From nobody Tue May 02 21:55:57 2023 X-Original-To: freebsd-arch@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4Q9yQD1KYSz48N4t for ; Wed, 3 May 2023 00:25:08 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Received: from omta001.cacentral1.a.cloudfilter.net (omta001.cacentral1.a.cloudfilter.net [3.97.99.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "Client", Issuer "CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4Q9yQD07qnz3kXg; Wed, 3 May 2023 00:25:08 +0000 (UTC) (envelope-from cy.schubert@cschubert.com) Authentication-Results: mx1.freebsd.org; none Received: from shw-obgw-4002a.ext.cloudfilter.net ([10.228.9.250]) by cmsmtp with ESMTP id ts6KpnrgWLAoIu0Itpulyw; Wed, 03 May 2023 00:25:07 +0000 Received: from spqr.komquats.com ([70.66.148.124]) by cmsmtp with ESMTPA id u0IrphmtMyAOeu0IspLQxD; Wed, 03 May 2023 00:25:07 +0000 X-Authority-Analysis: v=2.4 cv=e5oV9Il/ c=1 sm=1 tr=0 ts=6451a9e3 a=Cwc3rblV8FOMdVN/wOAqyQ==:117 a=Cwc3rblV8FOMdVN/wOAqyQ==:17 a=SU-xOcMpIYxLMc8R:21 a=8nJEP1OIZ-IA:10 a=P0xRbXHiH_UA:10 a=6I5d2MoRAAAA:8 a=pGLkceISAAAA:8 a=YxBL1-UpAAAA:8 a=EkcXrb_YAAAA:8 a=DWmYvZdRxjqy5wbzK3cA:9 a=wPNLvfGTeEIA:10 a=hWqEdti56PxJBvPEWkoy:22 a=IjZwj45LgO3ly-622nXo:22 a=Ia-lj3WSrqcvXOmTRaiG:22 a=LK5xJRSDVpKd5WXXoEvA:22 Received: from slippy.cwsent.com (slippy [10.1.1.91]) by spqr.komquats.com (Postfix) with ESMTP id 3428D179; Tue, 2 May 2023 17:25:05 -0700 (PDT) Received: by slippy.cwsent.com (Postfix, from userid 1000) id AE65339A; Tue, 2 May 2023 14:55:57 -0700 (PDT) X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.8+dev Reply-to: Cy Schubert From: Cy Schubert X-os: FreeBSD X-Sender: cy@cwsent.com X-URL: http://www.cschubert.com/ To: John Baldwin cc: Antoine Brodin , Enji Cooper , FreeBSD-arch list , bofh@freebsd.org, brnrd@freebsd.org, Cy Schubert , Ed Maste , vishwin@freebsd.org Subject: Re: OpenSSL 3.0 for 14.0-RELEASE: issues with 1.x/3.x symbol clashing, ports linking against base OpenSSL, ports that don't compile/link against OpenSSL 3, etc In-reply-to: <12f8559c-d696-5344-98d5-1751d04088af@FreeBSD.org> References: <12f8559c-d696-5344-98d5-1751d04088af@FreeBSD.org> Comments: In-reply-to John Baldwin message dated "Tue, 02 May 2023 14:24:05 -0700." List-Id: Discussion related to FreeBSD architecture List-Archive: https://lists.freebsd.org/archives/freebsd-arch List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-arch@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Date: Tue, 02 May 2023 14:55:57 -0700 Message-Id: <20230502215557.AE65339A@slippy.cwsent.com> X-CMAE-Envelope: MS4xfHwA9QxAJAwi40MDlQMe5brG2wV2lZgYzGKYPOx+X/bkbwY3bzzZyV4swGlvRs66OgoqAuTOyO4rnz7i1fqmanUlHfATL2FTOC4qZI4kkAQuYe/xCRoP Ilsa8sIL2cK9S8h7auzyyL1n0K9vd1c1XlasMJxHJtocCQJtOmLuezaVUkI2B2zN5Vtfk57q+xtxywEp0ufP70tQGAkCFnGkqKf7CBxBf2zoKuTzoqMk3qN+ 6afDkwqpqmO7cfa23jdGfFJ4NaLlLtgMDsxAXrMAmXjO9KD1YfNSEqhJYIWLAbkJCIZAai/sVUaeucLOa62XGjf2Fzft2jqSnWXOb9jw68KGWsfqrlc5fRTP DAgJDSRPq5O96etxDm9FPRFjzZW7ZQHqOhM5sqGwb4TwzeSzx/H+HWLNed40diZugt8fPTjWp3dMkL44B2aV8COVQRpvSA== X-Rspamd-Queue-Id: 4Q9yQD07qnz3kXg X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:16509, ipnet:3.96.0.0/15, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N In message <12f8559c-d696-5344-98d5-1751d04088af@FreeBSD.org>, John Baldwin wri tes: > On 5/2/23 2:59 AM, Antoine Brodin wrote: > > On Tue, May 2, 2023 at 1:55 AM Enji Cooper wrote: > >> > >> Hello, > >> One of the must-haves for 14.0-RELEASE is the introduction of OpenSSL 3.0 > into the base system. This is a must because, in short, OpenSSL 1.1 is no lon > ger supported as of 09/26/2023 [1]. > >> > >> I am proposing OpenSSL be made private along with all dependent libraries, > for the following reasons: > >> 1. More than a handful of core ports, e.g., security/py-cryptography [2] [ > 3], still do not support OpenSSL 3.0. > >> i. If other dependent ports (like lang/python38, etc) move to OpenSSL 3, t > he distributed modules would break on load due to clashing symbols if the rig > ht mix of modules were dlopen’ed in a specific order (importing ssl, then i > mporting hazmat’s crypto would fail). > >> ii. Such ports should be deprecated/marked broken as I’ve recommended on > the 3.0 exp-run PR [4]. > >> 2. OpenSSL 1.1 and 3.0 have clashing symbols, which makes linking in both > libraries at runtime impossible without resorting to a number of linker trick > s hiding the namespaces using symbol prefixing of public symbols, etc. > >> > >> The libraries which would need to be made private are as follows: > >> - kerberos > >> - libarchive > >> - libbsnmp > >> - libfetch [5] > >> - libgeli > >> - libldns > >> - libmp > >> - libradius > >> - libunbound > > > > In my opinion this is a huge amount of work a few weeks before the > > release. Focusing on updating OpenSSL and those core ports may be > > simpler. > > This is my view. I think making OpenSSL private is a very huge task, and > fraught with peril in ways that haven't been thought about yet (e.g. PAM) > and that we can't hold up OpenSSL 3 while we wait for this. Instead, I think > we need to be moving forward with OpenSSL 3 in base as-is. We will have to > fix ports to work with OpenSSL 3 regardless (though this does make that pain > in ports happen sooner). Moving libraries private can happen orthogonally > with getting base to work with OpensSL 3. Exactly. They're idependent problems. > > -- > John Baldwin -- Cheers, Cy Schubert FreeBSD UNIX: Web: https://FreeBSD.org NTP: Web: https://nwtime.org e^(i*pi)+1=0