From nobody Sat Apr  1 00:36:52 2023
From: Kristof Provost <kp@FreeBSD.org>
To: Ruslan Bukin <br@bsdpad.com>
Cc: John Baldwin <jhb@freebsd.org>, arch@freebsd.org
Subject: Re: Deprecate/remove riscv64sf
Date: Sat, 01 Apr 2023 09:36:52 +0900
Message-ID: <E7D252F3-5500-40A2-8E57-FAAD5237CAEE@FreeBSD.org>
In-Reply-To: <ZCc+YcM/iVCC73TK@bsdpad.com>
References: <629bf85d-4d48-17f5-cb26-dfd29f7e6ff7@FreeBSD.org>
 <ZCc+YcM/iVCC73TK@bsdpad.com>
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
List-Help: <mailto:freebsd-arch+help@freebsd.org>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Subscribe: <mailto:freebsd-arch+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-arch+unsubscribe@freebsd.org>

On 1 Apr 2023, at 5:11, Ruslan Bukin wrote:
> On Wed, Mar 29, 2023 at 11:17:21AM -0700, John Baldwin wrote:
>> Is anyone using riscv64sf?  All of the existing RISC-V boards include hard-float
>> support as well as QEMU.  The FPGA cores we use at Cambridge also all support
>> hard-float.  My understanding is that glibc doesn't bother supporting soft-float
>> on RV64.  If no one is using it (and has no plans to use it), then I propose
>> we drop it in 14.0 and save one more buildworld from make tinderbox.
>>
>
> The idea behind this was to support extensibility of architecture (which is one of the key features of RISC-V). So if F,D,Q extension is not implemented, then riscv64sf could be used. It could be that those times some simulators/emulators did not support these extensions, so riscv64sf created (I could not remember).
> It could be some of new (synthesized) hardware or new emulators won't have support for this straight away. So in research&development perspective it could be useful, in real life probably not for 64 bit.
>
That’s pretty much exactly how I used it a few years ago.
Given that that was a few years ago and that both hardware and software have moved on a bit since then I’d be inclined to just drop it though.

Kristof

From nobody Wed Apr 19 16:50:59 2023
From: Ed Maste <emaste@freebsd.org>
Date: Wed, 19 Apr 2023 12:50:59 -0400
Message-ID: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com>
Subject: OpenSSL in the FreeBSD base system / FreeBSD 14
To: freebsd-arch <freebsd-arch@freebsd.org>

There have been a few discussions on this topic in different venues,
but we should consolidate the discussion on a public mailing list.
This email represents a summary of the issues and the current state;
we’ll discuss next steps in follow-up mail.

FreeBSD 14 is coming soon, and one outstanding task is dealing with
OpenSSL in the base system. The base system currently has OpenSSL
1.1.1, and it will be EOL as of 2023-09-11.

There are two related issues:

- The base system needs to migrate from OpenSSL 1.1.1.
- The ports collection currently makes use of OpenSSL provided by the
base system by default, with some exceptions.

Changing the base system OpenSSL into a privatelib would decouple
these two, so that the base system and ports can migrate to OpenSSL 3
(or even to other implementations) on their own schedules. We have a
number of privatelibs today, like libevent, that are used by the base
system but not by ports. All OpenSSL-using ports will need
security/openssl (or another openssl port).

A related issue is base system libraries that depend on OpenSSL would
also need to be made private. This includes gssapi, heimdal, and
libfetch.

This leaves the actual task of updating OpenSSL in the base system,
which is complicated because we use bespoke build infrastructure in
crypto/openssl/ rather than the upstream build bits. For better or
worse this is the typical case for all of our contrib software, but
OpenSSL is particularly tricky as it makes use of a large number of
generated files, and those files are generated using Perl and perhaps
other tools that are not available in the FreeBSD base system. Porting
this to the base system is not insurmountable, but requires a fairly
large amount of tedious work.

This should serve as a snapshot of where we are today and a starting
point for discussion; we’ll formulate a list of specific tasks in a
follow-up.

From nobody Wed Apr 19 22:08:42 2023
Date: Thu, 20 Apr 2023 01:08:42 +0300
From: Konstantin Belousov <kostikbel@gmail.com>
To: Ed Maste <emaste@freebsd.org>
Cc: freebsd-arch <freebsd-arch@freebsd.org>
Subject: Re: OpenSSL in the FreeBSD base system / FreeBSD 14
Message-ID: <ZEBmahjXXlvtzP-L@kib.kiev.ua>
References: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com>
In-Reply-To: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com>

On Wed, Apr 19, 2023 at 12:50:59PM -0400, Ed Maste wrote:
> A related issue is base system libraries that depend on OpenSSL would
> also need to be made private. This includes gssapi, heimdal, and
> libfetch.
Do ssh and pam in the base depend on the base openssl?
If yes, then it still leaks into the applications despite being private.

For instance,
/usr/lib/pam_ssh.so.6:
        libprivatessh.so.5 => /usr/lib/libprivatessh.so.5 (0x80148b000)
        libpam.so.6 => /usr/lib/libpam.so.6 (0x80154d000)
        libc.so.7 => /lib/libc.so.7 (0x801083000)
        libprivateldns.so.5 => /usr/lib/libprivateldns.so.5 (0x80155d000)
        libcrypto.so.111 => /lib/libcrypto.so.111 (0x801e00000)


From nobody Thu Apr 20 13:14:27 2023
Date: Thu, 20 Apr 2023 15:14:27 +0200 (CEST)
From: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
To: freebsd-arch <freebsd-arch@freebsd.org>
Subject: Re: OpenSSL in the FreeBSD base system / FreeBSD 14
In-Reply-To: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com>
Message-ID: <nycvar.OFS.7.77.840.2304201411080.78141@unqrf.nqzva.sez2.ghz.qr>
References: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com>

On Wed, 19 Apr 2023, Ed Maste wrote:

> There have been a few discussions on this topic in different venues,
> but we should consolidate the discussion on a public mailing list.
> This email represents a summary of the issues and the current state;
> we’ll discuss next steps in follow-up mail.
>
> FreeBSD 14 is coming soon, and one outstanding task is dealing with
> OpenSSL in the base system. The base system currently has OpenSSL
> 1.1.1, and it will be EOL as of 2023-09-11.
>
> There are two related issues:
>
> - The base system needs to migrate from OpenSSL 1.1.1.
> - The ports collection currently makes use of OpenSSL provided by the
> base system by default, with some exceptions.
>
> Changing the base system OpenSSL into a privatelib would decouple
> these two, so that the base system and ports can migrate to OpenSSL 3
> (or even to other implementations) on their own schedules. We have a
> number of privatelibs today, like libevent, that are used by the base
> system but not by ports. All OpenSSL-using ports will need
> security/openssl (or another openssl port).
>
> A related issue is base system libraries that depend on OpenSSL would
> also need to be made private. This includes gssapi, heimdal, and
> libfetch.
>
> This leaves the actual task of updating OpenSSL in the base system,
> which is complicated because we use bespoke build infrastructure in
> crypto/openssl/ rather than the upstream build bits. For better or
> worse this is the typical case for all of our contrib software, but
> OpenSSL is particularly tricky as it makes use of a large number of
> generated files, and those files are generated using Perl and perhaps
> other tools that are not available in the FreeBSD base system. Porting
> this to the base system is not insurmountable, but requires a fairly
> large amount of tedious work.
>
> This should serve as a snapshot of where we are today and a starting
> point for discussion; we’ll formulate a list of specific tasks in a
> follow-up.

Would the OpenSSL privatelib change mean that it's no longer possible to 
build and link base software against libs from ports given that those libs 
are linked to OpenSSL from ports then?

e.g. link base Sendmail (with OpenSSL privatelib) with libsasl from 
security/cyrus-sasl2 and libldap from net/openldap26-client which are then 
linked with libssl and libcrypto from security/openssl

or

link base Heimdal (with OpenSSL privatelib) with libldap from 
net/openldap26-client which is then linked with libssl and libcrypto
from security/openssl

Both examples above are maybe not common but in use by myself since 
"ages".

If such setups will no longer work with OpenSSL privatelib and updating 
OpenSSL in base is such a complicated, heavy and time consuming task, one 
could ask - why use OpenSSL instead of one other SSL implementation in 
base at all?

This is not a rant against OpenSSL but if any other implementation 
provides the same as OpenSSL for base with a compatible license and an 
easier update path for the long term why not switch completely?
If it's then private in base (and of no use outside) anyway nobody 
outside base should care what it is.

Joerg

-- 
The beginning is the most important part of the work.
 				-Plato


From nobody Thu Apr 20 18:46:08 2023
References: <CAPyFy2Afao5tnujFtwiF6avdkqAXRGDOTSq-JSCkHvvbfUvhaA@mail.gmail.com>
 <nycvar.OFS.7.77.840.2304201411080.78141@unqrf.nqzva.sez2.ghz.qr>
In-Reply-To: <nycvar.OFS.7.77.840.2304201411080.78141@unqrf.nqzva.sez2.ghz.qr>
From: Ed Maste <emaste@freebsd.org>
Date: Thu, 20 Apr 2023 14:46:08 -0400
Message-ID: <CAPyFy2DQsNLXmELTun6n590opjcAom-3MQE_jKda7AU4LdcGGg@mail.gmail.com>
Subject: Re: OpenSSL in the FreeBSD base system / FreeBSD 14
To: Joerg Pulz <Joerg.Pulz@frm2.tum.de>
Cc: freebsd-arch <freebsd-arch@freebsd.org>
Content-Type: text/plain; charset="UTF-8"
X-Rspamd-Queue-Id: 4Q2RSt36Kkz4Nx1
X-Spamd-Bar: ----
X-Spamd-Result: default: False [-4.00 / 15.00];
	REPLY(-4.00)[];
	ASN(0.00)[asn:15169, ipnet:209.85.128.0/17, country:US]
X-Rspamd-Pre-Result: action=no action;
	module=replies;
	Message is reply to one we originated
X-ThisMailContainsUnwantedMimeParts: N

On Thu, 20 Apr 2023 at 09:14, Joerg Pulz <Joerg.Pulz@frm2.tum.de> wrote:
>
> Would the OpenSSL privatelib change mean that it's no longer possible to
> build and link base software against libs from ports given that those libs
> are linked to OpenSSL from ports then?
>
> e.g. link base Sendmail (with OpenSSL privatelib) with libsasl from
> security/cyrus-sasl2 and libldap from net/openldap26-client which are then
> linked with libssl and libcrypto from security/openssl
>
> or
>
> link base Heimdal (with OpenSSL privatelib) with libldap from
> net/openldap26-client which is then linked with libssl and libcrypto
> from security/openssl
>
> Both examples above are maybe not common but in use by myself since
> "ages".

Yes, I believe privatelib would preclude use cases like this.

The problem is that we have conflicting constraints: OpenSSL 1.1.1 is
EOL shortly after 14.0 releases, and there are ports that do not yet
build against OpenSSL 3. I am not sure how much will be broken if we
update the base system to OpenSSL 3 but leave the privatelib aside
(i.e., have the base system provide OpenSSL 3 to ports).

> If such setups will no longer work with OpenSSL privatelib and updating
> OpenSSL in base is such a complicated, heavy and time consuming task, one
> could ask - why use OpenSSL instead of one other SSL implementation in
> base at all?

This is a good question, and is something that's been discussed on
occasion. The base system has some components that depend on OpenSSL
right now. If we switch to privatelib it is quite possible that we'll
migrate those to something else over time.

From nobody Thu Apr 20 20:20:32 2023
X-Original-To: freebsd-arch@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Q2TYk5FL6z46XR6
	for <freebsd-arch@mlmmj.nyi.freebsd.org>; Thu, 20 Apr 2023 20:20:42 +0000 (UTC)
	(envelope-from Joerg.Pulz@frm2.tum.de)
Received: from mailhost.frm2.tum.de (mailhost.frm2.tum.de [IPv6:2001:4ca0:2403::81bb:b30c])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mailhost.frm2.tum.de", Issuer "DFN-Verein Global Issuing CA" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4Q2TYj55YLz4Fpc
	for <freebsd-arch@freebsd.org>; Thu, 20 Apr 2023 20:20:41 +0000 (UTC)
	(envelope-from Joerg.Pulz@frm2.tum.de)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=frm2.tum.de header.s=s2048 header.b=HdfBQkIN;
	spf=pass (mx1.freebsd.org: domain of Joerg.Pulz@frm2.tum.de designates 2001:4ca0:2403::81bb:b30c as permitted sender) smtp.mailfrom=Joerg.Pulz@frm2.tum.de;
	dmarc=pass (policy=none) header.from=tum.de
Received: from mailhost.frm2.tum.de (localhost [127.0.0.1])
	by mailhost.frm2.tum.de (8.16.1/8.15.2) with ESMTP id 33KKKXTg072494
	for <freebsd-arch@freebsd.org>; Thu, 20 Apr 2023 22:20:33 +0200 (CEST)
	(envelope-from Joerg.Pulz@frm2.tum.de)
X-Virus-Scanned: at mailhost.frm2.tum.de
Received: from be-hermes.frm2.tum.de (be-hermes.frm2.tum.de [129.187.179.150])
	(authenticated bits=0)
	by mailhost.frm2.tum.de (8.16.1/8.15.2) with ESMTPSA id 33KKKWF0072486
	(version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <freebsd-arch@freebsd.org>; Thu, 20 Apr 2023 22:20:32 +0200 (CEST)
	(envelope-from Joerg.Pulz@frm2.tum.de)
Received: from p200300E62F0Abc00050D940A9ADe10B8.dip0.t-ipconnect.de
 (p200300E62F0Abc00050D940A9ADe10B8.dip0.t-ipconnect.de
 [2003:e6:2f0a:bc00:50d:940a:9ade:10b8]) by hermes.frm2.tum.de (Horde
 Framework) with HTTP; Thu, 20 Apr 2023 22:20:32 +0200
Date: Thu, 20 Apr 2023 22:20:32 +0200
Message-ID: <20230420222032.Horde.TjfVLV5zjaBVDFUN8c4quQ1@hermes.frm2.tum.de>
From: "Pulz, Joerg" <Joerg.Pulz@frm2.tum.de>
To: freebsd-arch@freebsd.org
Subject: Re: OpenSSL in the FreeBSD base system / FreeBSD 14
User-Agent: Horde Application Framework 5
Content-Type: multipart/signed; boundary="=_ou2VcL1qBUBk3ljp3BSBmg1";
 protocol="application/pkcs7-signature"; micalg=sha-1
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-arch
List-Help: <mailto:freebsd-arch+help@freebsd.org>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Subscribe: <mailto:freebsd-arch+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-arch+unsubscribe@freebsd.org>
Sender: owner-freebsd-arch@freebsd.org
MIME-Version: 1.0
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.4 (mailhost.frm2.tum.de [129.187.179.12]); Thu, 20 Apr 2023 22:20:32 +0200 (CEST)
X-Spamd-Result: default: False [-6.09 / 15.00];
	SIGNED_SMIME(-2.00)[];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	FAKE_REPLY(1.00)[];
	DWL_DNSWL_LOW(-1.00)[tum.de:dkim];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-0.99)[-0.987];
	DMARC_POLICY_ALLOW(-0.50)[tum.de,none];
	R_DKIM_ALLOW(-0.20)[frm2.tum.de:s=s2048];
	MIME_GOOD(-0.20)[multipart/signed,text/plain];
	R_SPF_ALLOW(-0.20)[+ip6:2001:4ca0:2403::81bb:b30c];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	FROM_HAS_DN(0.00)[];
	PREVIOUSLY_DELIVERED(0.00)[freebsd-arch@freebsd.org];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	ASN(0.00)[asn:12816, ipnet:2001:4ca0::/32, country:DE];
	RCVD_TLS_LAST(0.00)[];
	RCVD_COUNT_THREE(0.00)[4];
	TO_DN_NONE(0.00)[];
	HAS_ATTACHMENT(0.00)[];
	ARC_NA(0.00)[];
	MID_RHS_MATCH_FROMTLD(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	DKIM_TRACE(0.00)[frm2.tum.de:+];
	MIME_TRACE(0.00)[0:+,1:+,2:~];
	MLMMJ_DEST(0.00)[freebsd-arch@freebsd.org]
X-Rspamd-Queue-Id: 4Q2TYj55YLz4Fpc
X-Spamd-Bar: ------
X-ThisMailContainsUnwantedMimeParts: N

This is a cryptographically signed message in MIME format.

--=_ou2VcL1qBUBk3ljp3BSBmg1
Content-Type: text/plain; charset=utf-8; format=flowed; DelSp=Yes
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, 20 Apr 2023 14:46:08 -0400, Ed Maste <emaste@freebsd.org> wrote:

> On Thu, 20 Apr 2023 at 09:14, Joerg Pulz <Joerg.Pulz@frm2.tum.de> wrote:
>>
>> Would the OpenSSL privatelib change mean that it's no longer possible to
>> build and link base software against libs from ports given that those libs
>> are linked to OpenSSL from ports then?
>>
>> e.g. link base Sendmail (with OpenSSL privatelib) with libsasl from
>> security/cyrus-sasl2 and libldap from net/openldap26-client which are then
>> linked with libssl and libcrypto from security/openssl
>>
>> or
>>
>> link base Heimdal (with OpenSSL privatelib) with libldap from
>> net/openldap26-client which is then linked with libssl and libcrypto
>> from security/openssl
>>
>> Both examples above are maybe not common but in use by myself since
>> "ages".
>
> Yes, I believe privatelib would preclude use cases like this.
>
> The problem is that we have conflicting constraints: OpenSSL 1.1.1 is
> EOL shortly after 14.0 releases, and there are ports that do not yet
> build against OpenSSL 3. I am not sure how much will be broken if we
> update the base system to OpenSSL 3 but leave the privatelib aside
> (i.e., have the base system provide OpenSSL 3 to ports).
>
>> If such setups will no longer work with OpenSSL privatelib and updating
>> OpenSSL in base is such a complicated, heavy and time consuming task, one
>> could ask - why use OpenSSL instead of one other SSL implementation in
>> base at all?
>
> This is a good question, and is something that's been discussed on
> occasion. The base system has some components that depend on OpenSSL
> right now. If we switch to privatelib it is quite possible that we'll
> migrate those to something else over time.

Due to the EOL of OpenSSL 1.1.1 I see only one "quick" solution for
base - update base to the next OpenSSL LTS release 3.0 supported until
7th September 2026. There is not that much time left for this task,
right?

Ports incompatible with OpenSSL 3.0 will break anyway or is there a
plan to keep the EOLed and then unsupported OpenSSL 1.1.1 in ports
just to keep everything building? That would be a strange decision.

Shouldn't other vendors using OpenSSL (e.g. Linux distros) suffer
from the same situation - forced to update OpenSSL but third-party
software/packages not ready for this?

IMO primarily upstream of the affected ports has to fix its stuff to
build against a supported (not EOLed) OpenSSL version.

Are there "exp-run for OpenSSL 3" results somewhere for an overview
about all then broken ports?

I for myself would postpone the privatelib step to a later
point/release (15?).
Early in the development phase for 15 there should be a discussion and
decision about keeping OpenSSL at all in base or switch to something
else better maintainable.

Joerg


-- 
Jörg Pulz
Group Leader - IT Infrastructure (bITTS)

Technische Universität München
Forschungs-Neutronenquelle Heinz Maier-Leibnitz (FRM II)

Lichtenbergstrasse 1
85748 Garching

Tel. +49 89 289 14708
Fax  +49 89 289 14666

Joerg.Pulz@frm2.tum.de
https://www.frm2.tum.de/

--=_ou2VcL1qBUBk3ljp3BSBmg1
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Description: S/MIME Signature
Content-Disposition: attachment; filename=smime.p7s
Content-Transfer-Encoding: base64
--=_ou2VcL1qBUBk3ljp3BSBmg1--