
Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?



Hi all,

Sorry for posting to a general channel. I didn't know that :(

BoringSSL is also free software; as long as there are maintainers who
are willing to spend time on it, I think it has the right to exist in
Debian. Well, I have not been contributing to Debian for long, so
please point out my mistakes. :)

I understand that the security team do not want to support it, but
what if you don't have to? This package places BoringSSL in a private
directory which is isolated from other libraries, and only the Android SDK
is using the libraries. Hence all the other packages will continue to
use OpenSSL and will not be affected by BoringSSL.

Actually we have already packaged Google's forks of libselinux
<https://packages.debian.org/source/sid/android-platform-external-libselinux>
and libunwind <https://packages.debian.org/source/sid/android-platform-external-libunwind>.
They are isolated from other libraries and won't affect other
packages.

Regards,
Kai-Chung Yan

2016-05-14 4:31 GMT+08:00 Elmar Stellnberger <estellnb@gmail.com>:
>   Just wanted to tell that I am quite happy not to have BoringSSL in Debian
> - main. I think it is depeerable there apart from the security risk of
> adopting the SSL package from a company which was largely funded by
> intelligence services and the Pentagon. I would rather like to see OpenBSD's
> libressl as an option for Debian. I believe the OpenBSD programmers have
> done a pretty good job at it!
>
> Elmar
>
>
> On 2016-05-13 at 08:44, Moritz Mühlenhoff wrote:
>>
>> 殷啟聰 <seamlikok@gmail.com> wrote:
>>>
>>> Dear Debian Security Team,
>>
>>
>> Our contact address is team@security.debian.org, not debian-security...
>>
>>> The "android-tools" packaging team
>>>
>>> <https://qa.debian.org/developer.php?login=android-tools-devel%40lists.alioth.debian.org>
>>> are introducing BoringSSL, a fork of OpenSSL by Google. The latest
>>> Android OS and its SDK no longer use OpenSSL and they use some APIs
>>> only provided by BoringSSL, hence we are bringing BoringSSL to Debian.
>>> You can see the ITP at <https://bugs.debian.org/823933>.
>>
>>
>> No, that's not acceptable. You can try to provide those additional APIs
>> on top of OpenSSL, but we're not going to support an entire OpenSSL
>> fork just for Google's NIH syndrome.
>>
>> Cheers,
>>         Moritz
>>
>



-- 
/*
* 殷啟聰 | Kai-Chung Yan
* In life, I bow only to truth and to my wife
* Undergraduate student in National Taichung University of Education
* LinkedIn: <https://linkedin.com/in/seamlik>
* Blog: <http://seamlik.logdown.com>
*/

