pkgsrc-Users archive


Re: heimdal: remove openssl dependency



On Wed, Oct 09, 2019 at 11:14:36AM -0400, Greg Troxel wrote:
> yancm%sdf.org@localhost writes:
> 
> >> heimdal does not build against the openssl 1.1 API.
> >>
> >> It includes its own crypto (stripped down openssl code IIUC) called
> >> hcrypto.
> >>
> >> The attached patch switches heimdal to use that instead of an openssl
> >> package (which might be 1.1 e.g. on NetBSD-current).
> >>
> >> Comments?
> >>  Thomas
> >
> > Stating the obvious?
> >
> > Short term this may not be a problem, and is pragmatic.
> >
> > But longer term, as openssl development focuses on 1.1+, having packages
> > roll (excerpt) their own crypto seems a step backward that could drive
> > multiple package updates to pull up changes just in the crypto library...
> > and be at mercy of each package to pull up bug fixes that have been
> > released for months in the base openssl, leaving packages potentially
> > vulnerable.
> 
> Sure, but the question on the table is
> 
>   what should pkgsrc do now
> 
> as opposed to
> 
>   what should heimdal (upstream) do
> 
> 
> The second question's answer is pretty obviously "add support for
> openssl 1.1, and make a release".

As a third option: is this the same heimdal in netbsd base? If so, we
have a patchset for OpenSSL 1.1.x support. It would be best shared with
upstream, and having pkgsrc use the workaround, since it's quite
invasive.

https://github.com/NetBSD/src/commit/482f9ddeaaa6cc55c66930a04727a8bbdec8dd2a

