Date: Tue, 2 May 2023 13:26:24 -0700
From: Enji Cooper <yaneurabeya@gmail.com>
To: Warner Losh <imp@bsdimp.com>
Cc: Cy Schubert <Cy.Schubert@cschubert.com>, Jung-uk Kim <jkim@freebsd.org>, Rene Ladan <rene@freebsd.org>, "A. Wilcox" <AWilcox@wilcox-tech.com>, FreeBSD-arch list <freebsd-arch@freebsd.org>
Subject: Re: OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc
Message-ID: <23456F78-20E0-4377-927A-BBF5FA3032F2@gmail.com>
In-Reply-To: <CANCZdfrHsBotPYQsFUVoL6t%2BFVoXQZmNH7A3Ey=w3PBppsfOjw@mail.gmail.com>
References: <C6F8DD52-348E-42D8-84DE-B3A399D2606F@gmail.com> <89371295-EA1D-4C29-8690-C5C7BE96B178@Wilcox-Tech.com> <eb7eddfe-5e7a-468d-e2fe-7b7ae6517aad@FreeBSD.org> <ZFC7s1Z8PxtRxgyR@freefall.freebsd.org> <deffec4c-8c34-b1e3-6820-2455db98c771@FreeBSD.org> <20230502120200.32c545e4@cschubert.com> <CANCZdfrHsBotPYQsFUVoL6t%2BFVoXQZmNH7A3Ey=w3PBppsfOjw@mail.gmail.com>
> On May 2, 2023, at 12:47 PM, Warner Losh <imp@bsdimp.com> wrote:
>
> On Tue, May 2, 2023 at 1:02 PM Cy Schubert <Cy.Schubert@cschubert.com> wrote:
> On Tue, 2 May 2023 10:42:32 -0400
> Jung-uk Kim <jkim@FreeBSD.org> wrote:

...

> Agreed. Making OpenSSL private doesn't mitigate the security risks.

(addressing this particular set of comments)

Some groups with deep pockets have paid extra $$$ to keep limited 1.x support alive for their internal use, so this is less of an issue for them, but it's definitely an issue for the OSS community. Some groups also don't have to deal with the technical and political issues blocking package upgrades (QEMU_EMULATING), so it's easier to upgrade ports to versions that support OpenSSL 3; this unfortunately isn't true for FreeBSD given the number of architectures and ports FreeBSD supports today.

Making libraries private makes it more possible for various versions of OpenSSL to coexist today with isolated components of a given system ($work doesn't support `pkg` on customer sites, but we use it internally). This makes moving the codebase at $work iteratively from OpenSSL 1.x to OpenSSL 3.x easier from a practical/risk perspective. It doesn't address the issue with shared process namespace introduced by PAM, python, and other applications that work via dlopen'ing openssl required libraries lazily, but it does solve a class of problem.

Adding FLAVORS support to ports could help address the other piece of this puzzle in ports and would simultaneously add a great deal of complexity to the package build matrix and dependencies as a whole (FLAVORS would technically have to deal with base, 1.1, 3.0, 3.1, libressl, bearssl, etc). This is something I considered and I would definitely be in support of happening _with the idea in mind that someone with influence in the ports arena (I don't have much in that arena) would need to make these changes._ I've been impeded enough when posting ports updates to support OpenSSL 3 in the python arena that I've given up hope with my being able to scale fixing all of the OpenSSL 3 related issues in ports [1]. I simply don't have the bandwidth to set up the environment and do the necessary work to prove that what I'm doing won't regress some form of package building within the FreeBSD support matrix [2].

I started the discussion to highlight the fact that (as of right now) the issues with OpenSSL 3 are less technical from a code uplift perspective in base, and more because of technical issues introduced by having ports rely on libraries being provided by the base system for legacy reasons. I think I succeeded in achieving that much, but there are some larger issues that need to be tackled first:

- What should be done about ports that don't support OpenSSL 3 in the short term and long term?
- When should the switch be flipped from OpenSSL 1.x to 3.x in base?
- How will the FreeBSD project deal with OpenSSL 1.1 support on stable/ branches with ports when upstream projects (inevitably) start pulling OpenSSL 1.1 support from their projects [3]?

Thank you,
-Enji

1. FreeBSD ports updates are failure averse instead of allowing for failures to occur and pivoting quickly to iteratively fix problems in ports.
2. FreeBSD doesn't have automated CI/CD for ports updates, so the responsibility falls on the submitter's shoulders to verify their changes don't break certain architectures, flavors, etc.
3. Keeping 1.1 support alive(ish) for stable/ is somewhat doable using the DEPRECATED macros; however, it doesn't resolve all potential breaking issues when moving from 1.1 to 3.x.
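The shared-process-namespace problem Enji describes (a PAM module, a python extension and the main program each dragging a different libcrypto into one address space) can at least be checked for before it bites. The script below is an added example, not from this thread or from FreeBSD: it scans ldd(1)-style output for more than one libcrypto soname. The sample lines, paths and sonames in it (libcrypto.so.111 for a base 1.1.1 library, libcrypto.so.12 for a ports OpenSSL 3 package) are constructed and assumed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): flag a process image whose components
# pull in more than one libcrypto soname, i.e. the 1.x/3.x namespace clash.
# Feed it ldd(1)-style output on stdin. ldd only lists DT_NEEDED entries, so
# for modules that are dlopen'ed lazily (PAM modules, python extensions)
# concatenate the ldd output of the main binary and of each module.

# Print each distinct libcrypto soname seen in the input, one per line.
crypto_sonames() {
    awk '$1 ~ /^libcrypto\.so\./ { seen[$1] = 1 }
         END { for (s in seen) print s }' | sort
}

# Succeed only when exactly one libcrypto soname is present.
check_mixed() {
    n=$(crypto_sonames | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Constructed sample: a python _ssl module linked against a ports OpenSSL 3
# (libcrypto.so.12, assumed soname) loaded into a process whose PAM module
# was linked against the base 1.1.1 library (libcrypto.so.111, assumed).
SAMPLE='/usr/local/lib/python3.9/lib-dynload/_ssl.so:
        libssl.so.12 => /usr/local/lib/libssl.so.12 (0x800280000)
        libcrypto.so.12 => /usr/local/lib/libcrypto.so.12 (0x800300000)
        libc.so.7 => /lib/libc.so.7 (0x800600000)
/usr/lib/pam_example.so:
        libcrypto.so.111 => /lib/libcrypto.so.111 (0x800900000)
        libc.so.7 => /lib/libc.so.7 (0x800600000)'

if printf '%s\n' "$SAMPLE" | check_mixed; then
    echo "one libcrypto soname; no clash"
else
    echo "mixed libcrypto sonames in one process namespace:"
    printf '%s\n' "$SAMPLE" | crypto_sonames
fi
```

On a real system the input would be something like `ldd /usr/local/bin/prog /usr/local/lib/security/pam_*.so | check_mixed`; the check says nothing about which library a dlopen'ed module binds its symbols to at run time, only that two versions are present to clash.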