[RFC] libssl abstraction, default to libressl instead of openssl#10468
[RFC] libssl abstraction, default to libressl instead of openssl#10468fpletz wants to merge 2 commits intoNixOS:masterfrom
Conversation
011af85 to
2cb428f
Compare
|
Why is |
|
@peti Personally I would prefer LibreSSL because their aim is to clean up the code in OpenSSL and make it at least somewhat maintainable, which I, having unfortunately spent some time looking at the original code, can only welcome. |
|
libressl got a security advisory a few days ago (doesn't affect openssl) http://seclists.org/oss-sec/2015/q4/87 |
|
Generally openssl has had much more CVEs than openssl since libressl forking off and libressl aim to clean up a lot of the old cruft from which is totally worthless now. See https://wiki.freebsd.org/LibreSSL for a list of vulnerabilities. |
2cb428f to
b2f3d4b
Compare
b2f3d4b to
b99cb44
Compare
|
How do other distributions handle this? Does anyone else prefer |
|
I think no, apart from OpenBSD but they don't qualify as a Linux distribution ^_^. |
|
I can't even find the package in major distros, but I suppose it would be nontrivial for them to have a different version of |
|
I also remember several Arch Linux packages in AUR and guides for replacing OpenSSL with LibreSSL on it; the biggest problem is, as @vcunat said, a big difficulty in having two |
|
I personally would prefer using libressl 2.2.4 as default for now in NixOS as that is the latest stable release, 2.3 being the current snapshot releases. |
|
Might I suggest to first only introduce In regards to pkgs.libss. Is aliasing a good-enough solution or do we need a mechanism to fallback to openssl for well-known broken libraries ? |
|
👍 |
Also see Gentoo's overlay.
This seems impossible; Here's how I would allow libressl:
[1] Generic terms are generic, not the first user owns them -- Kay Sievers |
We can always solve the problem with another layer of indirection :p Maybe pkgs.libssl would become a function that takes a white and a black list and returns the right derivation. Then all SSL libraries are removed from the top-level and then the only way to access them is trough that function. That being said, I don't think that most people will want to switch libraries. After all you need the recompile half of the programs in the system and don't benefit from the hydra builds anymore. I like your idea of taking |
Me too. The switch shouldn't involve touching hundreds of expressions. That tends to create merge interactions, e.g. with the closure-size branch. And there's not just libssl but libcrypto in there, too. The line |
|
Indeed. I don't see a reason for this change, Also for the discussion and a friendly reminder, that libressl and all other alternatives have seen less vulnerabilities because they are much less used than openssl. |
|
Okay, thanks for all the feedback. We will move forward by keeping the |
This is a RFC to add a generic libssl attribute to depend on an openssl compatible libssl implementation. Also, this changes the default libssl implementation to libressl.
Some software doesn't work yet with libressl, so there are some hardcoded dependencies on openssl where I stumbled on problems, but not all packages were tested. My laptop and some service VMs are working flawlessly. This is a work in progress.
Currently, libssl also includes libcrypto and the openssl utility (both included in libressl) but this could also be split out if needed.
I'd like some feedback if this change is welcome or if you prefer to add this in another way.
Side note: The libressl folks are working on a new TLS API called libtls, thus the choice to name the old API libssl (which is also the actual name of the library in question), which is already available in libressl today: http://www.openbsd.org/papers/libtls-fsec-2015/