[systemd-devel] RFC: Moving fully to OpenSSL (aka. stopping support for gnutls/gcrypt)?

Lennart Poettering lennart at poettering.net
Wed Dec 9 09:50:57 UTC 2020 

Heya!

Currently, some parts of the systemd tree link against OpenSSL, others
link against gnutls and libgcrypt, and even others support either,
controlled by a compile time switch.

This is of course less than ideal, since it means we need to maintain
needlessly complex, redundant code to support this, it's not complete
(as not all combinations are supported), and footprint for general
purpose distros is effectively doubled.

I think we should go OpenSSL all the way, and replace/drop support for
gnutls and libgcrypt, unifying on a single crypto library. This was
previously problematic since on Debian linking LGPL code against
OpenSSL was considered legally "unclean". This has recently changed
though:

https://github.com/systemd/systemd/pull/14743#issuecomment-739001595

Hence, given that the legal issues around going OpenSSL exclusively
all the way are gone, I think it's time to do the full switch. Hence
I'd like to propose that we start transitioning with depending only on
OpenSSL sooner or later. This means:

1. Porting the currently remaining GnuTLS/gcrypt-only code over to openssl

2. Dropping redundant implementations for gnutls/gcrypt where we
   already have openssl support

3. Require for new code to be openssl-only.

Ultimately this should provide us with a smaller codebase, smaller OS
footprint and easier maintainance.

Before we make this decision and switch over I'd like to hear opinions
on this, though. Maybe I am missing something, and there are other
reasons why people want to keep gnutls/gcrypt support around?

Why unify on OpenSSL instead of doing it the other way and unify on
gnutls + gcrypt, btw? We don't really have any horse in that race. All
crypto libraries have well documented issues, like any code. It
appears to me though that OpenSSL has the more active and larger
community and wider industry support. It appears to me that dropping
gntuls/gcrypt frrom the basic OS package set is easier to reach then
dropping OpenSSL. In the interest of making the minimal set of OS
packages required to boot a system smaller I think OpenSSL is the
better choice.

The fabled future OpenSSL 3 release is supposed to come with a changed
license, which will attack the Debian license incompatibility from
another angle btw. It was supposed to be released many months ago
already, afaiu, but that unfortunately never happened. So far we were
counting on this to resolve the licensing situation around crypto
libraries. Due to the Debian change I figure we can speed up things
now, though.

Lennart

--
Lennart Poettering, Berlin

More information about the systemd-devel mailing list