Date: Sun, 12 May 2013 11:21:10 +0200
From: j.w.r.degoede(a)gmail.com
To: rpmfusion-developers(a)lists.rpmfusion.org
Subject: Re: OpenSSL with Elliptic Curve
CC: jeffmendoza(a)live.com
Hi,
On 05/12/2013 08:46 AM, Jeff Mendoza wrote:
> Hi,
>
> I have worked a bit on:
>
> Request: OpenSSL with Elliptic Curve, IDEA, MDC-2, RC5 crypto algorithms
> Summary: The OpenSSL toolkit provides support for secure communications between machines.
> URL: http://www.openssl.org/
> Why not in Fedora: Because of the problem with software patents: https://bugzilla.redhat.com/show_bug.cgi?id=319901
> Notes: OpenSSL is included in Fedora but with Elliptic Curve, IDEA, MDC-2, RC5 crypto algorithms disabled.
>
> from the http://rpmfusion.org/Wishlist.
>
> I have a building and working rpm, but I don't know what the name/version should be.
> Is there a standard for packages that replace one in Fedora? I thought of calling it
> openssl-ec, and having it conflict with openssl, but you can't use yum to replace it
> without removing openssl and all its dependent packages. Using 'rpm -e --nodeps' and
> then installing the replacement works fine.
Hmm, I didn't know we had this on our wish list. I must say that given the security
implications, I'm not really enthusiastic about having a replacement for openssl in
rpmfusion.

We do sometimes use Conflicts for -freeworld versions of applications which are built
with extra features. But for libraries we should never use Conflicts, as they may change
soname and then things will break hard. The usual approach is instead to install the
rpmfusion version of the lib into a subdir of %{_libdir} and then drop in a .conf file
into /etc/ld.so.conf.d/ adding that dir to the search path (such a dir will then be
searched before %{_libdir}).

Given the special nature of openssl and its tendency to change soname every other
release, the only acceptable solution to me would be to:

1) Not Conflict
2) Put the openssl so file in a subdir of %{_libdir}
3) Provide an example file for /etc/ld.so.conf.d/ as %doc
4) Add a README.rpmfusion explaining that the example file needs to be copied by the
   admin to /etc/ld.so.conf.d/ and containing a big fat warning that rpmfusion cannot
   guarantee timely security updates to its openssl package, and that the admin may need
   to disable it, falling back to the rpmfusion version, when a security update to
   openssl is needed.

Note that this means that a simple "yum install openssl-freeworld" will do nothing but
eat some disk-space. This is by design, so that people doing "yum install openssl*" or
"yum install *-freeworld" don't accidentally start depending on our openssl. The move to
rpmfusion ssl REALLY needs to be a conscious decision, not a side effect of a badly
constructed yum command.
Regards,
Hans
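
A check to go with the README in step 4 above, as an added example (this is not code from the thread, from rpmfusion or from either openssl package): given `ldconfig -p` output, it reports whether the first libssl the loader will map lives in %{_libdir} (Fedora) or in a drop-in subdir (freeworld), plus the enable/disable switch an admin would run around a Fedora security update. The directory name /usr/lib64/openssl-freeworld, the drop-in name /etc/ld.so.conf.d/openssl-freeworld.conf, the %doc path and the cache excerpts are all assumptions, not names the thread fixes.

```shell
#!/bin/sh
# Added example, not code from the rpmfusion thread or from either package.
# Answers the question the README in step 4 raises: which libssl does a
# process on this host actually get, the Fedora one in %{_libdir} or the
# rpmfusion one in a subdir enabled via /etc/ld.so.conf.d/?
#
# Hypothetical names (the thread fixes none of them):
LIBDIR="${LIBDIR:-/usr/lib64}"                                  # %{_libdir} on x86_64
FREEWORLD_DIR="${FREEWORLD_DIR:-$LIBDIR/openssl-freeworld}"    # step 2: subdir of %{_libdir}
DROPIN="${DROPIN:-/etc/ld.so.conf.d/openssl-freeworld.conf}"   # step 3/4: admin-installed copy
EXAMPLE_CONF="${EXAMPLE_CONF:-/usr/share/doc/openssl-freeworld-libs/openssl-freeworld.conf}"

# first_match LIBNAME: read `ldconfig -p` output on stdin and print the path
# of the first entry whose soname is LIBNAME or LIBNAME.<version>
# (e.g. libssl.so matches libssl.so.10). Directories from ld.so.conf.d are
# searched before the trusted /lib64 and /usr/lib64, and among entries for the
# same soname the cache keeps that order, so the first hit is what ld.so maps.
first_match() {
    awk -v so="$1" '$1 == so || index($1, so ".") == 1 { print $NF; exit }'
}

# active_ssl_provider LIBNAME: classify the first match as
# fedora / freeworld / none. Input is `ldconfig -p` output on stdin.
active_ssl_provider() {
    path=$(first_match "$1")
    case "$path" in
        "")                 echo none ;;
        "$FREEWORLD_DIR"/*) echo freeworld ;;
        *)                  echo fedora ;;
    esac
}

# The conscious switch the thread insists on. Both need root; ldconfig
# rebuilds the cache so new processes see the change (already running daemons
# keep their current mapping until restarted). disable_freeworld_ssl is what
# an admin runs when a Fedora security update to openssl must take effect.
enable_freeworld_ssl()  { cp "$EXAMPLE_CONF" "$DROPIN" && ldconfig; }
disable_freeworld_ssl() { rm -f "$DROPIN" && ldconfig; }

# Constructed `ldconfig -p` excerpts (not captured from a real host).
# Fedora only: nothing but %{_libdir}.
SAMPLE_FEDORA='
	libssl.so.10 (libc6,x86-64) => /usr/lib64/libssl.so.10
	libcrypto.so.10 (libc6,x86-64) => /usr/lib64/libcrypto.so.10'
# With the drop-in installed: the subdir entries are listed first and win.
SAMPLE_FREEWORLD='
	libssl.so.10 (libc6,x86-64) => /usr/lib64/openssl-freeworld/libssl.so.10
	libssl.so.10 (libc6,x86-64) => /usr/lib64/libssl.so.10
	libcrypto.so.10 (libc6,x86-64) => /usr/lib64/openssl-freeworld/libcrypto.so.10
	libcrypto.so.10 (libc6,x86-64) => /usr/lib64/libcrypto.so.10'

# Stand-alone use: report the constructed cases, then the live host when
# ldconfig is on PATH.
printf 'constructed fedora-only cache: %s\n' "$(printf '%s\n' "$SAMPLE_FEDORA" | active_ssl_provider libssl.so)"
printf 'constructed drop-in cache:     %s\n' "$(printf '%s\n' "$SAMPLE_FREEWORLD" | active_ssl_provider libssl.so)"
if command -v ldconfig >/dev/null 2>&1; then
    printf 'this host:                     %s\n' "$(ldconfig -p 2>/dev/null | active_ssl_provider libssl.so)"
fi
```

Run it unprivileged to see where libssl currently resolves; the enable/disable functions are only for root and only rebuild the cache, so a daemon that must pick up a Fedora security fix still has to be restarted afterwards.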
I have worked on an openssl-freeworld-libs that satisfies the 4 requirements. It can be
installed next to openssl-libs and not interfere. I had to rename the conf file (and
patch the code), but the configuration directory is the same, so all your certs will be
there when you switch over.

I elected to have openssl-freeworld and openssl-freeworld-devel conflict with the regular
packages. openssl-freeworld has the binary openssl; this is not really needed, as the
change is in the lib, and the regular openssl binary will work with
openssl-freeworld-libs. openssl-freeworld-devel will conflict by installing the header
files in the usual place. I had to modify the pkg-config files in the devel package to
point to the new lib location.

If all this sounds good, I will follow the procedure to submit it for a review.
Thanks,
Jeff