GNU bug report logs - #46602
Removing OpenSSL 1.0

Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Package: guix; Reported by: Leo Famulari <leo@HIDDEN>; Keywords: security; dated Wed, 17 Feb 2021 21:27:01 UTC; Maintainer for guix is bug-guix@HIDDEN.

Message received at 46602 <at> debbugs.gnu.org:


Received: (at 46602) by debbugs.gnu.org; 25 Feb 2021 19:01:42 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu Feb 25 14:01:41 2021
Received: from localhost ([127.0.0.1]:39347 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lFLtN-000163-Gd
	for submit <at> debbugs.gnu.org; Thu, 25 Feb 2021 14:01:41 -0500
Received: from mail-qt1-f176.google.com ([209.85.160.176]:37068)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <zimon.toutoune@HIDDEN>) id 1lFLtL-0000zm-Mt
 for 46602 <at> debbugs.gnu.org; Thu, 25 Feb 2021 14:01:40 -0500
Received: by mail-qt1-f176.google.com with SMTP id v3so4921321qtw.4
 for <46602 <at> debbugs.gnu.org>; Thu, 25 Feb 2021 11:01:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025;
 h=mime-version:references:in-reply-to:from:date:message-id:subject:to
 :cc; bh=a7UzCQdVMb05Tg/DoE3al4yXI1ERxPM7AisVAkIC+RU=;
 b=BEt7UCyhtfuvBe02UluAPfsSQk2bMl0ctl4Fat1yY/eaolbgzyT03y1fn7n9F/FXcM
 zoo/WFLA7LFqi8NmrwTwInF90RLocDhMnZmZpgieRlLQl8Q/FAAPQDXiip78FbOWVqyR
 nQTY9gngudZ8Mm2zM1wrsbIDJ0G38txL8M6Wb775RaynDen2GPOaDeDTtLfeZCkvsM9G
 mgcm77zzw+az7bMQ0P8exYhRdRy3OCLCl6gW6wDXEfUkJEEaSJaLtImtuoAgh+U/ALK6
 8GPZ4WtmLBtj+oSti8X0H/jR7+peGnd8yafeVC0stYqp5JPwRy4FPhtkp9VG+wo1X2Wq
 U2QA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:mime-version:references:in-reply-to:from:date
 :message-id:subject:to:cc;
 bh=a7UzCQdVMb05Tg/DoE3al4yXI1ERxPM7AisVAkIC+RU=;
 b=kBQ/ofSwLXImTVFqq15KQNj7xEonOJ2atFDdTBFSzOPWLtexOdKt51RYHRNIMP6WH3
 3kziOrt8TrJRxwFk8wZ8pWr9ccYAF1vorVwWXl0g9J8c+p7IsYFGRfp9lYorPWHtzPTA
 hkSzte1FHC5Oshf+mQvdxInIcEIz/0PEJWjE4dxZtqFEu2DoRUN4msDC3PxTMF82lnmX
 7dXRMYsl+hmmkZw02wwIX8wVFSWBX+ZmnmB/B8uWrLdAvielXBZ5RHLA8SnbnanWKuu4
 tL0eFJ7ps/fViO1Vz5allv9boEj5ZsuD8OVQcXAB/uoxdutsgXAmz3YX4cgtJLgSvZF2
 WGfQ==
X-Gm-Message-State: AOAM532INyyznyGNGaM7Ds/Iy3CVpzLNinywY1yEy4S2IEXYwJQ/LpDJ
 zdFp6nHU7/cEOsb/xC0vzacYyhSqNh0DAbk9kx/gyZTMsrk=
X-Google-Smtp-Source: ABdhPJzGmFTGk//SuYEATFB9CT0ZlXaHwO6Wuv/jJoQ69Um0mMB7NRT4G3QmJQQxPp2vHsrlBJ3aFc6u2yI0sRyOt6w=
X-Received: by 2002:ac8:57c1:: with SMTP id w1mr3832579qta.313.1614279693914; 
 Thu, 25 Feb 2021 11:01:33 -0800 (PST)
MIME-Version: 1.0
References: <YC2KDCevazOXaZxZ@HIDDEN>
In-Reply-To: <YC2KDCevazOXaZxZ@HIDDEN>
From: zimoun <zimon.toutoune@HIDDEN>
Date: Thu, 25 Feb 2021 20:01:22 +0100
Message-ID: <CAJ3okZ0ZcrcXtB0BbcfDh1PxG2k9K455Nd4w=3tPSn-KzcAW6g@HIDDEN>
Subject: Re: bug#46602: Removing OpenSSL 1.0
To: Leo Famulari <leo@HIDDEN>
Content-Type: text/plain; charset="UTF-8"
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 46602
Cc: 46602 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Hi Leo,

On Wed, 17 Feb 2021 at 22:43, Leo Famulari <leo@HIDDEN> wrote:
>
> OpenSSL 1.0 is no longer supported as free software. As research
> continues, new bugs are discovered and there are no fixes available.
>
> We should remove it soon. Since Qt 4 depends on it, we can remove them
> at the same time [0].
>
> Some packages will probably have to be removed, since they depend on
> OpenSSL 1.0 and have not been updated to use more recent versions.
>
> OpenSSL 1.0 is used in the Rust bootstrap, unfortunately, so we will
> have to preserve some package of it, but it will be hidden.

Well, it needs some care I guess.

$ guix refresh -l openssl@HIDDEN
Building the following 1930 packages would ensure 2048 dependent
packages are rebuilt

On the other hand, grepping for "openssl-1.0" returns:

16 matches
12 files contained matches
1522 files searched

File: distributed.scm
File: networking.scm
File: databases.scm
File: rust.scm
File: web-browsers.scm
File: android.scm
File: web.scm
File: crypto.scm
File: messaging.scm
File: ntp.scm
File: crates-io.scm
File: qt.scm

Therefore, a good start seems to try to build all the 16 packages
depending on openssl@HIDDEN with openssl@HIDDEN  And mark them with a
comment if they fail.  But I guess that openssl@HIDDEN is a strong
requirement for these 16 packages.

For instance, the package psyclpc (gnu packages messaging) could be
removed since it does not build and use openssl@HIDDEN

Cheers,
simon
Information forwarded to bug-guix@HIDDEN:
bug#46602; Package guix. Full text available.
Added tag(s) security. Request was from Ludovic Courtès <ludo@HIDDEN> to control <at> debbugs.gnu.org. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 17 Feb 2021 21:26:42 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Wed Feb 17 16:26:42 2021
Received: from localhost ([127.0.0.1]:45267 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lCULK-0007S1-74
	for submit <at> debbugs.gnu.org; Wed, 17 Feb 2021 16:26:42 -0500
Received: from lists.gnu.org ([209.51.188.17]:47184)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <leo@HIDDEN>) id 1lCULI-0007Ru-RI
 for submit <at> debbugs.gnu.org; Wed, 17 Feb 2021 16:26:41 -0500
Received: from eggs.gnu.org ([2001:470:142:3::10]:48252)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@HIDDEN>) id 1lCULI-0003AR-KO
 for bug-guix@HIDDEN; Wed, 17 Feb 2021 16:26:40 -0500
Received: from out1-smtp.messagingengine.com ([66.111.4.25]:37997)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <leo@HIDDEN>) id 1lCULG-0007su-Vj
 for bug-guix@HIDDEN; Wed, 17 Feb 2021 16:26:40 -0500
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47])
 by mailout.nyi.internal (Postfix) with ESMTP id 5872B5C010D;
 Wed, 17 Feb 2021 16:26:38 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
 by compute7.internal (MEProxy); Wed, 17 Feb 2021 16:26:38 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=famulari.name;
 h=date:from:to:subject:message-id:mime-version:content-type; s=
 mesmtp; bh=eG/LcWTyPhBmpdZ4z9X+bxgQdcke5H1iq9JsTWLmgRA=; b=pwiAC
 LXRLz0Ad8g4IUn2crEww4HcS/clxanGR8fosdDirAZ72JZ4ZC7rSTNGgMdahrWga
 +3CgTca/ljvuwwHh3wOOMXYcMy1hK5Vjkdgx/1CfL8DHuagekJ+XLnjivApTIgvu
 AA/CwzqJFGL6bOBz8QAaCPrUb9Azfr+FJU+8eU=
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
 messagingengine.com; h=content-type:date:from:message-id
 :mime-version:subject:to:x-me-proxy:x-me-proxy:x-me-sender
 :x-me-sender:x-sasl-enc; s=fm2; bh=eG/LcWTyPhBmpdZ4z9X+bxgQdcke5
 H1iq9JsTWLmgRA=; b=lkRyCXYSfxXDrw5UMi18qZWnI5+wV0CLvTw3i7L2zo6Hx
 vkf93t3/RQS43pE95p9X1CTRLujvEgCUJMI8TrJWM2HYU7ynK35qmop60Y7mDZmX
 yyZoNfEKa4rjwym2gdQCUODcZI6zzOLMDPaLDRfVnx5ppU70eeSCPN362IEHpWCY
 G+pYseFm7Fw8+AEc1+OxjqEeDwoqmzI0BgzCuwEUGu/Bdd0RWeAbhT6oLzR8kpOh
 lIqLzmN2+D9jEJ5ikSM463/WLzoHoHXeHVXZ0+6LI5fQ0i7ZsqrArjhifL2lGCpb
 JAgyAMRR6RqrdXjVHVsPjQtcEfZvE7i+1V1qga+ig==
X-ME-Sender: <xms:DYotYG8L7UOr9csmT-noBfnnf04zFV0cwpRxmK31YXZhCJUCo7UfKg>
 <xme:DYotYGoZ_RijeXbAfrQGib76m-pgDEq1tMPVb7oacUwYX5q61zhYxxYVn9D7dLcxD
 FI4_pcsMTsxXt3nGw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrjedvgdduvddvucetufdoteggodetrfdotf
 fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
 uceurghilhhouhhtmecufedttdenucenucfjughrpeffhffvuffkgggtugesthdtredttd
 dtvdenucfhrhhomhepnfgvohcuhfgrmhhulhgrrhhiuceolhgvohesfhgrmhhulhgrrhhi
 rdhnrghmvgeqnecuggftrfgrthhtvghrnhepueeiudeijeduffdvhfejvdegvdehgffgje
 dvveekfeefleefkeeuieejudevtedunecuffhomhgrihhnpehgnhhurdhorhhgnecukfhp
 pedutddtrdduuddrudeiledruddukeenucevlhhushhtvghrufhiiigvpedtnecurfgrrh
 grmhepmhgrihhlfhhrohhmpehlvghosehfrghmuhhlrghrihdrnhgrmhgv
X-ME-Proxy: <xmx:DYotYI4DdgPWLGRUkxUyigDLw_UQ33dLh7dKbasZSiMuuEQguTWGAA>
 <xmx:DYotYGMEBK0tKi8raK-82BOdUOdMV6bFCgZDTbjUnu8nzQCKqYvJPA>
 <xmx:DYotYKPZ6Tpu8eD_8jMzQ-lJK5_7Ij3jdcOMfoWEOXPsDlk8G_QXRA>
 <xmx:DootYFBhlePiXgF7cVjCh0yYWTkvBPSAWxIQTCcOjbknO78OMLTp6A>
Received: from localhost (pool-100-11-169-118.phlapa.fios.verizon.net
 [100.11.169.118])
 by mail.messagingengine.com (Postfix) with ESMTPA id DA819240057
 for <bug-guix@HIDDEN>; Wed, 17 Feb 2021 16:26:37 -0500 (EST)
Date: Wed, 17 Feb 2021 16:26:36 -0500
From: Leo Famulari <leo@HIDDEN>
To: bug-guix@HIDDEN
Subject: Removing OpenSSL 1.0
Message-ID: <YC2KDCevazOXaZxZ@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Received-SPF: pass client-ip=66.111.4.25; envelope-from=leo@HIDDEN;
 helo=out1-smtp.messagingengine.com
X-Spam_score_int: -27
X-Spam_score: -2.8
X-Spam_bar: --
X-Spam_report: (-2.8 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,
 RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

OpenSSL 1.0 is no longer supported as free software. As research
continues, new bugs are discovered and there are no fixes available.

We should remove it soon. Since Qt 4 depends on it, we can remove them
at the same time [0].

Some packages will probably have to be removed, since they depend on
OpenSSL 1.0 and have not been updated to use more recent versions.

OpenSSL 1.0 is used in the Rust bootstrap, unfortunately, so we will
have to preserve some package of it, but it will be hidden.

Any thoughts?

[0] https://bugs.gnu.org/45704
Acknowledgement sent to Leo Famulari <leo@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-guix@HIDDEN. Full text available.
Report forwarded to bug-guix@HIDDEN:
bug#46602; Package guix. Full text available.
Please note: This is a static page, with minimal formatting, updated once a day.
Click here to see this page with the latest information and nicer formatting.
Last modified: Thu, 25 Feb 2021 19:00:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.