[systemd-devel] Antw: [EXT] RFC: Moving fully to OpenSSL (aka. stopping support for gnutls/gcrypt)?

Wed Dec 9 09:55:50 UTC 2020

>>> Lennart Poettering <lennart at poettering.net> schrieb am 09.12.2020 um 10:50
in
Nachricht <20201209095057.GA30977 at gardel-login>:
> Heya!
> 
> Currently, some parts of the systemd tree link against OpenSSL, others
> link against gnutls and libgcrypt, and even others support either,
> controlled by a compile time switch.
> 
> This is of course less than ideal, since it means we need to maintain
> needlessly complex, redundant code to support this, it's not complete
> (as not all combinations are supported), and footprint for general
> purpose distros is effectively doubled.
> 
> I think we should go OpenSSL all the way, and replace/drop support for
> gnutls and libgcrypt, unifying on a single crypto library. This was
> previously problematic since on Debian linking LGPL code against
> OpenSSL was considered legally "unclean". This has recently changed
> though:

What about this:
Have a mechanism to select either gnutls or openssl for everything.
Then see how many people will use gnutls and how many will use openssl.
Then decide what to do.

> 
> https://github.com/systemd/systemd/pull/14743#issuecomment‑739001595 
> 
> Hence, given that the legal issues around going OpenSSL exclusively
> all the way are gone, I think it's time to do the full switch. Hence
> I'd like to propose that we start transitioning with depending only on
> OpenSSL sooner or later. This means:
> 
> 1. Porting the currently remaining GnuTLS/gcrypt‑only code over to openssl
> 
> 2. Dropping redundant implementations for gnutls/gcrypt where we
>    already have openssl support
> 
> 3. Require for new code to be openssl‑only.
> 
> Ultimately this should provide us with a smaller codebase, smaller OS
> footprint and easier maintainance.
> 
> Before we make this decision and switch over I'd like to hear opinions
> on this, though. Maybe I am missing something, and there are other
> reasons why people want to keep gnutls/gcrypt support around?
> 
> Why unify on OpenSSL instead of doing it the other way and unify on
> gnutls + gcrypt, btw? We don't really have any horse in that race. All
> crypto libraries have well documented issues, like any code. It
> appears to me though that OpenSSL has the more active and larger
> community and wider industry support. It appears to me that dropping
> gntuls/gcrypt frrom the basic OS package set is easier to reach then
> dropping OpenSSL. In the interest of making the minimal set of OS
> packages required to boot a system smaller I think OpenSSL is the
> better choice.
> 
> The fabled future OpenSSL 3 release is supposed to come with a changed
> license, which will attack the Debian license incompatibility from
> another angle btw. It was supposed to be released many months ago
> already, afaiu, but that unfortunately never happened. So far we were
> counting on this to resolve the licensing situation around crypto
> libraries. Due to the Debian change I figure we can speed up things
> now, though.
> 
> Lennart
> 
> ‑‑
> Lennart Poettering, Berlin
> _______________________________________________
> systemd‑devel mailing list
> systemd‑devel at lists.freedesktop.org 
> https://lists.freedesktop.org/mailman/listinfo/systemd‑devel 