<div dir="ltr"><div> I think it's an excellent idea.<br><br></div><div>Question: Currently systemd-importd still has an indirect dependency on libgcrypt through it depending on the gnupg binary for signatures.<br></div><div>Would it maybe be an idea to add support for other signature schemes to importd that can be directly implemented with openssl?<br><br></div><div>A good start would be to support PKCS#7 signatures. But we could also opt for something more simple akin to OpenBSD signify (A simple ed25519 signature over a hash).<br><br></div><div>I personally work around this by having built <a href="https://ruuda.github.io/tako/">https://ruuda.github.io/tako/</a> with a colleague which I use to download and verify nspawn container images. But it would be cool if importd could natively support signature checking with other backends than GnuPG.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Dec 9, 2020 at 10:51 AM Lennart Poettering <<a href="mailto:lennart@poettering.net">lennart@poettering.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Heya!<br>
<br>
Currently, some parts of the systemd tree link against OpenSSL, others<br>
link against gnutls and libgcrypt, and even others support either,<br>
controlled by a compile time switch.<br>
<br>
This is of course less than ideal, since it means we need to maintain<br>
needlessly complex, redundant code to support this, it's not complete<br>
(as not all combinations are supported), and footprint for general<br>
purpose distros is effectively doubled.<br>
<br>
I think we should go OpenSSL all the way, and replace/drop support for<br>
gnutls and libgcrypt, unifying on a single crypto library. This was<br>
previously problematic since on Debian linking LGPL code against<br>
OpenSSL was considered legally "unclean". This has recently changed<br>
though:<br>
<br>
<a href="https://github.com/systemd/systemd/pull/14743#issuecomment-739001595" rel="noreferrer" target="_blank">https://github.com/systemd/systemd/pull/14743#issuecomment-739001595</a><br>
<br>
Hence, given that the legal issues around going OpenSSL exclusively<br>
all the way are gone, I think it's time to do the full switch. Hence<br>
I'd like to propose that we start transitioning with depending only on<br>
OpenSSL sooner or later. This means:<br>
<br>
1. Porting the currently remaining GnuTLS/gcrypt-only code over to openssl<br>
<br>
2. Dropping redundant implementations for gnutls/gcrypt where we<br>
already have openssl support<br>
<br>
3. Require for new code to be openssl-only.<br>
<br>
Ultimately this should provide us with a smaller codebase, smaller OS<br>
footprint and easier maintenance.<br>
<br>
Before we make this decision and switch over I'd like to hear opinions<br>
on this, though. Maybe I am missing something, and there are other<br>
reasons why people want to keep gnutls/gcrypt support around?<br>
<br>
Why unify on OpenSSL instead of doing it the other way and unify on<br>
gnutls + gcrypt, btw? We don't really have any horse in that race. All<br>
crypto libraries have well documented issues, like any code. It<br>
appears to me though that OpenSSL has the more active and larger<br>
community and wider industry support. It appears to me that dropping<br>
gnutls/gcrypt from the basic OS package set is easier to reach than<br>
dropping OpenSSL. In the interest of making the minimal set of OS<br>
packages required to boot a system smaller I think OpenSSL is the<br>
better choice.<br>
<br>
The fabled future OpenSSL 3 release is supposed to come with a changed<br>
license, which will attack the Debian license incompatibility from<br>
another angle btw. It was supposed to be released many months ago<br>
already, afaiu, but that unfortunately never happened. So far we were<br>
counting on this to resolve the licensing situation around crypto<br>
libraries. Due to the Debian change I figure we can speed up things<br>
now, though.<br>
<br>
Lennart<br>
<br>
--<br>
Lennart Poettering, Berlin<br>
_______________________________________________<br>
systemd-devel mailing list<br>
<a href="mailto:systemd-devel@lists.freedesktop.org" target="_blank">systemd-devel@lists.freedesktop.org</a><br>
<a href="https://lists.freedesktop.org/mailman/listinfo/systemd-devel" rel="noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/systemd-devel</a><br>
</blockquote></div><br clear="all"><br>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><span><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Arian van Putten</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap"> </span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">l Software Engineer</span><span style="font-size:12pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"></span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:9.5pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">@arian_wire o</span><span style="font-size:9.5pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">n Wire</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><a href="https://wire.com/en/download/" target="_blank"><span style="font-size:9.5pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Wire</span></a><span style="font-size:9.5pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"> - Secure team messaging.</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:9.5pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"> </span><span 
style="font-size:9.5pt;font-family:Arial;color:rgb(204,204,204);background-color:transparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap">Zeta Project Germany GmbH </span><span style="font-size:9.5pt;font-family:Arial;color:rgb(204,204,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">l </span><a href="https://maps.google.com/?q=Rosenthaler+Stra%C3%9Fe+40,%C2%A0+10178+Berlin,%C2%A0+Germany&entry=gmail&source=g" target="_blank"><span style="font-size:9.5pt;font-family:Arial;background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Rosenthaler Straße 40, 10178 Berlin, Germany</span></a><span style="font-size:9.5pt;font-family:Arial;color:rgb(0,0,0);background-color:transparent;vertical-align:baseline;white-space:pre-wrap"> </span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:9.5pt;font-family:Arial;color:rgb(204,204,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">Geschäftsführer/Managing Director: Morten J. Broegger</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:9.5pt;font-family:Arial;color:rgb(204,204,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">HRB 149847 beim Handelsregister Charlottenburg, Berlin</span></p><p dir="ltr" style="line-height:1.38;margin-top:12pt;margin-bottom:12pt"><span style="font-size:9.5pt;font-family:Arial;color:rgb(204,204,204);background-color:transparent;vertical-align:baseline;white-space:pre-wrap">VAT-ID DE288748675</span></p></span></div></div>
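A sketch of the signify-style scheme mentioned above (an ed25519 signature over a SHA-256 digest of the image, bound to a short key ID so a verifier can pick the right trusted key), added here as an example; it is not code from systemd-importd, tako, or this thread. It uses Go's standard library instead of OpenSSL's EVP API, and the 8-byte key ID derivation is an assumption modelled after signify's key number.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signature holds what a signify-style detached signature carries:
// an identifier of the signing key and the raw ed25519 signature.
type Signature struct {
	KeyID [8]byte
	Sig   []byte
}

// keyID derives a short identifier from the public key (assumption:
// first 8 bytes of SHA-256(pub), loosely modelled after signify's keynum).
func keyID(pub ed25519.PublicKey) [8]byte {
	var id [8]byte
	h := sha256.Sum256(pub)
	copy(id[:], h[:8])
	return id
}

// SignImage signs the SHA-256 digest of an image with an ed25519 key.
func SignImage(priv ed25519.PrivateKey, image []byte) Signature {
	digest := sha256.Sum256(image)
	pub := priv.Public().(ed25519.PublicKey)
	return Signature{KeyID: keyID(pub), Sig: ed25519.Sign(priv, digest[:])}
}

// VerifyImage checks a downloaded image against one trusted public key:
// the key ID must match and the signature must verify over the digest.
func VerifyImage(pub ed25519.PublicKey, image []byte, s Signature) error {
	if s.KeyID != keyID(pub) {
		return errors.New("signature was made by a different key")
	}
	digest := sha256.Sum256(image)
	if !ed25519.Verify(pub, digest[:], s.Sig) {
		return errors.New("signature does not match image contents")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	image := []byte("constructed stand-in for an nspawn image tarball") // constructed sample
	sig := SignImage(priv, image)
	fmt.Println("genuine image:", VerifyImage(pub, image, sig))
	tampered := bytes.Replace(image, []byte("nspawn"), []byte("other"), 1)
	fmt.Println("tampered image:", VerifyImage(pub, tampered, sig))
}
```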