pkgsrc-Users archive

Re: heimdal: remove openssl dependency



On Wed, Oct 09, 2019 at 03:48:08PM +0000, maya%NetBSD.org@localhost wrote:
> On Wed, Oct 09, 2019 at 11:14:36AM -0400, Greg Troxel wrote:
> > yancm%sdf.org@localhost writes:
> > 
> > >> heimdal does not build against the openssl 1.1 API.
> > >>
> > >> It includes its own crypto (stripped down openssl code IIUC) called
> > >> hcrypto.
> > >>
> > >> The attached patch switches heimdal to use that instead of an openssl
> > >> package (which might be 1.1 e.g. on NetBSD-current).
> > >>
> > >> Comments?
> > >>  Thomas
> > >
> > > Stating the obvious?
> > >
> > > Short term this may not be a problem, and is pragmatic.
> > >
> > > But longer term, as openssl development focuses on 1.1+, having packages
> > > roll (excerpt) their own crypto seems a step backward that could drive
> > > multiple package updates to pull up changes just in the crypto library...
> > > and be at mercy of each package to pull up bug fixes that have been
> > > released for months in the base openssl, leaving packages potentially
> > > vulnerable.
> > 
> > Sure, but the question on the table is
> > 
> >   what should pkgsrc do now
> > 
> > as opposed to
> > 
> >   what should heimdal (upstream) do
> > 
> > 
> > The second question's answer is pretty obviously "add support for
> > openssl 1.1, and make a release".
> 
> As a third option: is this the same heimdal in NetBSD base? If so, we
> have a patchset for OpenSSL 1.1.x support. It would be best shared with
> upstream, and having pkgsrc use the workaround, since it's quite
> invasive.
> 
> https://github.com/NetBSD/src/commit/482f9ddeaaa6cc55c66930a04727a8bbdec8dd2a

Also, latest heimdal has OpenSSL 1.1.1 support.
