* [PATCH bpf-next v2] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies
From: Mykyta Yatsenko @ 2026-03-13 0:03 UTC (permalink / raw)
To: bpf, ast, andrii, daniel, kafai, kernel-team, eddyz87; +Cc: Mykyta Yatsenko
From: Mykyta Yatsenko <yatsenko@meta.com>
Introduce SKIP_LLVM, SKIP_LIBBFD, and SKIP_CRYPTO build flags that let
users build bpftool without these optional dependencies.
SKIP_LLVM=1 skips LLVM even when detected. SKIP_LIBBFD=1 prevents the
libbfd JIT disassembly fallback when LLVM is absent. Together, they
produce a bpftool with no disassembly support.
SKIP_CRYPTO=1 excludes sign.c and removes the -lcrypto link dependency.
Inline stubs in main.h return errors with a clear message if signing
functions are called at runtime.
Use BPFTOOL_WITHOUT_CRYPTO (not HAVE_LIBCRYPTO_SUPPORT) as the C
define, following the BPFTOOL_WITHOUT_SKELETONS naming convention for
bpftool-internal build config, leaving HAVE_LIBCRYPTO_SUPPORT free for
proper feature detection in the future.
All three flags are propagated through the selftests Makefile to bpftool
sub-builds.
Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
---
Changes in v2:
- CRYPTO_LIBS defined before use
- Error messages updated — stubs now say
"bpftool was built without signing support" instead of "program signing
requires libcrypto".
- Link to v1: https://lore.kernel.org/r/20260312-b4-bpftool_build-v1-1-1aadfecaf534@meta.com
---
tools/bpf/bpftool/Makefile | 30 ++++++++++++++++++++++++++----
tools/bpf/bpftool/main.c | 7 +++++++
tools/bpf/bpftool/main.h | 14 ++++++++++++++
tools/testing/selftests/bpf/Makefile | 8 ++++++++
4 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/tools/bpf/bpftool/Makefile b/tools/bpf/bpftool/Makefile
index 519ea5cb8ab1..0febf60e1b64 100644
--- a/tools/bpf/bpftool/Makefile
+++ b/tools/bpf/bpftool/Makefile
@@ -97,6 +97,15 @@ RM ?= rm -f
FEATURE_USER = .bpftool
+# Skip optional dependencies: LLVM (JIT disasm), libbfd (fallback
+# disasm), libcrypto (program signing).
+SKIP_LLVM ?=
+SKIP_LIBBFD ?=
+SKIP_CRYPTO ?=
+ifneq ($(SKIP_CRYPTO),1)
+ CRYPTO_LIBS := -lcrypto
+endif
+
FEATURE_TESTS := clang-bpf-co-re
FEATURE_TESTS += llvm
FEATURE_TESTS += libcap
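Review bot: The ifneq ($(SKIP_CRYPTO),1) test added here recognises only the literal value 1, so SKIP_CRYPTO=y or SKIP_CRYPTO=true still links -lcrypto, and nothing in the comment says so. In the other direction, the ?= declarations let the value come from the environment, so a stray SKIP_CRYPTO=1 exported by a build system drops program signing without any message. Please state in the comment that only 1 is accepted, and consider an $(info ...) line when a skip flag takes effect so the reduced feature set shows up in the build log.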
@@ -130,8 +139,8 @@ include $(FEATURES_DUMP)
endif
endif
-LIBS = $(LIBBPF) -lelf -lcrypto -lz
-LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf -lcrypto -lz
+LIBS = $(LIBBPF) -lelf $(CRYPTO_LIBS) -lz
+LIBS_BOOTSTRAP = $(LIBBPF_BOOTSTRAP) -lelf $(CRYPTO_LIBS) -lz
ifeq ($(feature-libelf-zstd),1)
LIBS += -lzstd
@@ -150,7 +159,12 @@ all: $(OUTPUT)bpftool
SRCS := $(wildcard *.c)
ifeq ($(feature-llvm),1)
- # If LLVM is available, use it for JIT disassembly
+ifneq ($(SKIP_LLVM),1)
+HAS_LLVM := 1
+endif
+endif
+
+ifeq ($(HAS_LLVM),1)
CFLAGS += -DHAVE_LLVM_SUPPORT
LLVM_CONFIG_LIB_COMPONENTS := mcdisassembler all-targets
# llvm-config always adds -D_GNU_SOURCE, however, it may already be in CFLAGS
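Review bot: HAS_LLVM is assigned only inside the ifeq ($(feature-llvm),1) block and is never cleared beforehand, so a HAS_LLVM=1 inherited from the environment makes ifeq ($(HAS_LLVM),1) true even when feature detection failed or SKIP_LLVM=1 was given. An explicit empty assignment (HAS_LLVM :=) ahead of the block would close that gap. The removed comment "If LLVM is available, use it for JIT disassembly" also still describes the branch and is worth keeping above the new conditional.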
@@ -165,6 +179,7 @@ ifeq ($(feature-llvm),1)
endif
LDFLAGS += $(shell $(LLVM_CONFIG) --ldflags)
else
+ ifneq ($(SKIP_LIBBFD),1)
# Fall back on libbfd
ifeq ($(feature-libbfd),1)
LIBS += -lbfd -ldl -lopcodes
@@ -186,15 +201,22 @@ else
CFLAGS += -DDISASM_INIT_STYLED
endif
endif
+ endif # SKIP_LIBBFD
endif
ifeq ($(filter -DHAVE_LLVM_SUPPORT -DHAVE_LIBBFD_SUPPORT,$(CFLAGS)),)
# No support for JIT disassembly
SRCS := $(filter-out jit_disasm.c,$(SRCS))
endif
+ifeq ($(SKIP_CRYPTO),1)
+ CFLAGS += -DBPFTOOL_WITHOUT_CRYPTO
+ HOST_CFLAGS += -DBPFTOOL_WITHOUT_CRYPTO
+ SRCS := $(filter-out sign.c,$(SRCS))
+endif
+
BPFTOOL_BOOTSTRAP := $(BOOTSTRAP_OUTPUT)bpftool
-BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o sign.o)
+BOOTSTRAP_OBJS = $(addprefix $(BOOTSTRAP_OUTPUT),main.o common.o json_writer.o gen.o btf.o $(if $(CRYPTO_LIBS),sign.o))
$(BOOTSTRAP_OBJS): $(LIBBPF_BOOTSTRAP)
OBJS = $(patsubst %.c,$(OUTPUT)%.o,$(SRCS)) $(OUTPUT)disasm.o
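Review bot: BOOTSTRAP_OBJS decides whether to include sign.o with $(if $(CRYPTO_LIBS),sign.o), while the SRCS filter and the -DBPFTOOL_WITHOUT_CRYPTO define just above are keyed on ifeq ($(SKIP_CRYPTO),1). The two conditions agree only while CRYPTO_LIBS is not overridden: make CRYPTO_LIBS= without SKIP_CRYPTO=1 drops sign.o from the bootstrap objects while main.h still declares the real bpftool_prog_sign() and register_session_key(), leaving any caller in the bootstrap build unresolved at link time. Keying the object list on SKIP_CRYPTO as well, for example $(if $(filter 1,$(SKIP_CRYPTO)),,sign.o), keeps a single source of truth for whether signing is built.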
diff --git a/tools/bpf/bpftool/main.c b/tools/bpf/bpftool/main.c
index a829a6a49037..c91e1a6e1a1e 100644
--- a/tools/bpf/bpftool/main.c
+++ b/tools/bpf/bpftool/main.c
@@ -131,6 +131,11 @@ static int do_version(int argc, char **argv)
const bool has_skeletons = false;
#else
const bool has_skeletons = true;
+#endif
+#ifdef BPFTOOL_WITHOUT_CRYPTO
+ const bool has_crypto = false;
+#else
+ const bool has_crypto = true;
#endif
bool bootstrap = false;
int i;
@@ -163,6 +168,7 @@ static int do_version(int argc, char **argv)
jsonw_start_object(json_wtr); /* features */
jsonw_bool_field(json_wtr, "libbfd", has_libbfd);
jsonw_bool_field(json_wtr, "llvm", has_llvm);
+ jsonw_bool_field(json_wtr, "crypto", has_crypto);
jsonw_bool_field(json_wtr, "skeletons", has_skeletons);
jsonw_bool_field(json_wtr, "bootstrap", bootstrap);
jsonw_end_object(json_wtr); /* features */
@@ -181,6 +187,7 @@ static int do_version(int argc, char **argv)
printf("features:");
print_feature("libbfd", has_libbfd, &nb_features);
print_feature("llvm", has_llvm, &nb_features);
+ print_feature("crypto", has_crypto, &nb_features);
print_feature("skeletons", has_skeletons, &nb_features);
print_feature("bootstrap", bootstrap, &nb_features);
printf("\n");
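Review bot: The feature is reported as "crypto" in both the JSON and the plain version output, while the stubs added to main.h tell the user that bpftool "was built without signing support". Someone who hits that error and then runs bpftool version has to know that the two names refer to the same build switch. Naming the feature after what it gates, or mentioning the crypto feature in the error text, would make the mapping obvious to anyone auditing a host for signing capability.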
diff --git a/tools/bpf/bpftool/main.h b/tools/bpf/bpftool/main.h
index 1130299cede0..78b6e0ebb85d 100644
--- a/tools/bpf/bpftool/main.h
+++ b/tools/bpf/bpftool/main.h
@@ -293,6 +293,20 @@ struct kernel_config_option {
int read_kernel_config(const struct kernel_config_option *requested_options,
size_t num_options, char **out_values,
const char *define_prefix);
+#ifndef BPFTOOL_WITHOUT_CRYPTO
int bpftool_prog_sign(struct bpf_load_and_run_opts *opts);
__u32 register_session_key(const char *key_der_path);
+#else
+static inline int bpftool_prog_sign(struct bpf_load_and_run_opts *opts)
+{
+ p_err("bpftool was built without signing support");
+ return -ENOTSUP;
+}
+
+static inline __u32 register_session_key(const char *key_der_path)
+{
+ p_err("bpftool was built without signing support");
+ return -1;
+}
+#endif
#endif
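Review bot: The register_session_key() stub returns -1 from a function declared to return __u32, so the caller receives 0xffffffff rather than a negative value, and a caller that tests the result with < 0 will not notice the failure. Nothing in the header says which value signals an error. Please add a comment or a named constant for the failure value next to the prototype so the stub and the real implementation are held to the same contract, and so that a build without signing cannot be mistaken for a successfully registered key.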
diff --git a/tools/testing/selftests/bpf/Makefile b/tools/testing/selftests/bpf/Makefile
index 869b582b1d1f..e27501c06b56 100644
--- a/tools/testing/selftests/bpf/Makefile
+++ b/tools/testing/selftests/bpf/Makefile
@@ -41,6 +41,8 @@ LIBELF_LIBS := $(shell $(PKG_CONFIG) libelf --libs 2>/dev/null || echo -lelf)
SKIP_DOCS ?=
SKIP_LLVM ?=
+SKIP_LIBBFD ?=
+SKIP_CRYPTO ?=
ifeq ($(srctree),)
srctree := $(patsubst %/,%,$(dir $(CURDIR)))
@@ -333,6 +335,9 @@ $(DEFAULT_BPFTOOL): $(wildcard $(BPFTOOLDIR)/*.[ch] $(BPFTOOLDIR)/Makefile) \
OUTPUT=$(HOST_BUILD_DIR)/bpftool/ \
LIBBPF_OUTPUT=$(HOST_BUILD_DIR)/libbpf/ \
LIBBPF_DESTDIR=$(HOST_SCRATCH_DIR)/ \
+ SKIP_LLVM=$(SKIP_LLVM) \
+ SKIP_LIBBFD=$(SKIP_LIBBFD) \
+ SKIP_CRYPTO=$(SKIP_CRYPTO) \
prefix= DESTDIR=$(HOST_SCRATCH_DIR)/ install-bin
ifneq ($(CROSS_COMPILE),)
@@ -345,6 +350,9 @@ $(CROSS_BPFTOOL): $(wildcard $(BPFTOOLDIR)/*.[ch] $(BPFTOOLDIR)/Makefile) \
OUTPUT=$(BUILD_DIR)/bpftool/ \
LIBBPF_OUTPUT=$(BUILD_DIR)/libbpf/ \
LIBBPF_DESTDIR=$(SCRATCH_DIR)/ \
+ SKIP_LLVM=$(SKIP_LLVM) \
+ SKIP_LIBBFD=$(SKIP_LIBBFD) \
+ SKIP_CRYPTO=$(SKIP_CRYPTO) \
prefix= DESTDIR=$(SCRATCH_DIR)/ install-bin
endif
---
base-commit: ca0f39a369c5f927c3d004e63a5a778b08a9df94
change-id: 20260312-b4-bpftool_build-fe7d37d535bd
Best regards,
--
Mykyta Yatsenko <yatsenko@meta.com>
* Re: [PATCH bpf-next v2] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies
From: patchwork-bot+netdevbpf @ 2026-03-16 21:20 UTC (permalink / raw)
To: Mykyta Yatsenko
Cc: bpf, ast, andrii, daniel, kafai, kernel-team, eddyz87, yatsenko
Hello:
This patch was applied to bpf/bpf-next.git (master)
by Andrii Nakryiko <andrii@kernel.org>:
On Thu, 12 Mar 2026 17:03:27 -0700 you wrote:
> From: Mykyta Yatsenko <yatsenko@meta.com>
>
> Introduce SKIP_LLVM, SKIP_LIBBFD, and SKIP_CRYPTO build flags that let
> users build bpftool without these optional dependencies.
>
> SKIP_LLVM=1 skips LLVM even when detected. SKIP_LIBBFD=1 prevents the
> libbfd JIT disassembly fallback when LLVM is absent. Together, they
> produce a bpftool with no disassembly support.
>
> [...]
Here is the summary with links:
- [bpf-next,v2] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies
https://git.kernel.org/bpf/bpf-next/c/c73a24436698
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* Re: [PATCH bpf-next v2] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies
From: Quentin Monnet @ 2026-03-17 10:29 UTC (permalink / raw)
To: Mykyta Yatsenko, bpf, ast, andrii, daniel, kafai, kernel-team,
eddyz87
Cc: Mykyta Yatsenko
2026-03-12 17:03 UTC-0700 ~ Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
> From: Mykyta Yatsenko <yatsenko@meta.com>
>
> Introduce SKIP_LLVM, SKIP_LIBBFD, and SKIP_CRYPTO build flags that let
> users build bpftool without these optional dependencies.
>
> SKIP_LLVM=1 skips LLVM even when detected. SKIP_LIBBFD=1 prevents the
> libbfd JIT disassembly fallback when LLVM is absent. Together, they
> produce a bpftool with no disassembly support.
>
> SKIP_CRYPTO=1 excludes sign.c and removes the -lcrypto link dependency.
> Inline stubs in main.h return errors with a clear message if signing
> functions are called at runtime.
>
> Use BPFTOOL_WITHOUT_CRYPTO (not HAVE_LIBCRYPTO_SUPPORT) as the C
> define, following the BPFTOOL_WITHOUT_SKELETONS naming convention for
> bpftool-internal build config, leaving HAVE_LIBCRYPTO_SUPPORT free for
> proper feature detection in the future.
>
> All three flags are propagated through the selftests Makefile to bpftool
> sub-builds.
>
> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
Sorry I'm late for this one, I see Andrii applied it - I just wanted to
say thank you for this!
Quentin
* Re: [PATCH bpf-next v2] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies
From: Quentin Monnet @ 2026-03-21 0:50 UTC (permalink / raw)
To: Mykyta Yatsenko, bpf, ast, andrii, daniel, kafai, kernel-team,
eddyz87
Cc: Mykyta Yatsenko
2026-03-17 10:29 UTC+0000 ~ Quentin Monnet <qmo@kernel.org>
> 2026-03-12 17:03 UTC-0700 ~ Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
>> From: Mykyta Yatsenko <yatsenko@meta.com>
>>
>> Introduce SKIP_LLVM, SKIP_LIBBFD, and SKIP_CRYPTO build flags that let
>> users build bpftool without these optional dependencies.
>>
>> SKIP_LLVM=1 skips LLVM even when detected. SKIP_LIBBFD=1 prevents the
>> libbfd JIT disassembly fallback when LLVM is absent. Together, they
>> produce a bpftool with no disassembly support.
>>
>> SKIP_CRYPTO=1 excludes sign.c and removes the -lcrypto link dependency.
>> Inline stubs in main.h return errors with a clear message if signing
>> functions are called at runtime.
>>
>> Use BPFTOOL_WITHOUT_CRYPTO (not HAVE_LIBCRYPTO_SUPPORT) as the C
>> define, following the BPFTOOL_WITHOUT_SKELETONS naming convention for
>> bpftool-internal build config, leaving HAVE_LIBCRYPTO_SUPPORT free for
>> proper feature detection in the future.
>>
>> All three flags are propagated through the selftests Makefile to bpftool
>> sub-builds.
>>
>> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
>
>
> Sorry I'm late for this one, I see Andrii applied it - I just wanted to
> say thank you for this!
Mykyta, Andrii,
Apologies again for missing the review on this series. I'm realising
only now that it goes beyond what we initially discussed: It adds a way
to turn off the optional dependencies related to the disassemblers,
which is what we agreed on, but it also makes libcrypto optional.
There were previous discussions where I pushed back against making
program signing optional in bpftool. It's one thing to have the JIT
disassembler unavailable on a machine; but it's going to be a pain if a
policy requires signed programs on a system, but the bpftool version
available does not support signing. Are you really sure you want to make
it optional? My preference would be to keep program signing a mandatory
feature for bpftool going forward.
Best regards,
Quentin
* Re: [PATCH bpf-next v2] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies
From: Mykyta Yatsenko @ 2026-03-23 18:35 UTC (permalink / raw)
To: Quentin Monnet, bpf, ast, andrii, daniel, kafai, kernel-team,
eddyz87
Cc: Mykyta Yatsenko
Quentin Monnet <qmo@kernel.org> writes:
> 2026-03-17 10:29 UTC+0000 ~ Quentin Monnet <qmo@kernel.org>
>> 2026-03-12 17:03 UTC-0700 ~ Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
>>> From: Mykyta Yatsenko <yatsenko@meta.com>
>>>
>>> Introduce SKIP_LLVM, SKIP_LIBBFD, and SKIP_CRYPTO build flags that let
>>> users build bpftool without these optional dependencies.
>>>
>>> SKIP_LLVM=1 skips LLVM even when detected. SKIP_LIBBFD=1 prevents the
>>> libbfd JIT disassembly fallback when LLVM is absent. Together, they
>>> produce a bpftool with no disassembly support.
>>>
>>> SKIP_CRYPTO=1 excludes sign.c and removes the -lcrypto link dependency.
>>> Inline stubs in main.h return errors with a clear message if signing
>>> functions are called at runtime.
>>>
>>> Use BPFTOOL_WITHOUT_CRYPTO (not HAVE_LIBCRYPTO_SUPPORT) as the C
>>> define, following the BPFTOOL_WITHOUT_SKELETONS naming convention for
>>> bpftool-internal build config, leaving HAVE_LIBCRYPTO_SUPPORT free for
>>> proper feature detection in the future.
>>>
>>> All three flags are propagated through the selftests Makefile to bpftool
>>> sub-builds.
>>>
>>> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
>>
>>
>> Sorry I'm late for this one, I see Andrii applied it - I just wanted to
>> say thank you for this!
>
>
> Mykyta, Andrii,
>
> Apologies again for missing the review on this series. I'm realising
> only now that it goes beyond what we initially discussed: It adds a way
> to turn off the optional dependencies related to the disassemblers,
> which is what we agreed on, but it also makes libcrypto optional.
>
> There were previous discussions where I pushed back against making
> program signing optional in bpftool. It's one thing to have the JIT
> disassembler unavailable on a machine; but it's going to be a pain if a
> policy requires signed programs on a system, but the bpftool version
> available does not support signing. Are you really sure you want to make
> it optional? My preference would be to keep program signing a mandatory
> feature for bpftool going forward.
>
> Best regards,
> Quentin
Hi,
Thanks for reaching out! The patch indeed went beyond what we discussed
in v1, because we've run into a problem, where some users could not
build bpftool, because their openssl was built with no CMS support. It
turns out openssl allows OPENSSL_NO_CMS which disables some functions
that bpftool/sign.c relies on. So to support this use case, we decided to
increase the scope of this change. I'm not sure, though, how common it
is to find openssl with no CMS in the wild. Let me know what you think
about this.
Regards
* Re: [PATCH bpf-next v2] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies
From: Andrii Nakryiko @ 2026-03-23 20:21 UTC (permalink / raw)
To: Quentin Monnet
Cc: Mykyta Yatsenko, bpf, ast, andrii, daniel, kafai, kernel-team,
eddyz87, Mykyta Yatsenko
On Fri, Mar 20, 2026 at 5:50 PM Quentin Monnet <qmo@kernel.org> wrote:
>
> 2026-03-17 10:29 UTC+0000 ~ Quentin Monnet <qmo@kernel.org>
> > 2026-03-12 17:03 UTC-0700 ~ Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
> >> From: Mykyta Yatsenko <yatsenko@meta.com>
> >>
> >> Introduce SKIP_LLVM, SKIP_LIBBFD, and SKIP_CRYPTO build flags that let
> >> users build bpftool without these optional dependencies.
> >>
> >> SKIP_LLVM=1 skips LLVM even when detected. SKIP_LIBBFD=1 prevents the
> >> libbfd JIT disassembly fallback when LLVM is absent. Together, they
> >> produce a bpftool with no disassembly support.
> >>
> >> SKIP_CRYPTO=1 excludes sign.c and removes the -lcrypto link dependency.
> >> Inline stubs in main.h return errors with a clear message if signing
> >> functions are called at runtime.
> >>
> >> Use BPFTOOL_WITHOUT_CRYPTO (not HAVE_LIBCRYPTO_SUPPORT) as the C
> >> define, following the BPFTOOL_WITHOUT_SKELETONS naming convention for
> >> bpftool-internal build config, leaving HAVE_LIBCRYPTO_SUPPORT free for
> >> proper feature detection in the future.
> >>
> >> All three flags are propagated through the selftests Makefile to bpftool
> >> sub-builds.
> >>
> >> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
> >
> >
> > Sorry I'm late for this one, I see Andrii applied it - I just wanted to
> > say thank you for this!
>
>
> Mykyta, Andrii,
>
> Apologies again for missing the review on this series. I'm realising
> only now that it goes beyond what we initially discussed: It adds a way
> to turn off the optional dependencies related to the disassemblers,
> which is what we agreed on, but it also makes libcrypto optional.
>
> There were previous discussions where I pushed back against making
> program signing optional in bpftool. It's one thing to have the JIT
> disassembler unavailable on a machine; but it's going to be a pain if a
> policy requires signed programs on a system, but the bpftool version
> available does not support signing. Are you really sure you want to make
> it optional? My preference would be to keep program signing a mandatory
> feature for bpftool going forward.
Hey Quentin,
I understand (and sympathize with) your stance that packaged bpftool
in distros should be fully featured, and I think we should push as
hard as necessary to have it be a case if it ever becomes not true.
But the truth is that bpftool is used in all sorts of limited
environments where its full functionality is a) not needed and b)
logistically a nightmare to build, so having Makefile-based opt-outs
for some parts seems like a decent tradeoff to keep bpftool relevant
(instead of forcing people to do some ad-hoc hacks or
reimplementations).
There is nothing stopping a packager from doing a custom patch ripping
out crypto parts of bpftool if they really decide to. Only users and
maintainers push back, really. But apart from extreme laziness, why
would upstream packagers cripple bpftool like so?
We should stay vigilant, though, and if you notice some distro cutting
corners, please bring it up on the mailing list and we'll go from
there, ok?
>
> Best regards,
> Quentin
* Re: [PATCH bpf-next v2] bpftool: Allow explicitly skip llvm, libbfd and libcrypto dependencies
From: Quentin Monnet @ 2026-03-25 17:49 UTC (permalink / raw)
To: Andrii Nakryiko
Cc: Mykyta Yatsenko, bpf, ast, andrii, daniel, kafai, kernel-team,
eddyz87, Mykyta Yatsenko
2026-03-23 13:21 UTC-0700 ~ Andrii Nakryiko <andrii.nakryiko@gmail.com>
> On Fri, Mar 20, 2026 at 5:50 PM Quentin Monnet <qmo@kernel.org> wrote:
>>
>> 2026-03-17 10:29 UTC+0000 ~ Quentin Monnet <qmo@kernel.org>
>>> 2026-03-12 17:03 UTC-0700 ~ Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
>>>> From: Mykyta Yatsenko <yatsenko@meta.com>
>>>>
>>>> Introduce SKIP_LLVM, SKIP_LIBBFD, and SKIP_CRYPTO build flags that let
>>>> users build bpftool without these optional dependencies.
>>>>
>>>> SKIP_LLVM=1 skips LLVM even when detected. SKIP_LIBBFD=1 prevents the
>>>> libbfd JIT disassembly fallback when LLVM is absent. Together, they
>>>> produce a bpftool with no disassembly support.
>>>>
>>>> SKIP_CRYPTO=1 excludes sign.c and removes the -lcrypto link dependency.
>>>> Inline stubs in main.h return errors with a clear message if signing
>>>> functions are called at runtime.
>>>>
>>>> Use BPFTOOL_WITHOUT_CRYPTO (not HAVE_LIBCRYPTO_SUPPORT) as the C
>>>> define, following the BPFTOOL_WITHOUT_SKELETONS naming convention for
>>>> bpftool-internal build config, leaving HAVE_LIBCRYPTO_SUPPORT free for
>>>> proper feature detection in the future.
>>>>
>>>> All three flags are propagated through the selftests Makefile to bpftool
>>>> sub-builds.
>>>>
>>>> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
>>>
>>>
>>> Sorry I'm late for this one, I see Andrii applied it - I just wanted to
>>> say thank you for this!
>>
>>
>> Mykyta, Andrii,
>>
>> Apologies again for missing the review on this series. I'm realising
>> only now that it goes beyond what we initially discussed: It adds a way
>> to turn off the optional dependencies related to the disassemblers,
>> which is what we agreed on, but it also makes libcrypto optional.
>>
>> There were previous discussions where I pushed back against making
>> program signing optional in bpftool. It's one thing to have the JIT
>> disassembler unavailable on a machine; but it's going to be a pain if a
>> policy requires signed programs on a system, but the bpftool version
>> available does not support signing. Are you really sure you want to make
>> it optional? My preference would be to keep program signing a mandatory
>> feature for bpftool going forward.
>
> Hey Quentin,
>
> I understand (and sympathize with) your stance that packaged bpftool
> in distros should be fully featured, and I think we should push as
> hard as necessary to have it be a case if it ever becomes not true.
> But the truth is that bpftool is used in all sorts of limited
> environments where its full functionality is a) not needed and b)
> logistically a nightmare to build, so having Makefile-based opt-outs
> for some parts seems like a decent tradeoff to keep bpftool relevant
> (instead of forcing people to do some ad-hoc hacks or
> reimplementations).
>
> There is nothing stopping a packager from doing a custom patch ripping
> out crypto parts of bpftool if they really decide to. Only users and
> maintainers push back, really. But apart from extreme laziness, why
> would upstream packagers cripple bpftool like so?
>
> We should stay vigilant, though, and if you notice some distro cutting
> corners, please bring it up on the mailing list and we'll go from
> there, ok?
Hmm OK, I still believe making it easy to turn signing off has a higher
chance to lead to the feature being unavailable, but if you actually
have a need to strip out the signing part to build and run bpftool in
production in your case, as Mykyta explains, it's a valid argument.
Let's keep the option for now, then.
Thank you both for your replies!
Quentin
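
Added example, not part of the thread or of bpftool: a check for the concern discussed above, that a host which requires signed programs may end up with a bpftool that cannot sign. It reads the "crypto" field that the patch adds to the features object of the JSON version output. The host names, version strings and sample outputs are constructed for illustration, and collecting the output with "bpftool -j version" is an assumption about how the reports are gathered.

```python
import json
from enum import Enum


class Signing(Enum):
    AVAILABLE = "available"   # features.crypto is true
    DISABLED = "disabled"     # features.crypto is false (built with SKIP_CRYPTO=1)
    UNKNOWN = "unknown"       # no "crypto" field, or output could not be parsed


def signing_status(version_json: str) -> Signing:
    """Classify one JSON version output by its features.crypto field."""
    try:
        doc = json.loads(version_json)
    except json.JSONDecodeError:
        return Signing.UNKNOWN
    features = doc.get("features") if isinstance(doc, dict) else None
    if not isinstance(features, dict) or "crypto" not in features:
        # A bpftool built before this patch does not report the field at all,
        # so its absence must not be read as either "disabled" or "available".
        return Signing.UNKNOWN
    crypto = features["crypto"]
    if crypto is True:
        return Signing.AVAILABLE
    if crypto is False:
        return Signing.DISABLED
    return Signing.UNKNOWN


def hosts_failing_policy(reports: dict, strict: bool = True) -> list:
    """Return the hosts whose bpftool cannot be relied on to sign programs.

    strict=True also flags UNKNOWN, the safe default where signed programs
    are mandatory; strict=False flags only builds that report crypto=false.
    """
    bad = {Signing.DISABLED} | ({Signing.UNKNOWN} if strict else set())
    return sorted(h for h, out in reports.items() if signing_status(out) in bad)


# Constructed sample outputs (host names and version strings are made up).
SAMPLE_REPORTS = {
    "build-01": '{"version":"0.0.0","features":{"libbfd":false,"llvm":true,'
                '"crypto":true,"skeletons":true,"bootstrap":false}}',
    "edge-07": '{"version":"0.0.0","features":{"libbfd":false,"llvm":false,'
               '"crypto":false,"skeletons":true,"bootstrap":false}}',
    "legacy-03": '{"version":"0.0.0","features":{"libbfd":true,"llvm":false,'
                 '"skeletons":true,"bootstrap":false}}',
    "broken-09": "bpftool: command not found",
}

if __name__ == "__main__":
    for host in hosts_failing_policy(SAMPLE_REPORTS):
        print(host, signing_status(SAMPLE_REPORTS[host]).value)
```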