From: Stephen Smalley <sds@tycho.nsa.gov>
To: Richard Haines <richard_c_haines@btinternet.com>,
Dominick Grift <dac.override@gmail.com>
Cc: "selinux@tycho.nsa.gov" <selinux@tycho.nsa.gov>
Subject: Re: did libselinux grow a new build dependency? (openssl-devel: openssl.h)
Date: Mon, 19 Oct 2015 15:18:17 -0400
Message-ID: <562541F9.8080405@tycho.nsa.gov>
In-Reply-To: <562531F6.8010609@tycho.nsa.gov>

On 10/19/2015 02:09 PM, Stephen Smalley wrote:
> On 10/18/2015 11:00 AM, Richard Haines wrote:
>>
>>> On Sunday, 18 October 2015, 15:07, Dominick Grift
>>> <dac.override@gmail.com> wrote:
>>
>>>
>>> On Sun, Oct 18, 2015 at 12:48:12PM +0000, Richard Haines wrote:
>>>> I added openssl to libselinux to support the new selabel_digest(3)
>>>> function.
>>>>
>>>> I'm not aware of any issues between openssl and gnutls, however as
>>>> selabel_digest was only added last week I guess not much testing.
>>>> Well apart from myself as I'm currently adding the selinux_restorecon
>>>> feature that makes use of it.
>>>>
>>>
>>> Thanks for clarifying, I am not hitting any issues with it just
>>> wondering if instead of openssl, gnutls could be used for this and if
>>> so, if this should be somehow supported or not.
>>
>> I tried using gnutls after I read your initial email, however I
>> could not find a way to generate the same digest as openssl
>> (I changed the SHA1 function to gnutls_hmac_fast(3) with various
>> algorithms and used the selabel_digest util to compare digests).
>> It could be that I should use some other function but I could
>> not find any useful info on this (including web searches).
>> If anyone knows how to resolve this please let me know.
>>
>> I guess what is supported (openssl or gnutls) would be down to
>> the maintainers.
>
> Wondering if dependency on openssl might be a license issue for Debian
> or others. Apparently openssl license is considered GPL-incompatible
> [1] [2], and obviously libselinux is linked by a variety of GPL-licensed
> programs. Fedora seems to view this as falling under the system library
> exception [3] but not clear that other distributions would view it that
> way. On the other hand, using gnutls would be subject to the reverse
> problem; it would make libselinux depend on a LGPL library, and that
> could create issues for non-GPL programs that statically link
> libselinux. We might need to revert this change and revisit how to
> solve this in a manner that avoids such issues.
>
> [1] http://www.gnu.org/licenses/license-list.en.html#OpenSSL
> [2] https://people.gnome.org/~markmc/openssl-and-the-gpl.html
> [3] https://fedoraproject.org/wiki/Licensing:FAQ?rd=Licensing/FAQ#What.27s_the_deal_with_the_OpenSSL_license.3F

Also, aside from license issues, we likely ought to dlopen libcrypto.so
so that we don't bring this dependency to all users of libselinux but
only those that actually use the digest functionality.
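One way to do the lazy loading suggested above, added here as an illustration and not code from libselinux: libcrypto is resolved with dlopen()/dlsym() only when the digest is first requested, so a program that never calls it carries no link-time or load-time dependency on libcrypto, and a program that does gets a clear error if the library is absent. The function names `lazy_sha1` and `lazy_sha1_check_abc` and the list of sonames tried are assumptions; `SHA1()` is OpenSSL's real one-shot digest entry point.

```c
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* OpenSSL's one-shot SHA1() signature, resolved at run time so the caller has no link-time dependency on libcrypto. */
typedef unsigned char *(*sha1_fn)(const unsigned char *, size_t, unsigned char *);

static sha1_fn resolve_sha1(void)
{
    static sha1_fn cached;
    /* Sonames differ across OpenSSL releases and distributions (assumed list). */
    static const char *const names[] = {
        "libcrypto.so.3", "libcrypto.so.1.1", "libcrypto.so.1.0.0", "libcrypto.so" };
    if (cached)
        return cached;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        void *h = dlopen(names[i], RTLD_NOW | RTLD_LOCAL);
        if (!h)
            continue;
        cached = (sha1_fn)dlsym(h, "SHA1");
        if (cached)
            return cached;      /* handle deliberately kept open for the process lifetime */
        dlclose(h);
    }
    return NULL;
}

/* Digest buf into md[20]. Returns 0 on success, or -1 with errno = ENOTSUP when no usable
 * libcrypto is installed: callers that never need a digest pay nothing, callers that do get an error. */
int lazy_sha1(const unsigned char *buf, size_t len, unsigned char md[20])
{
    sha1_fn fn = resolve_sha1();
    if (!fn) {
        errno = ENOTSUP;
        return -1;
    }
    fn(buf, len, md);
    return 0;
}

/* Known-answer check against SHA-1("abc"): 1 = match, 0 = libcrypto absent (ENOTSUP), -1 = wrong digest. */
int lazy_sha1_check_abc(void)
{
    static const unsigned char want[20] = { 0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
                                            0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d };
    unsigned char md[20];
    if (lazy_sha1((const unsigned char *)"abc", 3, md) != 0)
        return errno == ENOTSUP ? 0 : -1;
    return memcmp(md, want, 20) == 0 ? 1 : -1;
}
```

Because the symbol is looked up by name, an ABI change in libcrypto surfaces as a run-time ENOTSUP rather than a load failure for every libselinux user, which is the trade-off the message is pointing at.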