[RFC] move openssl.cnf file into base openssl package

[RFC] move openssl.cnf file into base openssl package

[Maupin, Chase]

All,

Currently in openssl.inc the openssl.cnf file is being placed in the openssl-misc package.  However, when running the openssl command you will frequently receive warnings about this configuration file missing.  i.e.:

WARNING: can't open config file: /usr/lib/ssl/openssl.cnf

Also, when running the command "openssl req" to request and generate a certificate the command will fail without the openssl.cnf file being installed on the target system. i.e.

WARNING: can't open config file: /usr/lib/ssl/openssl.cnf
Unable to load config info from /usr/lib/ssl/openssl.cnf

Is there a reason why this file is placed in the misc package since it seems to be either looked for or required by the openssl executable shipped in the base openssl package?

From the log I see that the openssl.cnf file was originally added to the libcrypto package since it was accessed directly from libcrypto (commit f95a95435ca79e7b9942b6e321d30e264c728791).  I then see that it was moved the file to the misc package to make different libcrypto versions parallel installable (commit 26b7d6514111d5ac0171c1834fa85d4576d783bf) but no other justification as to why the .cnf was placed in the misc instead of base package.

I have a patch to move the openssl.cnf file into the openssl package but I wanted to better understand why this file was not already in the openssl package before submitting my patch. 

Sincerely,
Chase Maupin

Re: [RFC] move openssl.cnf file into base openssl package

[Roman I Khimov]

[-- Attachment #1: Type: Text/Plain, Size: 1115 bytes --]

В сообщении от Среда 15 декабря 2010 21:38:07 автор Maupin, Chase написал:
> From the log I see that the openssl.cnf file was originally added to the
>  libcrypto package since it was accessed directly from libcrypto (commit
>  f95a95435ca79e7b9942b6e321d30e264c728791).  I then see that it was moved
>  the file to the misc package to make different libcrypto versions parallel
>  installable (commit 26b7d6514111d5ac0171c1834fa85d4576d783bf) but no other
>  justification as to why the .cnf was placed in the misc instead of base
>  package.
> 
> I have a patch to move the openssl.cnf file into the openssl package but I
>  wanted to better understand why this file was not already in the openssl
>  package before submitting my patch.

Missed that change. Seems wrong to me. And I still think that it belongs to 
libcrypto, not openssl since you can easily not install openssl binary and  
still use it with tuned openssl.cnf in your apps.

-- 
 http://roman.khimov.ru
mailto: roman@khimov.ru
gpg --keyserver hkp://subkeys.pgp.net --recv-keys 0xE5E055C3

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 205 bytes --]

Re: [RFC] move openssl.cnf file into base openssl package

[Maupin, Chase]

> -----Original Message-----
> From: openembedded-devel-bounces@lists.openembedded.org
> [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf Of
> Roman I Khimov
> Sent: Wednesday, December 15, 2010 1:41 PM
> To: openembedded-devel@lists.openembedded.org
> Subject: Re: [oe] [RFC] move openssl.cnf file into base openssl package
> 
> В сообщении от Среда 15 декабря 2010 21:38:07 автор Maupin, Chase написал:
> > From the log I see that the openssl.cnf file was originally added to the
> >  libcrypto package since it was accessed directly from libcrypto (commit
> >  f95a95435ca79e7b9942b6e321d30e264c728791).  I then see that it was
> moved
> >  the file to the misc package to make different libcrypto versions
> parallel
> >  installable (commit 26b7d6514111d5ac0171c1834fa85d4576d783bf) but no
> other
> >  justification as to why the .cnf was placed in the misc instead of base
> >  package.
> >
> > I have a patch to move the openssl.cnf file into the openssl package but
> I
> >  wanted to better understand why this file was not already in the
> openssl
> >  package before submitting my patch.
> 
> Missed that change. Seems wrong to me. And I still think that it belongs
> to
> libcrypto, not openssl since you can easily not install openssl binary and
> still use it with tuned openssl.cnf in your apps.

So it seems like there are two packages that need this default openssl.cnf file, the libcrypto and openssl packages.  Would it perhaps be a better idea to pull the configuration file into its own package and then set the RDEPENDS for the libcrypto and openssl packages to use the openssl configuration package?  That way you can still have multiple versions of libcrypto (like Koen was trying to do) and have the default file shared between both packages that need it.

> 
> --
>  http://roman.khimov.ru
> mailto: roman@khimov.ru
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 0xE5E055C3

Re: [RFC] move openssl.cnf file into base openssl package

[Roman I Khimov]

[-- Attachment #1: Type: Text/Plain, Size: 1178 bytes --]

В сообщении от Среда 15 декабря 2010 22:47:05 автор Maupin, Chase написал:
> > Missed that change. Seems wrong to me. And I still think that it belongs
> > to
> > libcrypto, not openssl since you can easily not install openssl binary
> > and still use it with tuned openssl.cnf in your apps.
> 
> So it seems like there are two packages that need this default openssl.cnf
>  file, the libcrypto and openssl packages.  Would it perhaps be a better
>  idea to pull the configuration file into its own package and then set the
>  RDEPENDS for the libcrypto and openssl packages to use the openssl
>  configuration package? That way you can still have multiple versions of
>  libcrypto (like Koen was trying to do) and have the default file shared
>  between both packages that need it.

openssl is rdepending on libcrypto anyway (it's linked with it and I don't 
think it'll change any time soon). But configs for different versions can be 
conflicting, so I'm not sure this kind of approach solves anything.

-- 
 http://roman.khimov.ru
mailto: roman@khimov.ru
gpg --keyserver hkp://subkeys.pgp.net --recv-keys 0xE5E055C3

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 205 bytes --]

Re: [RFC] move openssl.cnf file into base openssl package

[Maupin, Chase]

> -----Original Message-----
> From: openembedded-devel-bounces@lists.openembedded.org
> [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf Of
> Roman I Khimov
> Sent: Wednesday, December 15, 2010 2:39 PM
> To: openembedded-devel@lists.openembedded.org
> Subject: Re: [oe] [RFC] move openssl.cnf file into base openssl package
> 
> В сообщении от Среда 15 декабря 2010 22:47:05 автор Maupin, Chase написал:
> > > Missed that change. Seems wrong to me. And I still think that it
> belongs
> > > to
> > > libcrypto, not openssl since you can easily not install openssl binary
> > > and still use it with tuned openssl.cnf in your apps.
> >
> > So it seems like there are two packages that need this default
> openssl.cnf
> >  file, the libcrypto and openssl packages.  Would it perhaps be a better
> >  idea to pull the configuration file into its own package and then set
> the
> >  RDEPENDS for the libcrypto and openssl packages to use the openssl
> >  configuration package? That way you can still have multiple versions of
> >  libcrypto (like Koen was trying to do) and have the default file shared
> >  between both packages that need it.
> 
> openssl is rdepending on libcrypto anyway (it's linked with it and I don't
> think it'll change any time soon). But configs for different versions can
> be
> conflicting, so I'm not sure this kind of approach solves anything.

I noticed that.  I think the only thing that putting this into its own package would solve is addressing Koen's comment about having multiple versions of libcrypto installed.

Koen, can you comment on your change that moved the openssl.cnf file to the misc package?  Do you still need to be able to install multiple versions of libcrypto?

> 
> --
>  http://roman.khimov.ru
> mailto: roman@khimov.ru
> gpg --keyserver hkp://subkeys.pgp.net --recv-keys 0xE5E055C3

Re: [RFC] move openssl.cnf file into base openssl package

[Koen Kooi]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 16-12-10 15:04, Maupin, Chase wrote:
>> -----Original Message-----
>> From: openembedded-devel-bounces@lists.openembedded.org
>> [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf Of
>> Roman I Khimov
>> Sent: Wednesday, December 15, 2010 2:39 PM
>> To: openembedded-devel@lists.openembedded.org
>> Subject: Re: [oe] [RFC] move openssl.cnf file into base openssl package
>>
>> В сообщении от Среда 15 декабря 2010 22:47:05 автор Maupin, Chase написал:
>>>> Missed that change. Seems wrong to me. And I still think that it
>> belongs
>>>> to
>>>> libcrypto, not openssl since you can easily not install openssl binary
>>>> and still use it with tuned openssl.cnf in your apps.
>>>
>>> So it seems like there are two packages that need this default
>> openssl.cnf
>>>  file, the libcrypto and openssl packages.  Would it perhaps be a better
>>>  idea to pull the configuration file into its own package and then set
>> the
>>>  RDEPENDS for the libcrypto and openssl packages to use the openssl
>>>  configuration package? That way you can still have multiple versions of
>>>  libcrypto (like Koen was trying to do) and have the default file shared
>>>  between both packages that need it.
>>
>> openssl is rdepending on libcrypto anyway (it's linked with it and I don't
>> think it'll change any time soon). But configs for different versions can
>> be
>> conflicting, so I'm not sure this kind of approach solves anything.
> 
> I noticed that.  I think the only thing that putting this into its own package would solve is addressing Koen's comment about having multiple versions of libcrypto installed.
> 
> Koen, can you comment on your change that moved the openssl.cnf file to the misc package?  Do you still need to be able to install multiple versions of libcrypto?

Yes, I still need to be able to do that, couldn't you just add an
rrecommend for -misc?

regards,

Koen
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)

iD8DBQFNCh3dMkyGM64RGpERAseRAJ9KEl9B6YuGjRmZNzK3mFGhMZlAlwCfYJqK
1MNv3HdFqJteWCrn+kFD48Q=
=eo6B
-----END PGP SIGNATURE-----

Re: [RFC] move openssl.cnf file into base openssl package

[Maupin, Chase]

> -----Original Message-----
> From: openembedded-devel-bounces@lists.openembedded.org
> [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf Of
> Roman I Khimov
> Sent: Thursday, December 16, 2010 8:32 AM
> To: openembedded-devel@lists.openembedded.org
> Subject: Re: [oe] [RFC] move openssl.cnf file into base openssl package
> 
> В сообщении от Четверг 16 декабря 2010 17:10:37 автор Koen Kooi написал:
> > >>> So it seems like there are two packages that need this default
> > >> openssl.cnf
> > >>
> > >>>  file, the libcrypto and openssl packages.  Would it perhaps be a
> > >>>  better idea to pull the configuration file into its own package and
> > >>>  then set
> > >> the
> > >>>  RDEPENDS for the libcrypto and openssl packages to use the openssl
> > >>>  configuration package? That way you can still have multiple
> versions
> > >>>  of libcrypto (like Koen was trying to do) and have the default file
> > >>>  shared between both packages that need it.
> > >>
> > >> openssl is rdepending on libcrypto anyway (it's linked with it and I
> > >> don't think it'll change any time soon). But configs for different
> > >> versions can be
> > >> conflicting, so I'm not sure this kind of approach solves anything.
> > >
> > > I noticed that.  I think the only thing that putting this into its own
> > > package would solve is addressing Koen's comment about having multiple
> > > versions of libcrypto installed.
> > >
> > > Koen, can you comment on your change that moved the openssl.cnf file
> to
> > > the misc package?  Do you still need to be able to install multiple
> > > versions of libcrypto?
> >
> > Yes, I still need to be able to do that, couldn't you just add an
> > rrecommend for -misc?
> 
> To get all -misc stuff? I'd opt for putting openssl.cnf in its own package
> and
> setting it as RRECOMMENDS for libcrypto in that case.

Agreed.  Although would you say RRECOMMENDS or RDEPENDS?  On the one hand you could specify a conf file at another location, but in the case of running "openssl req" with no conf file installed the command fails, so would you say you REDEPEND instead on the conf file?

> 
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel

Re: [RFC] move openssl.cnf file into base openssl package

[Roman I Khimov]

В сообщении от Четверг 16 декабря 2010 17:10:37 автор Koen Kooi написал:
> >>> So it seems like there are two packages that need this default
> >> openssl.cnf
> >> 
> >>>  file, the libcrypto and openssl packages.  Would it perhaps be a
> >>>  better idea to pull the configuration file into its own package and
> >>>  then set
> >> the
> >>>  RDEPENDS for the libcrypto and openssl packages to use the openssl
> >>>  configuration package? That way you can still have multiple versions
> >>>  of libcrypto (like Koen was trying to do) and have the default file
> >>>  shared between both packages that need it.
> >> 
> >> openssl is rdepending on libcrypto anyway (it's linked with it and I
> >> don't think it'll change any time soon). But configs for different
> >> versions can be
> >> conflicting, so I'm not sure this kind of approach solves anything.
> > 
> > I noticed that.  I think the only thing that putting this into its own
> > package would solve is addressing Koen's comment about having multiple
> > versions of libcrypto installed.
> > 
> > Koen, can you comment on your change that moved the openssl.cnf file to
> > the misc package?  Do you still need to be able to install multiple
> > versions of libcrypto?
> 
> Yes, I still need to be able to do that, couldn't you just add an
> rrecommend for -misc?

To get all -misc stuff? I'd opt for putting openssl.cnf in its own package and 
setting it as RRECOMMENDS for libcrypto in that case.

Re: [RFC] move openssl.cnf file into base openssl package

[Roman I Khimov]

В сообщении от Четверг 16 декабря 2010 17:30:58 автор Maupin, Chase написал:
> > -----Original Message-----
> > From: openembedded-devel-bounces@lists.openembedded.org
> > [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf Of
> > Roman I Khimov
> > Sent: Thursday, December 16, 2010 8:32 AM
> > To: openembedded-devel@lists.openembedded.org
> > Subject: Re: [oe] [RFC] move openssl.cnf file into base openssl package
> > 
> > В сообщении от Четверг 16 декабря 2010 17:10:37 автор Koen Kooi написал:
> > > >>> So it seems like there are two packages that need this default
> > > >> 
> > > >> openssl.cnf
> > > >> 
> > > >>>  file, the libcrypto and openssl packages.  Would it perhaps be a
> > > >>>  better idea to pull the configuration file into its own package
> > > >>>  and then set
> > > >> 
> > > >> the
> > > >> 
> > > >>>  RDEPENDS for the libcrypto and openssl packages to use the openssl
> > > >>>  configuration package? That way you can still have multiple
> > 
> > versions
> > 
> > > >>>  of libcrypto (like Koen was trying to do) and have the default
> > > >>>  file shared between both packages that need it.
> > > >> 
> > > >> openssl is rdepending on libcrypto anyway (it's linked with it and I
> > > >> don't think it'll change any time soon). But configs for different
> > > >> versions can be
> > > >> conflicting, so I'm not sure this kind of approach solves anything.
> > > > 
> > > > I noticed that.  I think the only thing that putting this into its
> > > > own package would solve is addressing Koen's comment about having
> > > > multiple versions of libcrypto installed.
> > > > 
> > > > Koen, can you comment on your change that moved the openssl.cnf file
> > 
> > to
> > 
> > > > the misc package?  Do you still need to be able to install multiple
> > > > versions of libcrypto?
> > > 
> > > Yes, I still need to be able to do that, couldn't you just add an
> > > rrecommend for -misc?
> > 
> > To get all -misc stuff? I'd opt for putting openssl.cnf in its own
> > package and
> > setting it as RRECOMMENDS for libcrypto in that case.
> 
> Agreed.  Although would you say RRECOMMENDS or RDEPENDS?

I've just said above, RRECOMMENDS. Most applications using libcrypto can work 
without a default config file. They even worked for a long time before I've 
packaged it. But you get it installed by default with RRECOMMENDS, and only if 
you know what you're doing you add it in BAD_RECOMMENDATIONS or delete it in 
some other way.

Speaking of which, it should also be listed in CONFFILES, missed that in 
March.

Re: [RFC] move openssl.cnf file into base openssl package

[Maupin, Chase]

> -----Original Message-----
> From: openembedded-devel-bounces@lists.openembedded.org
> [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf Of
> Roman I Khimov
> Sent: Thursday, December 16, 2010 8:57 AM
> To: openembedded-devel@lists.openembedded.org
> Subject: Re: [oe] [RFC] move openssl.cnf file into base openssl package
> 
> В сообщении от Четверг 16 декабря 2010 17:30:58 автор Maupin, Chase
> написал:
> > > -----Original Message-----
> > > From: openembedded-devel-bounces@lists.openembedded.org
> > > [mailto:openembedded-devel-bounces@lists.openembedded.org] On Behalf
> Of
> > > Roman I Khimov
> > > Sent: Thursday, December 16, 2010 8:32 AM
> > > To: openembedded-devel@lists.openembedded.org
> > > Subject: Re: [oe] [RFC] move openssl.cnf file into base openssl
> package
> > >
> > > В сообщении от Четверг 16 декабря 2010 17:10:37 автор Koen Kooi
> написал:
> > > > >>> So it seems like there are two packages that need this default
> > > > >>
> > > > >> openssl.cnf
> > > > >>
> > > > >>>  file, the libcrypto and openssl packages.  Would it perhaps be
> a
> > > > >>>  better idea to pull the configuration file into its own package
> > > > >>>  and then set
> > > > >>
> > > > >> the
> > > > >>
> > > > >>>  RDEPENDS for the libcrypto and openssl packages to use the
> openssl
> > > > >>>  configuration package? That way you can still have multiple
> > >
> > > versions
> > >
> > > > >>>  of libcrypto (like Koen was trying to do) and have the default
> > > > >>>  file shared between both packages that need it.
> > > > >>
> > > > >> openssl is rdepending on libcrypto anyway (it's linked with it
> and I
> > > > >> don't think it'll change any time soon). But configs for
> different
> > > > >> versions can be
> > > > >> conflicting, so I'm not sure this kind of approach solves
> anything.
> > > > >
> > > > > I noticed that.  I think the only thing that putting this into its
> > > > > own package would solve is addressing Koen's comment about having
> > > > > multiple versions of libcrypto installed.
> > > > >
> > > > > Koen, can you comment on your change that moved the openssl.cnf
> file
> > >
> > > to
> > >
> > > > > the misc package?  Do you still need to be able to install
> multiple
> > > > > versions of libcrypto?
> > > >
> > > > Yes, I still need to be able to do that, couldn't you just add an
> > > > rrecommend for -misc?
> > >
> > > To get all -misc stuff? I'd opt for putting openssl.cnf in its own
> > > package and
> > > setting it as RRECOMMENDS for libcrypto in that case.
> >
> > Agreed.  Although would you say RRECOMMENDS or RDEPENDS?
> 
> I've just said above, RRECOMMENDS. Most applications using libcrypto can
> work
> without a default config file. They even worked for a long time before
> I've
> packaged it. But you get it installed by default with RRECOMMENDS, and
> only if
> you know what you're doing you add it in BAD_RECOMMENDATIONS or delete it
> in
> some other way.
> 
> Speaking of which, it should also be listed in CONFFILES, missed that in
> March.

I'll submit a patch for this today.  Thanks for the input.

> 
> _______________________________________________
> Openembedded-devel mailing list
> Openembedded-devel@lists.openembedded.org
> http://lists.linuxtogo.org/cgi-bin/mailman/listinfo/openembedded-devel