FS#50196 - [Pacman] Unclear configure option --with-openssl

Attached to Project: Pacman
Opened by Flow It (FlowIt) - Friday, 29 July 2016, 15:44 GMT
Last edited by Allan McRae (Allan) - Wednesday, 13 September 2017, 03:19 GMT
Task Type Bug Report
Category General
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version 5.0.1
Due in Version 5.1.0
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
configure --help in pacman says when passing --without-openssl pacman will use internal routines to perform crypto operations. Still pacman complains about missing openssl and cannot perform integrity checks.


Additional info:
* package version(s)
Tested with latest pacman, at the time of writing 5.0.1-4
* config and/or log files etc.


Steps to reproduce:
Set up a small test system without openssl (curl and coreutils should be the only packages in base that depend on openssl, and both can be build without it). Compile pacman with the --without-openssl option. Run makepkg for a PKGBUILD of your choice. Pacman will error out complaining it needs the openssl binary to perform integrity checks. Running makepkg --skipinteg works, but the expected behaviour would be that pacman uses its internal routines to perform the integrity checks.
This task depends upon

Closed by  Allan McRae (Allan)
Wednesday, 13 September 2017, 03:19 GMT
Reason for closing:  Fixed
Additional comments about closing:  git commits 603f087c and 57770125
Comment by Allan McRae (Allan) - Saturday, 30 July 2016, 01:44 GMT
So pacman works, but makepkg fails?
Comment by Flow It (FlowIt) - Saturday, 30 July 2016, 07:58 GMT
The described behaviour with integrity checking relying on OpenSSL independently of any configure option occures in makepkg, not pacman, correct. I reverted my packages back to use with OpenSSL because of that so I can't test pacman itself right now, but I remember issues when retrieving packages from https mirrors.
Comment by Allan McRae (Allan) - Saturday, 30 July 2016, 09:53 GMT
I'm going to make openssl a hard dependency.
Comment by Olivier Brunel (jjacky) - Saturday, 30 July 2016, 11:29 GMT
What does that mean, make it a hard dependency? You don't mean you want to remove --without-openssl from pacman, right? Just tweak Arch's packaging?

One can compile pacman fine using --without-openssl and it will work as expected. makepkg however does require openssl to work fully, but that's a separate thing. I'd still like to compile pacman without the need for openssl, and just use makepkg accordingly.

Sure, you can add a dependency on openssl in Arch's package "pacman" (it really should be there anyways, since it actually links it), but that has nothing to do with the --without-openssl configure option, correct?
Comment by Allan McRae (Allan) - Saturday, 30 July 2016, 11:36 GMT
No - I mean remove the ability to build pacman without openssl. We should not be providing our own crypto at all.
Comment by Flow It (FlowIt) - Saturday, 30 July 2016, 11:43 GMT
How much crypto is it? The reason why I (and probably most other users) compile pacman with --without-openssl is because I don't *trust* OpenSSL. Too much negative attention over the years.
For now I would be ok with removing the option because it clears up the confusion that you can build makepkg (as part of pacman) without openssl but makepkg itself has no internal replacements. For the future I would love to see a switch to decide between gnutls and openssl.
Comment by Allan McRae (Allan) - Saturday, 30 July 2016, 11:58 GMT
I'd trust openssl developers to provide crypto over the pacman developers any day! Can you build libarchive without openssl?
Comment by Flow It (FlowIt) - Saturday, 30 July 2016, 12:09 GMT
You can. Actually, upstream recommends using nettle instead of openssl (which would be another viable option for pacman btw)
Crypto is always a personal, irrational topic so it would be nice to give users some choice in which library they want to pull in.
I just had a quick look. Pacman pulled in openssl as an alternative to coreutils to make pacman more portable and speed up the slow internal hashing routines. It is only used for checksums.
Comment by Olivier Brunel (jjacky) - Saturday, 30 July 2016, 14:42 GMT
As said, you can build libarchive w/out openssl yes, and I for one would like you to reconsider this, because I like being able to build a pacman w/out openssl, or in fact build a "minimum" build chroot w/out it, as is possible today.
Comment by Flow It (FlowIt) - Friday, 05 August 2016, 10:56 GMT
As a compromise: Remove the usage of internal crypto, but at the same time allow a secondary crypto lib, more lightweight than OpenSSL. Nettle is such a candidate. If one builds pacman with the --with-gnupg flag to allow support for package signing nettle is already pulled in as a dependency.
The attached patch allows building pacman (and makepkg) against nettle. Especially the makepkg part is really hacky but it works as a proof of concept for now. Tests are also not covered in this patch and need further attention.
   pacman-with-nettle.patch (40.4 KiB)
Comment by Allan McRae (Allan) - Tuesday, 11 October 2016, 11:54 GMT
Sorry, I just noticed your patch. I am reworking it at the moment and will post to pacman-dev for comments soon. What name and email would you like attributed for this work?
Comment by Flow It (FlowIt) - Tuesday, 11 October 2016, 15:02 GMT
I think I had to fix my patch but if you are reworking it anyway thats fine. This was more a quick-and-dirty solution. If you see my contributions as relevant enough you can add Florian Weigelt <weigelt.florian@gmx.net> to the list of contributers. Thanks for taking a stab at this.
Comment by Allan McRae (Allan) - Wednesday, 12 October 2016, 01:32 GMT
Here is the patches I generated:

https://lists.archlinux.org/pipermail/pacman-dev/2016-October/021579.html
https://lists.archlinux.org/pipermail/pacman-dev/2016-October/021580.html

I'll give you authorship on the first one as I mostly copied your work (assuming you are happy with the changes I made). I decided we should just stick to coreutils in makepkg rather than using openssl/nettle-hash.

Loading...