author: Repository mirror & CI <repomirrorci@gentoo.org> 2021-10-22 19:06:29 +0000
committer: Repository mirror & CI <repomirrorci@gentoo.org> 2021-10-22 19:06:29 +0000
commit: 5836a105dec7c709f3206b9d013b664ac237bc54
tree: 195dcb313155d41659dec2874168c15783c345a5 /metadata/news
parent: Merge updates from master
parent: 2021-10-17-openssl-bindist-removal: openssl USE=bindist removal
Merge commit 'e91fb8d1fae984eead80975412f3a1029ac099ab'
Diffstat (limited to 'metadata/news')
-rw-r--r-- metadata/news/2021-10-17-openssl-bindist-removal/2021-10-17-openssl-bindist-removal.en.txt 38
1 files changed, 38 insertions, 0 deletions
diff --git a/metadata/news/2021-10-17-openssl-bindist-removal/2021-10-17-openssl-bindist-removal.en.txt b/metadata/news/2021-10-17-openssl-bindist-removal/2021-10-17-openssl-bindist-removal.en.txt
new file mode 100644
index 000000000000..ca6c6e651348
--- /dev/null
+++ b/metadata/news/2021-10-17-openssl-bindist-removal/2021-10-17-openssl-bindist-removal.en.txt
@@ -0,0 +1,38 @@
+Title: dev-libs/openssl USE=bindist removal
+Author: Robin H. Johnson <robbat2@gentoo.org>
+Posted: 2021-10-17
+Revision: 1
+News-Item-Format: 2.0
+Display-If-Installed: dev-libs/openssl[bindist]
+
+On 2021-11-19, the base-system team will remove USE=bindist
+behavior from dev-libs/openssl, per bug #762850 [1].
+
+Users should not experience any ABI incompatibilities that
+require recompilation when moving from
+dev-libs/openssl[bindist] to dev-libs/openssl[-bindist].
+
+However, moving back in future may recompile if any binaries
+of their systems depend on the additional symbols available
+with USE=-bindist.
+
+USE=bindist on dev-libs/openssl historically applied RedHat
+work, called hobble-openssl [2], that was intended to make
+OpenSSL "safe" to distribute with regards to various
+patents, in the opinion of RedHat's legal counsel. The
+hobble-openssl, in it's last iterations, it greatly
+restricted which parts of EC (elliptic curve) were available
+[3][4]
+
+Debian & Ubuntu do not apply any similar behavior, and
+Gentoo intends to follow Debian's lead with regards to
+OpenSSL hobble-openssl moving forward.
+
+[1] https://bugs.gentoo.org/762850
+[2] Multiple files:
+ https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/hobble-openssl
+ https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/ectest.c
+ https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/ec_curve.c
+ https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0011-Remove-EC-curves.patch
+[3] https://archives.gentoo.org/gentoo-dev/message/f0d16240bb0dd1ff38fb5223bec810ab
+[4] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#system-wide-crypto-policies_using-the-system-wide-cryptographic-policies
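Review bot: The sentence beginning "The hobble-openssl, in it's last iterations, it greatly restricted" has a doubled subject, "it's" where "its" is meant, and no closing period after "[3][4]"; suggest "In its last iterations, hobble-openssl greatly restricted which parts of EC (elliptic curve) were available [3][4]." The earlier paragraph "However, moving back in future may recompile if any binaries of their systems depend on" reads as if the move itself recompiles; "may require recompilation if any binaries on their systems depend on" would match the wording of the paragraph before it. The closing "with regards to OpenSSL hobble-openssl moving forward" would be clearer as "with regard to hobble-openssl going forward". The item gives the removal date and says no ABI breakage is expected, but it does not say whether users who have USE=bindist set on dev-libs/openssl need to take any action before or after 2021-11-19; one sentence stating that explicitly would make the item actionable for the readers selected by Display-If-Installed.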