Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

preferred sequoia-openpgp crypto backend #30

Open
decathorpe opened this issue Jan 28, 2023 · 16 comments
Open

preferred sequoia-openpgp crypto backend #30

decathorpe opened this issue Jan 28, 2023 · 16 comments

Comments

@decathorpe
Copy link

As of version 1.13.0 of sequoia-openpgp, OpenSSL is now a supported crypto backend in addition to nettle, and I'm currently working on updating the Fedora packages for this crate, so this version will be available soon.

When switching to rpm-sequoia for Fedora 38 was discussed, many people seemed to prefer OpenSSL over Nettle as crypto backend if / when that became available. Would it make sense to build rpm-sequoia in Fedora with the openssl backend now? I can provide test builds in COPR if pushing it to rawhide "production" directly is not considered a good idea :)

@nwalfield
Copy link
Collaborator

I think the main people involved in the OpenSSL vs Nettle discussion on Fedora devel mailing list were: @pmatilai , @paulwouters , and @simo5. Perhaps they can share their opinion.

@pmatilai
Copy link
Member

I think https://bugzilla.redhat.com/show_bug.cgi?id=2130122 would be a better place to discuss that Fedora specific decision, but since we're already here:

The short answer: yes.

The longer answer is that it may not be crucial to Fedora, but AIUI RHEL will want openssl and so the sooner we switch to that in Fedora, the more testing it will get -> the better. I'd update sequoia-openpgp to 1.13.0 first, give it a couple of days of spin in rawhide just in case and then flip it over to openssl. Should it blow up, you can always just untag the build 😇

@paulwouters
Copy link

paulwouters commented Jan 30, 2023 via email

@simo5
Copy link

simo5 commented Jan 30, 2023

@decathorpe the reason to switch to OpenSSL is that OpenSSL has a stable ABI, while Nettle makes no promises, I think this is kind of important considering upgrade paths.
Secondarily, in RHEL we FIPS certify OpenSSL, but not nettle standalone (nettle is only certified as part of GnuTLS), so OpenSSL is more compliant.

@decathorpe
Copy link
Author

I think https://bugzilla.redhat.com/show_bug.cgi?id=2130122 would be a better place to discuss that Fedora specific decision, but since we're already here:

The default backend is defined in the upstream project, here:
https://github.com/rpm-software-management/rpm-sequoia/blob/main/Cargo.toml#L47
Which is why I thought it would be good to talk about changing the default in upstream, which Fedora could then follow.

The short answer: yes.

The longer answer is that it may not be crucial to Fedora, but AIUI RHEL will want openssl and so the sooner we switch to that in Fedora, the more testing it will get -> the better. I'd update sequoia-openpgp to 1.13.0 first, give it a couple of days of spin in rawhide just in case and then flip it over to openssl. Should it blow up, you can always just untag the build innocent

Ok, sequoia-openpgp 1.13.0 is already in Rawhide, and it doesn't look like it's causing any build issues. I haven't merged the update to F37 and F36 yet because the OpenSSL test suite fails with OpenSSL < 3.0.7, but the failure looks harmless:
https://gitlab.com/sequoia-pgp/sequoia/-/issues/979

Sounds like there is a general consensus that - while it's not as important in Fedora as it will be in RHEL - OpenSSL crypto backend would be preferred to Nettle. I will prepare a PR to change the defaults, and will provide test builds in a COPR.

@decathorpe
Copy link
Author

FYI: Builds of rpm-sequoia in Fedora 38 and Rawhide have been using the OpenSSL crypto backend for two weeks now, so this change already went through F38 Beta validation etc. As far as I can tell, everything is looking solid, and no regressions have been reported.

@nwalfield
Copy link
Collaborator

@decathorpe : Thanks for the update!

@pmatilai
Copy link
Member

@decathorpe : Oh, I hadn't noticed that at all. Thanks for letting us know!

@nwalfield
Copy link
Collaborator

The open question is: should the default be changed from nettle to openssl?

@decathorpe
Copy link
Author

From my point of view that would make sense, given that the primary user (the package in Fedora) has already made the switch. And assuming other RPM based distros (OpenSUSE? Mageia?) will use rpm-sequoia in the future, the reasons for using the OpenSSL backend instead of Nettle will likely also be similar there (but if they want to use a different backend, they can always change the default).

@nwalfield
Copy link
Collaborator

@mlschroe indicated that OpenSUSE doesn't plan to switch in the next year or two. I don't know what Mageia plans and I don't have any contacts there.

@pmatilai
Copy link
Member

I seem to recall @Conan-Kudo having some connections to Mageia 🤔

@Conan-Kudo
Copy link
Member

By the time the next Mageia release happens, it'll be a few years. If we manage to switch from URPMI to DNF in that timeframe, then it's possible it'll happen.

@pmatilai
Copy link
Member

pmatilai commented Apr 17, 2023

I fail to see how urpmi vs dnf would have anything to do with rpm crypto backend?

@Conan-Kudo
Copy link
Member

Building rust software is quite problematic with our current package build infrastructure due to non-support for almost every RPM feature introduced since RPM 4.12.

@pmatilai
Copy link
Member

Oh, okay. Fairly indirect connection then 😄

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

7 participants
@Conan-Kudo @nwalfield @pmatilai @simo5 @decathorpe @paulwouters and others