Upgrade OpenSSL #5984
Comments
|
The issue with OpenSSL 3 is that ST relies on python 3.3, which only supports OpenSSL 1.0. To avoid packaging issues we ship OpenSSL libraries on all platforms. |
|
Is there any plan to upgrade Python also to a non-EOL version of 10 years? |
|
We also ship Python 3.8. Python 3.3 is for backwards compatibility with plugins and thus can't be upgraded without breaking functionality. Up until very recently we shipped both OpenSSL 1.0 and 1.1 but with a lot of effort we backported 1.1 to python 3.3 in build 4145. It's unlikely OpenSSL 3 will be backported to Python 3.3 any time soon, especially when there's little security to be gained from doing so. For reference package control uses the oscrypto library instead of the packaged OpenSSL to avoid security issues. Similarly updates are not done using OpenSSL. |
|
Isn't there a point where this strategy does not work out and you will have to abandon the old python and is there a roadmap? I would rather refrain from some plugins than keeping a maybe some-when security hazard? Also is there a possibility on package-control or somewhere to see if / what python-version it's using to at least avoid using plugins that use these old python-version? Is the plugin-host itself python 3.8+ compatible so I could use a newer version if I don't use plugins require the old version? |
|
All packages compatible with python 3.8 contain a Dropping python 3.3 will however render 99.8% of all packages/plugins useless. Nearly none has been migrated to python 3.8 and it is very unlikely to happen any time soon (at all). With some luck most open-source packages run without any code changes, but ST requires them to contain the said .python-version file to opt-in to py3.8 With most packages being no longer maintained there's little chance to get that file into existing repos. There's the idea of providing required "flag" via Package Control's channel.json upstream, but this requires PC4.0 to be released. While client is (IMHO) ready to go, we need to wait for required packagecontrol.io changes to be made upstream to get started. After that some volunteers need to visit each of the 5k packages, check whether they run on py38 and flag them in PC's channel. Will there be enough to get that job done? Beyound that some famous packages ship compiled py33 plugins only. Those can't be migrated by someone else, than original author. So either go the hard (Kodi) way and just drop 99.8% of packages or keep python 3.3 alive. Concerns are paranoid with an objective look at OpenSSL's usage in ST plugins. Nearly none makes use of network functionality at all. Package Control uses wininet.dll on Windows by default and urllib on Linux/Mac. The latter indeed relies on ST's OpenSSL. But even PC3.4's oscrypto library only supports OpenSSL 1.1, which has been the cause of trouble for Mac users recently. PC4.0 shipps latest available oscrypto which uses OpenSSL3 if available - but that's not the standard driver. EDIT: oscrypto downloader uses ST's OpenSSL library on Linux as it would cause issues otherwise as it seems. |
ST starts two separate processes, a plugin_host-3.3 and a plugin_host-3.8 without regards to whether plugins are present or not. |
That sounds like a case for assuming Python 3.8 by default at some point, perhaps? Is it fair to say the current strategy is not scaling? What will happen when 3.8 is “too old”? |
|
With most packages/plugins just being dropped but never seriously maintained, the answer with regards to scaling is probably "yes". Assuming backward compatibility would at least not work well for compiled modules or those relying on (compiled) libraries/dependencies. It would currently also break all plugins, which rely on libraries/dependencies, as Package Control 3.x can't deal with both plugin_hosts at the same time. Not an issue so far, but maybe a new plugin_host may introduce breaking API changes, which need little adjustments to some plugins. So at least a review might be needed to ensure everything keeps working. The one way or the other. Changing plugin hosts needs adjustments here and there and can't be handled automatically. |
|
Would it work to provide a dummy version of |
|
@deathaxe Why the downvote on that suggestion? As you point out:
So objectively there is no issue simply removing OpenSSL 1.1. While the prospect of "all plugins must be updated or abandoned" is quite hairy, one of "the few plugins making use of network functionality must be updated or abandoned" seems a lot less so and an actually sustainable way forward? |
|
Update on the scenario on NixOS: 23.05 has shipped and Sublime Text is now indirectly marked as an insecure package. To be clear: Sublime Text no longer has an installable version in a default nixpkgs configuration. |
|
OpenSSL is shipped for a reason. Some plugins use it (via Using latest OpenSSL is nothing python based plugins can (easily) fix on their end. Loading a 2nd openssl lib into python environement may even cause conflicts. On the other hand no risk is to be concerned by plugins not making use of it. But finally it's up to sublimehq to decide how to cope with this request. I am just a user. |
|
Thanks. That's helpful information. The OpenSSL migration guide says,
I wonder if it would be possible to modify the 3.3 plugin host to use OpenSSL 3.0. As far as I can tell, the hosts don't use the system-installed Python at all, and instead use a statically linked copy of |
|
I've just noticed that $ readelf -d plugin_host-3.3 | grep Shared
0x0000000000000001 (NEEDED) Shared library: [librt.so.1]
0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
0x0000000000000001 (NEEDED) Shared library: [libutil.so.1]
0x0000000000000001 (NEEDED) Shared library: [libm.so.6]
0x0000000000000001 (NEEDED) Shared library: [libpthread.so.0]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x0000000000000001 (NEEDED) Shared library: [ld-linux-x86-64.so.2]
$ readelf -d plugin_host-3.8 | grep Shared
0x0000000000000001 (NEEDED) Shared library: [librt.so.1]
0x0000000000000001 (NEEDED) Shared library: [libdl.so.2]
0x0000000000000001 (NEEDED) Shared library: [libcrypto.so.1.1]
0x0000000000000001 (NEEDED) Shared library: [libssl.so.1.1]
0x0000000000000001 (NEEDED) Shared library: [libutil.so.1]
0x0000000000000001 (NEEDED) Shared library: [libm.so.6]
0x0000000000000001 (NEEDED) Shared library: [libpthread.so.0]
0x0000000000000001 (NEEDED) Shared library: [libc.so.6]
0x0000000000000001 (NEEDED) Shared library: [ld-linux-x86-64.so.2] |
OK, so maybe backporting OpenSSL 3.0 to the 3.3 host isn't easy, then. However, I'm not sure why 3.8 is still using 1.1. If the 3.3 host uses a statically linked 1.1 and the 3.8 hosts used a dynamic 3.0, things would look OK from the outside. No deprecated dynamic library package would be needed from the OS. Or the 3.8 host could use a static copy of the library too. |
This changed in build 4145. Previously we statically linked openssl 1.0. |
Ah! I believe you simply misunderstood the suggestion then. The outline given the data you provided is this:
I don't see how that is not a very sustainable path forward, completely bypassing the SSL porting race? |
How small is the intersection according to you? |
I do not presume to make such a determination. As I explicited in the very comment you are replying to, all I have to go by is the conversation we are currently having. In that conversation, those datapoints were provided and then the opposite conclusion was drawn - which led to my puzzlement. Specifically for "how small", I am going off what you can see a stated and then quoted a bit further up:
I am taking the creative liberty of translating "nearly none" to "a small intersection". I can make the edit if you prefer I use the original language. |
They did indeed. Would you assume that the decision on that specific package is to abandon it rather than upgrade? |
I would say the opposite :) If you check the repository (https://github.com/wbond/package_control/tree/four-point-oh) there is tons of work already in the |
|
Package Control is THE package manager of Sublime Text. No normal user would realistically use ST without it since it would be a pain to manage packages otherwise. Abandoning it is clearly not an option. I believe that there is a new version of it in the works that might be using the 3.8 host but it has been in the works for many years now so not holding breath on this one. |
Nice :) Sensible foresight and rapidly approaching this aspect of OpenSSL upgrading being a non-issue :) |
Not sure about that. Many "AI coding" packages that are popular these days have to make requests to an API. |
Will this fix the issue of the Preferences menu options being greyed out (can't edit settings) if plugin_host fails to load? I continue to use ST under NixOS by overriding the openssl 1.1.1 dependency, but that apparently removes more than just plugin support. |
|
Could there be a setting that, if enabled, tells users (thus also plugin developers) when they use a package that's not compatible with Sublime's preferred more current Python version, and what those plugins are? Without a way to notice that this issue even exists, people will not fix it in their plugins. (I also wrote a plugin in Sublime Text 2 times and only learned of the concept of |
Do not do that. Despite the confusing error message, OpenSSL 1.1 is still supported and updated in NixOS for now. So the only thing you will achieve is breaking your installation – many of the Sublime Text features are implemented inside
No. The |
|
Tenable is flagging openssl in sublime: https://www.tenable.com/plugins/nessus/171079 Path : /opt/sublime_text/libssl.so.1.1 Path : /opt/sublime_text/libcrypto.so.1.1 |
|
OpenSSL 1.1.1 was released on 11th September 2018, and so it will be considered EOL on 11th September 2023!!! It will no longer be receiving publicly available security fixes after that date. Sadly Sublime Merge does have the same issue. I will switch to VSCode until this is (hopefully) resolved... |
No it doesn't. We don't ship openssl with Sublime Merge, since there aren't any plugins. |
|
Well, to be fair, Sublime Merge 2090 ships with Git for Windows 2.39.1, which still uses openssl 1.1. Git for Windows 2.42.0 uses openssl3. |
|
Right, I was thinking of Linux where we don't ship git. |
|
Nobody wants to be using insecure software, but it sounds like the risk profile here is "if you use a plugin that depends on OpenSSL and a new vulnerability is discovered that won't be patched, that vulnerability could be exploited in that plugin." I'm not a security engineer, but that sounds like a relatively small exposure. It also sounds like you can patch the vulnerability down to 0 if you test the packages you use with One nice aspect of NixOS is that Sublime's dependency on an old OpenSSL doesn't leak into other applications. |
Unfortunately, we don't have the people to perform such in-depth analysis, and I think the past proved that this is hard to predict properly. Thus, we apply the principle of precaution first and foremost.
I am not sure how we can patch the vulnerability given that OpenSSL will not receive eyes anymore, so at some point, there will just be no report any more except for users with a subscription.
Certainly, but, OpenSSL 1.1.x is slated for removal for NixOS 24.05. |
Description of the bug
NixOS/nixpkgs#210452
OpenSSL 1.1 is flagged as insecure and will be removed for the next stable NixOS release as it's EOL 09/2023. I'm using sublime-text4 as primary editor (on a daily basis) and wanted to ensure that its on the radar to avoid issues ✌️
Steps to reproduce
Try to install sublime-text* on NixOS unstable or later on 23.05
Expected behavior
OpenSSL 3 or alternative used
Actual behavior
Sublime Text build number
4150
Operating system & version
NixOS unstable
(Linux) Desktop environment and/or window manager
Sway/Wayland
Additional information
No response
OpenGL context information
No response
The text was updated successfully, but these errors were encountered: