Arch Linux

FS#54887 - [openssl] remove perl from dependency of the openssl package

Attached to Project: Arch Linux
Opened by Damjan Georgievski (damjan) - Thursday, 20 July 2017, 11:29 GMT
Last edited by Eli Schwartz (eschwartz) - Thursday, 20 July 2017, 13:38 GMT
Task Type: Feature Request
Category: Packages: Core
Status: Assigned
Assigned To: Pierre Schmitz (Pierre)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 7
Private: No

Details

the openssl package has a dependency on perl. this makes even the smallest arch install (containers) needlessly bloated with perl.

perl is required only for one script "/usr/bin/c_rehash", but c_rehash is not used in Arch (it probably has been used in the past for updating the trust store).

The trust policy store nowadays is set up by update-ca-trust from the ca-certificates-utils package, which uses a tool from p11-kit.

Also, upstream provides an "openssl rehash" subcommand which they claim is almost the same.

a side note:
Fedora packages c_rehash in a separate openssl-perl package, which is only required by 2 packages: burp-server and check-create-certificate (not required further).
Debian depends on perl for debconf (otherwise c_rehash is in the openssl package, but not in libssl*)

ps.
new issue opened as suggested by Allan McRae

Comment by James Groom (YoshiRulz) - Tuesday, 19 December 2017, 04:01 GMT
In a previous thread, FS#14903, it came up that simply removing the perl dependency from openssl may break some of the >200 other packages which depend on it, if they happen to require Perl but don't directly depend on it. So, I grabbed these lists from the official repo.
The following depend on openssl and not perl:
aircrack-ng, apache, archboot, argyllcms, axel, badvpn, bigloo, bind-tools, bip, bitcoin-tx, boinctui, borg, cgit, coreutils, couchdb, cowpatty, dsniff, dspam, easy-rsa, efitools, elinks, encfs, erlang, erlang-nox, erlang200, exim, fdm, fetchmail, fossil, freerdp, freetds, galera, gambas3-gb-openssl, gftp, gnustep-base, gsoap, gwenhywfar, haproxy, hostapd, httping, httrack, iperf3, ipmitool, iputils, keepalived, ldns, lib32-openssl, libarchive, libesmtp, libevent, libexosip2, libircclient, libmariadbclient, libmesode, libperconaserverclient, librabbitmq-c, libsasl, libshairport, libshout, libssh2, libstrophe, libtorrent, libvncserver, libwebsockets, lua-sec, lua51-sec, lua52-sec, lynx, medusa, mktorrent, monit, nghttp2, nginx, nginx-mainline, ngircd, nmap, ntp, open-isns, opendkim, openimageio, openntpd, opensips, openslp, openvswitch, opusfile, p3scan, pam_mount, parity, parrot, partimage, pixiewps, pkcs11-helper, podofo, postgresql-libs, powerdns, powerdns-recursor, prosody, proxytunnel, pulseaudio-zeroconf, pwsafe, pypy, pypy3, python, python-pyopenssl, python2, python2-pyopenssl, radare2, restbed, rkt, ruby, s-nail, sbsigntools, scrypt, shairport-sync, siege, slimjet, slowhttptest, slrn, socat, sofia-sip, ssmtp, stellarium, stunnel, tarantool, tarsnap, tcltls, tcpdump, tcpflow, testdisk, thc-ipv6, thrift, tinc, tnftp, uboot-tools, unshield, vde2, vpnc, w3m, webfs, wimlib, xmlsec, yara, zathura-pdf-mupdf

The following depend on openssl and one or more of the above (given), and not perl:
archboot (a lot of things), bind (bind-tools), curl (libssh2), dovecot (libmariadbclient, postgresql-libs), ejabberd (erlang-nox), esmtp (libesmtp), hydra (libmariadbclient, postgresql-libs), libasr (libevent), libvirt (libsasl, python2), mariadb-clients (libmariadbclient), mongodb (libsasl), mosquitto (libwebsockets), mutt (libsasl), nsd (libevent), ntop (libevent, python2), open-iscsi (open-isns), openssh (ldns), openvpn (pkcs11-helper), ostree (libarchive), poco (libmariadbclient), postfix (libmariadbclient, libsasl, postgresql-libs), postgresql-old-upgrade (postgresql-libs), pyrit (python2), python2-m2crypto (python2), ruby-eventmachine (ruby), sslsplit (libevent), swi-prolog (libarchive), testssl.sh (bind-tools, coreutils), tor (libevent), unbound (libevent), virtualbox (python2), x11vnc (libvncserver)

The following depend on openssl, depend on curl and/or libssh2, and don't depend on perl:
arch-audit, cower, dovecot, ettercap, ettercap-gtk, lastpass-cli, libcurl-compat, libgit2, libvirt, mupdf, strongswan, synergy, unrealircd, virtualbox

Even assuming that Ruby, Python, and their dependents don't use Perl, there's still >150 packages (not counting THEIR dependents) which need to be checked for Perl usage. Alternatively, in what I think is the safest move, annoy their maintainers by moving the perl dependency to each of them.

Comment by Evgeniy (evgeniy) - Tuesday, 27 November 2018, 22:33 GMT
It would be a nice feature for small docker images.

Comment by Bruno Pagani (ArchangeGabriel) - Tuesday, 22 January 2019, 16:57 GMT
So there are two issues at hand here: openssl depending on perl for almost no reason, and then lots of packages not depending on perl because relying on openssl (which they depend upon) to do it for them.

We need to fix the second one at distro level (by forbidding transient dependencies) before changing openssl deps is doable.

However, note that coreutils for instance is in your above list, and removing this package from a system seems a bad idea. So I’m afraid that your initial goal (avoiding perl) is unreachable.

Comment by Damjan Georgievski (damjan) - Tuesday, 22 January 2019, 18:48 GMT
Sorry, I didn't understand,
are you saying that coreutils requires perl (not the package, but actually)?

looking through the /usr/bin/ files from coreutils, I can't see anything using perl as a script or linked to perl.

Comment by Bruno Pagani (ArchangeGabriel) - Tuesday, 22 January 2019, 18:54 GMT
Sorry, I misread the first line (if they happen to require Perl but don't directly depend on it). I thought the list was packages requiring Perl but not depending on it, actually it’s just packages potentially depending on Perl.

Comment by Eli Schwartz (eschwartz) - Friday, 01 March 2019, 02:05 GMT
According to my calculations there are currently

6473 packages which depend on openssl in one way or another, and
4204 which depend on perl in one way or another (not including via openssl)

There are 3540 packages that depend on openssl but do not otherwise have perl in their dependency tree, list is attached.

Of course this says nothing about whether a package assumes that pacman is installed...

I'm inclined to think, anyway, that assuming core works and we trial things in testing for a bit, this should be doable. In the meantime, I've discovered three packages that link to libperl.so and do not depend on it except through openssl:

irssi
=> /usr/bin/irssi
openldap
=> /usr/lib/slapd
postgresql-old-upgrade
=> /opt/pgsql-10/lib/hstore_plperl.so
=> /opt/pgsql-10/lib/plperl.so

Comment by xyz (sjon) - Thursday, 10 October 2019, 13:19 GMT
I rewrote c_rehash in bash to fix this [1] but indeed - c_rehash isn't needed at all anymore as it is already included in the openssl binary itself.

if packages depend on openssl they shouldn't assume perl is installed as well. If they do, that can only be found & fixed by removing perl from the requirements of openssl

please fix this

1. https://github.com/openssl/openssl/pull/10123

Comment by Eli Schwartz (eschwartz) - Monday, 25 November 2019, 20:40 GMT
I wrote a dumb script to try to exit 0 if a package either links to libperl, or has a file containing a shebang line and which invokes perl (via shebangs or bash subprocesses or whatever): https://paste.xinu.at/BIUF8eN/
(The actual check is dumb as a rock, and simply tries to see if the literal string '\bperl\b' exists with regular expression \b word boundaries.)

Now I'm running the following loop on dragon, which has a full package mirror:

for i in /srv/ftp/pool/*/*.pkg.tar.xz; do if ! bsdtar -xOf "$i" .PKGINFO | grep -qE '^(opt)?depend = .*perl.*'; then bin/detect-perl-in-package.sh "$i" && echo "$i: depends on perl"; fi; done

Let's see what happens. I *think* in theory this should tell us everything (plus false positives, sigh).
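
A sketch of the kind of check described in the comment above, as an added example that is neither the script behind the paste link nor code from anyone in this thread. It assumes the package has already been extracted to a directory, and it uses a plain string search for libperl.so instead of reading the ELF dynamic section; the function names and sample packages are made up for illustration.

```shell
#!/bin/sh
# Added example (not the script from the paste link): heuristic perl-usage
# check over an already-extracted package tree. All names are hypothetical.

# 0 if .PKGINFO declares perl, using the same regex as the loop in the comment.
declares_perl() {
    grep -qE '^(opt)?depend = .*perl.*' "$1/.PKGINFO" 2>/dev/null
}

# 0 if FILE is an ELF object mentioning libperl.so, or a "#!" script that
# contains the whole word "perl" (grep -w, the equivalent of '\bperl\b').
file_uses_perl() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $magic in
        7f454c46) grep -qa 'libperl\.so' "$1" ;;  # crude stand-in for reading DT_NEEDED
        2321*)    grep -qw 'perl' "$1" ;;         # first two bytes are "#!"
        *)        return 1 ;;
    esac
}

# Print files that appear to use perl; succeed only if there is at least one
# and the package does not declare perl (the hidden dependency being hunted).
undeclared_perl_files() {
    declares_perl "$1" && return 1
    found=$(find "$1" -type f ! -name '.PKGINFO' | sort | while IFS= read -r f; do
        if file_uses_perl "$f"; then printf '%s\n' "${f#"$1"/}"; fi
    done)
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Constructed sample trees (hypothetical packages, not real Arch packages).
make_samples() {
    mkdir -p "$1/hidden/usr/bin" "$1/hidden/usr/lib" "$1/declared/usr/bin" "$1/clean/usr/bin"
    printf 'pkgname = hidden\ndepend = openssl\n' > "$1/hidden/.PKGINFO"
    printf '#!/bin/sh\nexec perl -e "print 1"\n' > "$1/hidden/usr/bin/wrapper"
    printf '\177ELF\001\001\000libperl.so\000libc.so.6\000' > "$1/hidden/usr/lib/plugin.so"
    printf 'based on the perl module Text::Unidecode\n' > "$1/hidden/usr/lib/notes.txt"
    printf 'pkgname = declared\ndepend = openssl\ndepend = perl\n' > "$1/declared/.PKGINFO"
    printf '#!/usr/bin/perl\nprint 1;\n' > "$1/declared/usr/bin/tool"
    printf 'pkgname = clean\ndepend = openssl\n' > "$1/clean/.PKGINFO"
    printf '#!/bin/sh\necho superlative\n' > "$1/clean/usr/bin/hello"
}

# Run with the argument "demo" to scan the constructed "hidden" package.
if [ "${1:-}" = demo ]; then
    t=$(mktemp -d); make_samples "$t"; undeclared_perl_files "$t/hidden"; rm -rf "$t"
fi
```

A script that only names perl in a comment is still reported, so the output is a list of candidates to review by hand rather than a list of confirmed dependencies.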

Comment by Eli Schwartz (eschwartz) - Wednesday, 27 November 2019, 06:34 GMT
Found the final list of packages which somehow mention perl. Note: there are false positives, for example python has a .py file which mentions its algorithm is "is based on the perl module Text::Unidecode".

it will need to be further filtered...

EDIT: paste link updated to https://paste.xinu.at/PZ3QnT/

Comment by Eli Schwartz (eschwartz) - Monday, 11 May 2020, 18:59 GMT
I'm sporadically updating this list with details of what I've detected in each package, this list can be found at https://pkgbuild.com/~eschwartz/perl-stuff.txt

Some packages are marked as false positives (occasionally with details), others have recommended guidance, or notes on which files need perl (but it's not always clear if those files are important).
