Hi all,

This seems to be related to https://lists.debian.org/debian-dpkg/2023/06/msg00059.html
which I've found after I've created this patch already. The motivation
is not to use openssl instead of libmd, but to have the option to use it
in addition to.

For openSUSE, we have dpkg in Ring0 rebuild set. It means, this set of
packages is rebuild quite often and is always consistent. Adding
additional dependencies, even small ones like libmd, increases the load
that is placed on our infrastructure.

So the purpose here is to add support for OpenSSL while keeping libmd as
the primary source of the hashing function.

For the record, I do agree with the initial rationale of replacing the
in-tree implementation with libmd.

- Adam

PS. Please CC me in replies as I'm not on this list.

From da3057e9c050f4b831c448d80510b51f5d4f1d50 Mon Sep 17 00:00:00 2001

From: Adam Majer <adamm@zombino.com>
Date: Thu, 20 Jul 2023 16:01:06 +0200
Subject: [PATCH] build: add support for OpenSSL for hashing

In 2767801430de3c6d4ec7394e286fc261a8180feb dpkg fully switched
to libmd for hasing instead of in-tree version. For distributions
like openSUSE Tumbleweed, this adds additional dependencies in
the rebuild set. Using library like OpenSSL that is already
in this rebuild set, doesn't add additional dependencies.

This patch adds support for using OpenSSL for hash calculation.

Signed-off-by: Adam Majer <adamm@zombino.com>
---
configure.ac | 8 ++++++++
lib/dpkg/Makefile.am | 2 +-
lib/dpkg/buffer.c | 10 +++++++++-
m4/dpkg-libs.m4 | 21 ++++++++++++++++++---
4 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/configure.ac b/configure.ac
index d1fa8357d..f8b8f4eae 100644
--- a/configure.ac
+++ b/configure.ac
@@ -97,6 +97,13 @@ AC_SYS_LARGEFILE
# Checks for libraries.
DPKG_LIB_RT
DPKG_LIB_MD
+AS_IF([test "x$have_libmd" = "xno"], [
+ DPKG_LIB_OPENSSL
+ AS_IF([test "x$have_crypto" = "xno"], [
+ AC_MSG_FAILURE([md5 digest functions not found in libmd or openssl])
+ ])
+])
+
DPKG_LIB_Z
DPKG_LIB_BZ2
DPKG_LIB_LZMA
@@ -308,6 +315,7 @@ Configuration:
libkvm . . . . . . . . . . . : ${have_libkvm:-no}
libselinux . . . . . . . . . : $have_libselinux
libmd . . . . . . . . . . . . : $have_libmd
+ libcryto . . . . . . . . . . : $have_libcrypto
libz . . . . . . . . . . . . : $have_libz_impl
liblzma . . . . . . . . . . . : $have_liblzma

Hi!

On Thu, 2023-07-20 at 16:58:32 +0200, Adam Majer wrote:

This seems to be related to https://lists.debian.org/debian-dpkg/2023/06/msg00059.html
which I've found after I've created this patch already. The motivation
is not to use openssl instead of libmd, but to have the option to use it
in addition to.

The same reasoning from my replies applies here. In addition it seems
the low-level hashing functions are deprecated for public consumption.

For openSUSE, we have dpkg in Ring0 rebuild set. It means, this set of packages is rebuild quite often and is always consistent. Adding
additional dependencies, even small ones like libmd, increases the load
that is placed on our infrastructure.

Hmm, I mean I don't know how openSUSE infra works and all, but it feels
weird that a tiny dependency would incur such additional load. In
Debian for example it's a plus that the build image is as minimal as
possible so that no accidental build dependencies go unnoticed.

So the purpose here is to add support for OpenSSL while keeping libmd as
the primary source of the hashing function.

Given that AFIUI the higher level OpenSSL functions might decide to
refuse to provide such implementations depending on the build-time or
run-time configuration and configured policies of the library, it does
not look like something I'd like to support TBH.

For the record, I do agree with the initial rationale of replacing the in-tree implementation with libmd.

I think it libmd would be so problematic to the point of wanting to be
avoided, I'd rather re-embed the digest function code. :/

Thanks,
Guillem

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)