OpenSSL with Elliptic Curve

Hans de Goede j.w.r.degoede at gmail.com
Sun May 12 11:21:10 CEST 2013


Hi,

On 05/12/2013 08:46 AM, Jeff Mendoza wrote:
> Hi,
>
> I have worked a bit on:
>
>    Request: OpenSSL with Elliptic Curve, IDEA, MDC-2, RC5 crypto algorithms
>    Summary: The OpenSSL toolkit provides support for secure communications between machines.
>    URL: http://www.openssl.org/
>    Why not in Fedora: Because of the problem with software patents: https://bugzilla.redhat.com/show_bug.cgi?id=319901
>    Notes: OpenSSL is included in Fedora but with Elliptic Curve, IDEA, MDC-2, RC5 crypto algorithms disabled.
>
> from the http://rpmfusion.org/Wishlist.
>
> I have a building and working rpm, but I don't know what the name/version should be. Is there a standard for packages that replace one in Fedora? I thought of calling it openssl-ec, and having it conflict with openssl, but you can't use yum to replace it without removing openssl and all its dependent packages. Using 'rpm -e --nodeps' and then installing the replacement works fine.

Hmm, I didn't know we had this on our wish list. I must say that given the security implications,
I'm not really enthusiastic about having a replacement for openssl in rpmfusion.

We do sometimes use conflicts for -freeworld versions of applications which are built with extra
features.

But for libraries we should never use Conflicts, as they may change soname and then things will break
hard. The usual approach is instead to install the rpmfusion version of the lib into a subdir
of %{_libdir} and then drop in a .conf file into /etc/ld.so.conf.d/ adding that dir to the search path
(such a dir will then be searched before %{_libdir}).

Given the special nature of openssl and its tendency to change soname every other release, the only
acceptable solution to me would be to:
1) Not Conflict
2) Put the openssl so file in a subdir of %{_libdir}
3) Provide an example file for /etc/ld.so.conf.d/ as %doc
4) Add a README.rpmfusion explaining that the example file needs to be copied by the admin to
/etc/ld.so.conf.d/  and containing a big fat warning that rpmfusion cannot guarantee timely
security updates to its openssl package, and that the admin may need to disable it, falling back
to the rpmfusion version, when a security update to openssl is needed.

Note that this means that a simple "yum install openssl-freeworld" will do nothing but eat some
disk-space. This is by design, so that people doing "yum install openssl*" or
"yum install *-freeworld" don't accidentally start depending on our openssl. The move to rpmfusion
ssl REALLY needs to be a conscious decision, not a side effect of a badly constructed yum command.

Regards,

Hans
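
An added example, not part of the original message or of any rpmfusion package: a check an admin can run to see whether a file in /etc/ld.so.conf.d/ has activated a replacement OpenSSL of the kind described above. The directory name `openssl-freeworld` under the library directory, the soname `libssl.so.10` and the sample tree are constructed assumptions.

```sh
#!/bin/sh
# Report ld.so.conf.d entries whose directory holds a libssl/libcrypto,
# i.e. a directory that, per the message above, is searched before %{_libdir}.
# ROOT ("" for the live system) lets the check run on a constructed tree.
find_openssl_overrides() {
    root=${1:-}
    for conf in "$root"/etc/ld.so.conf.d/*.conf; do
        [ -f "$conf" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            # Drop comments and surrounding whitespace.
            dir=$(printf '%s\n' "$line" |
                sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//')
            case $dir in
                /*) ;;            # a directory entry
                *) continue ;;    # blank line, "include" directive, etc.
            esac
            for lib in "$root$dir"/libssl.so* "$root$dir"/libcrypto.so*; do
                [ -e "$lib" ] || continue
                # Output: conf file <TAB> directory <TAB> library
                printf '%s\t%s\t%s\n' "${conf#"$root"}" "$dir" "${lib##*/}"
            done
        done < "$conf"
    done
    return 0
}

# Constructed sample tree (hypothetical paths): one activated override and
# one unrelated ld.so.conf.d entry that contains no OpenSSL libraries.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/ld.so.conf.d" "$t/usr/lib64/openssl-freeworld" \
             "$t/usr/lib64/mysql"
    : > "$t/usr/lib64/libssl.so.10"
    : > "$t/usr/lib64/openssl-freeworld/libssl.so.10"
    : > "$t/usr/lib64/openssl-freeworld/libcrypto.so.10"
    printf '# copied from %%doc by the admin\n/usr/lib64/openssl-freeworld\n' \
        > "$t/etc/ld.so.conf.d/openssl-freeworld.conf"
    printf '/usr/lib64/mysql\n' > "$t/etc/ld.so.conf.d/mysql.conf"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree) && find_openssl_overrides "$tree"
rm -rf "$tree"
```

On a live system, `find_openssl_overrides ""` lists the active entries; an empty result means no ld.so.conf.d directory supplies its own OpenSSL libraries.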

