dev-libs/openssl[bindist] update per EC patents expiring #18894

Closed
wants to merge 4 commits into from


mgorny
Member

@mgorny mgorny commented Jan 1, 2021

No description provided.

@gentoo-bot

Pull Request assignment

Submitter: @mgorny
Areas affected: ebuilds
Packages affected: dev-libs/openssl, net-libs/ldns, net-misc/openssh

dev-libs/openssl: @gentoo/base-system
net-libs/ldns: @mschiff
net-misc/openssh: @gentoo/base-system

Linked bugs

Bugs linked: 762850


In order to force reassignment and/or bug reference scan, please append [please reassign] to the pull request title.

Docs: Code of Conduct ● Copyright policy (expl.) ● Devmanual ● GitHub PRs ● Proxy-maint guide

@gentoo-bot added the labels "assigned" (PR successfully assigned to the package maintainer(s).) and "bug linked" (Bug/Closes found in footer, and cross-linked with the PR.) on Jan 1, 2021
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-01-01 11:19 UTC
Newest commit scanned: c16db49
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/084c1de1e8/output.html

@Whissi
Contributor

Whissi commented Jan 1, 2021

Thank you for your PR but @gentoo/base-system will handle OpenSSL on our own.

For the record, SM2 got disabled in the last bump (2915b99) because the hobble patch is breaking SM2. However, Fedora (hobble patch upstream) don't care about SM2 because they have it disabled for political reasons (China!). Gentoo had to decide whether to fork and fix the hobble patch or just disable SM2 when applying the hobble patch, allowing us to keep using the upstream patch without any changes, and we chose the latter to make maintenance easier.

Contributor

@floppym floppym left a comment


The changes look good to me.

@mattst88
Contributor

mattst88 commented Jan 1, 2021

> Thank you for your PR but @gentoo/base-system will handle OpenSSL on our own.

This is really territorial. You should stop that.

@floppym
Contributor

floppym commented Jan 1, 2021

After reading Whissi's notes more carefully, I guess he is saying we don't need to keep "sm2" behind bindist when we drop the EC-related logic.

@Whissi
Contributor

Whissi commented Jan 1, 2021

This wasn't meant to be territorial. But this PR is also the perfect example of why people not maintaining a package shouldn't come up with a PR making a change they don't understand. It's a waste of time doing things twice. So I thanked the author and told him the project (probably me because I did most of the 1.1.x work in the past) will take care of this.

@floppym
Contributor

floppym commented Jan 1, 2021

> But this PR is also the perfect example why people not maintaining a package shouldn't come up with a PR making a change they don't understand.

This seems more like the perfect example of why you should document things like this.

@mattst88
Contributor

mattst88 commented Jan 9, 2021

So a week later, since you've asked others to stay off your lawn, can we expect you to mow it?

@Whissi
Contributor

Whissi commented Jan 9, 2021

Thank you for your friendly reminder! I am sure you are following the bug behind this PR and have noticed no progress. So based on my little research we are still not ready to proceed here:

  • USE=bindist was added around commit 214b83b4e311c017258d450aae81c04652d8bce1.
  • The original commit said USE=bindist was added because of patents and mentioned 2015 as the latest expiration date; this date was changed later to '??, ??, 2020' and it is not clear why it changed, if the patents are really expired or if we need to adjust the date again
  • It's still not 100% clear what is covered by USE=bindist at all because additional ciphers/algorithms were added to/removed from the USE=bindist restriction over time without proper documentation
  • So if we want to remove the restriction, only the foundation can give approval for this change as it was added because the foundation had legal liability concerns.

@floppym
Contributor

floppym commented Jan 9, 2021

> So if we want to remove the restriction, only the foundation can give approval for this change as it was added because the foundation had legal liability concerns.

I would really like to see evidence of this claim. By the "foundation", I assume you mean its trustees. Where/when did they express these concerns?

@Whissi
Contributor

Whissi commented Jan 10, 2021

From commit bdd5c9e:

> As resolved in the Foundation Trustees meeting 2017/10/22 [...]

Anyway, thanks for your suggestion. I am now re-assigning the bug to get their approval to make progress.

@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-09-12 09:44 UTC
Newest commit scanned: 44d2fe7
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/f9f17508ea/output.html

@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-09-12 11:24 UTC
Newest commit scanned: 008bd2b
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/71fe6bdd15/output.html

@mgorny mgorny force-pushed the openssl-bindist branch 2 times, most recently from 6021f5b to 0f41323 Compare September 12, 2021 16:20
Now that all EC-related patents have expired, we can reenable them
unconditionally.  The revdeps seem to already depend on 'bindist(-)',
so we can remove the bindist flag altogether.

Closes: https://bugs.gentoo.org/762850
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Closes: https://bugs.gentoo.org/812653
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Signed-off-by: Michał Górny <mgorny@gentoo.org>
@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-09-12 16:29 UTC
Newest commit scanned: 0f41323
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/31a2bf5381/output.html

@gentoo-repo-qa-bot
Collaborator

Pull request CI report

Report generated at: 2021-09-12 16:39 UTC
Newest commit scanned: 254e616
Status: ✅ good

There are existing issues already. Please look into the report to make sure none of them affect the packages in question:
https://qa-reports.gentoo.org/output/gentoo-ci/3c00227656/output.html

Member

@thesamesam thesamesam left a comment


  • Debian don't seem to be disabling things
  • Fedora still are with their patch
  • I've not seen any specific references to which patents we're supposedly protected from with USE=bindist, or whether it is truly exhaustive.
  • (While not understanding doesn't mean it doesn't apply, I don't see how binary redistribution is different to the source code anyway.)

Unless the Gentoo Foundation gets specific legal advice, I really don't see the need to apply this to one package. Especially now that we ended up dropping it (and updating all revdeps...) for OpenSSL 3.x anyway, even though Fedora have a patch available now.

@thesamesam
Member

Note that an ML discussion began here and Robin commented on the bindist situation here.

@thesamesam
Member

@thesamesam thesamesam closed this Dec 3, 2021
@thesamesam
Member

Feel free to reopen for the RC5 bit.

gentoo-bot pushed a commit that referenced this pull request Dec 3, 2021
Bug: https://bugs.gentoo.org/762850
Signed-off-by: Michał Górny <mgorny@gentoo.org>
Closes: #18894
Signed-off-by: Sam James <sam@gentoo.org>