From: "Robin H. Johnson" <robb...@gentoo.org> Signed-off-by: Robin H. Johnson <robb...@gentoo.org> --- .../2021-10-17-openssl-bindist-removal.en.txt | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 2021-10-17-openssl-bindist-removal/2021-10-17-openssl-bindist-removal.en.txt
diff --git 2021-10-17-openssl-bindist-removal/2021-10-17-openssl-bindist-removal.en.txt 2021-10-17-openssl-bindist-removal/2021-10-17-openssl-bindist-removal.en.txt new file mode 100644 index 0000000..ca6c6e6 --- /dev/null +++ 2021-10-17-openssl-bindist-removal/2021-10-17-openssl-bindist-removal.en.txt @@ -0,0 +1,38 @@ +Title: dev-libs/openssl USE=bindist removal +Author: Robin H. Johnson <robb...@gentoo.org> +Posted: 2021-10-17 +Revision: 1 +News-Item-Format: 2.0 +Display-If-Installed: dev-libs/openssl[bindist] + +On 2021-11-19, the base-system team will remove USE=bindist +behavior from dev-libs/openssl, per bug #762850 [1]. + +Users should not experience any ABI incompatibilities that +require recompilation when moving from +dev-libs/openssl[bindist] to dev-libs/openssl[-bindist]. + +However, moving back in future may recompile if any binaries +of their systems depend on the additional symbols available +with USE=-bindist. + +USE=bindist on dev-libs/openssl historically applied RedHat +work, called hobble-openssl [2], that was intended to make +OpenSSL "safe" to distribute with regards to various +patents, in the opinion of RedHat's legal counsel. The +hobble-openssl, in it's last iterations, it greatly +restricted which parts of EC (elliptic curve) were available +[3][4] + +Debian & Ubuntu do not apply any similar behavior, and +Gentoo intends to follow Debian's lead with regards to +OpenSSL hobble-openssl moving forward. + +[1] https://bugs.gentoo.org/762850 +[2] Multiple files: + https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/hobble-openssl + https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/ectest.c + https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/ec_curve.c + https://src.fedoraproject.org/rpms/openssl/blob/rawhide/f/0011-Remove-EC-curves.patch +[3] https://archives.gentoo.org/gentoo-dev/message/f0d16240bb0dd1ff38fb5223bec810ab +[4] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening#system-wide-crypto-policies_using-the-system-wide-cryptographic-policies -- 2.33.1
