not really something you'd
> >> expect. If we go for provider USE flags, then things become consistent,
> >> explicit and unambiguous. The only problem is our crappy implementation
> >> of providers USE flags via REQUIRED_USE.
> >>  
> > I'm not sure what mgorny has in mind, but the problem I see with saying I
> > want just X to be my provider system wide is that some pkgs build with X
> > others don't, other pkgs might need a different provider.  So it might make
> > sense to order them in terms of preference: X1 > X2 > X3 ... and then when
> > emerging a package, the first provider in the preference list that works is
> > pulled in for that package.  
> 
> I think that would be useful in general.  It would probably not be
> useful in this case, since it was somebody's bright idea to make it
> essentially impossible to install two of the options on the same
> system (and that wasn't directed at hasufell).  Users could of course
> still express the preference, but the PM would need to be smart enough
> to ignore that preference on 95% of packages that support both options
> so that it can take the lower preference on the 5% of packages that
> only support the option the user didn't really want.

No, that's not *the* problem. LibreSSL vs OpenSSL is actually
the *least* problematic one since we intend to support them as
'drop-in-plus-rebuild' replacements.

The real problem is those fancy upstreams who believe they're doing
everyone a favor by providing the choice between multiple SSL
providers. This is what brings the real conflicts here, and this what
often loves to break stuff even further by introducing cross-package
implementation match requirements...

-- 
Best regards,
Michał Górny





Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-30 Thread hasufell
On 10/30/2015 06:55 PM, Michał Górny wrote:
> 
> We have no way of saying 'I prefer polarssl, then gnutls, then
> libressl, and never openssl'.

I don't think this is something that can be reasonably supported and it
sounds awfully automagic. And I don't see how this is possible right
now, so I'm not really sure what you expect to get worse.

E.g. -gnutls pulling in dev-libs/openssl is not really something you'd
expect. If we go for provider USE flags, then things become consistent,
explicit and unambiguous. The only problem is our crappy implementation
of providers USE flags via REQUIRED_USE.



Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-30 Thread Rich Freeman
On Fri, Oct 30, 2015 at 5:16 PM, Anthony G. Basile  wrote:
> On 10/30/15 3:35 PM, hasufell wrote:
>>
>> On 10/30/2015 06:55 PM, Michał Górny wrote:
>>>
>>> We have no way of saying 'I prefer polarssl, then gnutls, then
>>> libressl, and never openssl'.
>>
>> I don't think this is something that can be reasonably supported and it
>> sounds awfully automagic. And I don't see how this is possible right
>> now, so I'm not really sure what you expect to get worse.
>>
>> E.g. -gnutls pulling in dev-libs/openssl is not really something you'd
>> expect. If we go for provider USE flags, then things become consistent,
>> explicit and unambiguous. The only problem is our crappy implementation
>> of providers USE flags via REQUIRED_USE.
>>
> I'm not sure what mgorny has in mind, but the problem I see with saying I
> want just X to be my provider system wide is that some pkgs build with X
> others don't, other pkgs might need a different provider.  So it might make
> sense to order them in terms of preference: X1 > X2 > X3 ... and then when
> emerging a package, the first provider in the preference list that works is
> pulled in for that package.

I think that would be useful in general.  It would probably not be
useful in this case, since it was somebody's bright idea to make it
essentially impossible to install two of the options on the same
system (and that wasn't directed at hasufell).  Users could of course
still express the preference, but the PM would need to be smart enough
to ignore that preference on 95% of packages that support both options
so that it can take the lower preference on the 5% of packages that
only support the option the user didn't really want.

-- 
Rich



Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-30 Thread Michał Górny
On Tue, 27 Oct 2015 22:46:35 -0400
Rich Freeman  wrote:

> On Tue, Oct 27, 2015 at 10:06 PM, hasufell  wrote:
> >
> > B) 1 feature flag, 3 strict provider flags
> > * ssl: enable any sort of SSL/TLS support
> > * gnutls: only to enable gnutls provided ssl support in case there
> >   is a choice
> > * openssl: only to enable openssl provided ssl support in case
> >   there is a choice (should not be implemented as !gnutls?)
> > * libressl: only to enable libressl provided ssl support in case there
> > is a choice, must conflict with 'openssl' USE flag
> >
> > consequences:
> > * REQUIRED_USE="^^ ( openssl libressl )" is not only allowed, it is
> >   _mandatory_
> > * packages like media-video/ffmpeg _must_ switch the USE flag
> >   openssl->ssl to avoid breaking global USE flags
> > * !gnutls? ( dev-libs/openssl:0 ) will be bad form or even disallowed
> >
> > B will definitely be more work, but ofc is also a lot cleaner and
> > totally unambiguous.
> >  
> 
> ++
> 
> The pain is for a short time.  Then we have to live with this for a
> long time.  USE flags should have one meaning.  The fact that this
> isn't the case right now is already a bug.  We don't need to
> perpetuate it.

No, the pain is neverending. You define a number of flags which are
scattered all over the place and there's practically no good value but
the 'default'.

We have no way of saying 'I prefer polarssl, then gnutls, then
libressl, and never openssl'. Whatever I put in USE, I'm going to hit
one kind of REQUIRED_USE issues, or other. And in the end, I end up
having huge package.use just to make things work.

How is that a 'short time' pain?

-- 
Best regards,
Michał Górny





Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-30 Thread Rich Freeman
On Fri, Oct 30, 2015 at 1:55 PM, Michał Górny  wrote:
>>
>> The pain is for a short time.  Then we have to live with this for a
>> long time.  USE flags should have one meaning.  The fact that this
>> isn't the case right now is already a bug.  We don't need to
>> perpetuate it.
>
> No, the pain is neverending. You define a number of flags which are
> scattered all over the place and there's practically no good value but
> the 'default'.
>

My response was intended as a comparison of the two options presented,
which so far are the only options that have been suggested by anybody
that don't require EAPI changes.

I wasn't suggesting that there wasn't room for improvement in general.
However, short of banning libressl until EAPI7 and actually doing
something in EAPI7 this is our current best option.

-- 
Rich



Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-29 Thread Chí-Thanh Christopher Nguyễn

hasufell wrote:
> I've seen a lot of ebuilds lately that use 'openssl' USE flag for the
> purpose of enabling ssl features. I think this should be discouraged
> since it introduces inconsistency and is especially confusing for
> packages like media-video/ffmpeg, where you'd expect to get ssl support
> by having the global ssl USE flag enabled.
>
> Furthermore, some packages have started to do things like
> REQUIRED_USE="^^ ( openssl libressl )"
> which is even more inconsistent now and will make it very hard for
> people to switch to libressl without figuring out a lot of blockers,
> since we have conflicting meanings of 'openssl' now. One uses it as a
> feature flag, the other as a provider flag.


It has been discussed before how to map this to USE flags[1], but that 
turned out to be quite difficult. Especially if you want to express 
something like "this package must use the same crypto library as its 
dependency".


REQUIRED_USE="^^ ( openssl libressl )" is one way to make things easy 
for the ebuild developer, but nasty for the user.


For the users, the easiest way would be to set USE="openssl libressl" 
(or some USE_EXPAND) if they are fine with any of these, but this makes 
depending on a package which must be built e.g. against libressl and not 
openssl hard.


Best regards,
Chí-Thanh Christopher Nguyễn


[1] 
https://archives.gentoo.org/gentoo-dev/message/3fd9df7fdd7ac976b87e4e15587bfa63





Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-28 Thread hasufell
On 10/28/2015 09:36 AM, Alexis Ballier wrote:
> On Wed, 28 Oct 2015 03:06:59 +0100
> hasufell  wrote:
>> A is not that difficult. Most uses of 'openssl' can just be replaced
>> with 'ssl', others probably with '!gnutls?' even. A few exotic ones
>> might stay and we will have to advise users to set USE="openssl
>> libressl" instead of USE="-openssl libressl".
>> B will definitely be more work, but ofc is also a lot cleaner and
>> totally unambiguous.
> 
> 
> You haven't taken into consideration the licence incompatibilities:
> http://www.gnu.org/licenses/license-list.en.html#OpenSSL
> it gets really messy for libraries: a gpl binary linking against a
>    library linking against openssl means the binary can be
>    redistributed, but not with such a library linked against openssl...
> 
> the point of the 'openssl' useflag is to have something that is not
> enabled by default and that can be used in RESTRICT="openssl?
> ( bindist )" expressions...
> 


You can just do RESTRICT="ssl? ( bindist )" and disable bindist by
default or vote for solution B.



Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-28 Thread Alexis Ballier
On Wed, 28 Oct 2015 03:06:59 +0100
hasufell  wrote:
> A is not that difficult. Most uses of 'openssl' can just be replaced
> with 'ssl', others probably with '!gnutls?' even. A few exotic ones
> might stay and we will have to advise users to set USE="openssl
> libressl" instead of USE="-openssl libressl".
> B will definitely be more work, but ofc is also a lot cleaner and
> totally unambiguous.


You haven't taken into consideration the licence incompatibilities:
http://www.gnu.org/licenses/license-list.en.html#OpenSSL
it gets really messy for libraries: a gpl binary linking against a
   library linking against openssl means the binary can be
   redistributed, but not with such a library linked against openssl...

the point of the 'openssl' useflag is to have something that is not
enabled by default and that can be used in RESTRICT="openssl?
( bindist )" expressions...



Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-27 Thread Rich Freeman
On Tue, Oct 27, 2015 at 10:06 PM, hasufell  wrote:
>
> B) 1 feature flag, 3 strict provider flags
> * ssl: enable any sort of SSL/TLS support
> * gnutls: only to enable gnutls provided ssl support in case there
>   is a choice
> * openssl: only to enable openssl provided ssl support in case
>    there is a choice (should not be implemented as !gnutls?)
> * libressl: only to enable libressl provided ssl support in case there
> is a choice, must conflict with 'openssl' USE flag
>
> consequences:
> * REQUIRED_USE="^^ ( openssl libressl )" is not only allowed, it is
>   _mandatory_
> * packages like media-video/ffmpeg _must_ switch the USE flag
>   openssl->ssl to avoid breaking global USE flags
> * !gnutls? ( dev-libs/openssl:0 ) will be bad form or even disallowed
>
> B will definitely be more work, but ofc is also a lot cleaner and
> totally unambiguous.
>

++

The pain is for a short time.  Then we have to live with this for a
long time.  USE flags should have one meaning.  The fact that this
isn't the case right now is already a bug.  We don't need to
perpetuate it.

Honestly, this just seems like "the right thing" so if there isn't
opposition then I'd suggest to "just do it" and commit fixes to
ebuilds that need the fix (ie if maintainer doesn't respond to bug
quickly just take care of it).  If people object they should speak up
now, and we can take it up at the next council meeting if necessary
(which is right around the corner).

-- 
Rich



Re: [gentoo-dev] ssl vs openssl vs libressl vs gnutls USE flag foo

2015-10-27 Thread Gordon Pettey
Is this not precisely what USE_EXPAND is supposed to be for? Take CURL_SSL
and make it generic...

On Tue, Oct 27, 2015 at 9:46 PM, Rich Freeman  wrote:

> On Tue, Oct 27, 2015 at 10:06 PM, hasufell  wrote:
> >
> > B) 1 feature flag, 3 strict provider flags
> > * ssl: enable any sort of SSL/TLS support
> > * gnutls: only to enable gnutls provided ssl support in case there
> >   is a choice
> > * openssl: only to enable openssl provided ssl support in case
> >   there is a choice (should not be implemented as !gnutls?)
> > * libressl: only to enable libressl provided ssl support in case there
> > is a choice, must conflict with 'openssl' USE flag
> >
> > consequences:
> > * REQUIRED_USE="^^ ( openssl libressl )" is not only allowed, it is
> >   _mandatory_
> > * packages like media-video/ffmpeg _must_ switch the USE flag
> >   openssl->ssl to avoid breaking global USE flags
> > * !gnutls? ( dev-libs/openssl:0 ) will be bad form or even disallowed
> >
> > B will definitely be more work, but ofc is also a lot cleaner and
> > totally unambiguous.
> >
>
> ++
>
> The pain is for a short time.  Then we have to live with this for a
> long time.  USE flags should have one meaning.  The fact that this
> isn't the case right now is already a bug.  We don't need to
> perpetuate it.
>
> Honestly, this just seems like "the right thing" so if there isn't
> opposition then I'd suggest to "just do it" and commit fixes to
> ebuilds that need the fix (ie if maintainer doesn't respond to bug
> quickly just take care of it).  If people object they should speak up
> now, and we can take it up at the next council meeting if necessary
> (which is right around the corner).
>
> --
> Rich
>
>