[gentoo-dev] [PATCH] use.desc: Correct/clarify SSL/TLS-related flags

[gentoo-dev] [PATCH] use.desc: Correct/clarify SSL/TLS-related flags

[Michał Górny]

Correct the description of SSL/TLS-related flags to match their modern
use. USE=ssl is a feature flag that enables support for SSL/TLS,
while USE=gnutls and USE=libressl are implementation toggling flags.

Unify the descriptions a bit. Make sure to mention both SSL and TLS
to avoid confusion. Inform about the necessity of enabling USE=ssl
in both implementation flags, and replace 'might' with 'if present'.
---
 profiles/use.desc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/profiles/use.desc b/profiles/use.desc
index 43423a017a5f..4ac5d5ad6136 100644
--- a/profiles/use.desc
+++ b/profiles/use.desc
@@ -119,7 +119,7 @@ gmp - Add support for dev-libs/gmp (GNU MP library)
 gnome - Add GNOME support
 gnome-keyring - Enable support for storing passwords via gnome-keyring
 gnuplot - Enable support for gnuplot (data and function plotting)
-gnutls - Add support for net-libs/gnutls (TLS 1.0 and SSL 3.0 support)
+gnutls - Prefer net-libs/gnutls as SSL/TLS provider (requires USE=ssl if present)
 gphoto2 - Add digital camera support
 gpm - Add support for sys-libs/gpm (Console-based mouse driver)
 gps - Add support for Global Positioning System
@@ -179,7 +179,7 @@ libcaca - Add support for colored ASCII-art graphics
 libedit - Use the libedit library (replacement for readline)
 libffi - Enable support for Foreign Function Interface library
 libnotify - Enable desktop notification support
-libressl - Use dev-libs/libressl as SSL provider (might need ssl USE flag), packages should not depend on this USE flag
+libressl - Use dev-libs/libressl instead of dev-libs/openssl as SSL/TLS provider (requires USE=ssl if present), packages should not depend on this USE flag
 libsamplerate - Build with support for converting sample rates using libsamplerate
 libwww - Add libwww support (General purpose WEB API)
 lirc - Add support for lirc (Linux's Infra-Red Remote Control)
@@ -319,7 +319,7 @@ sox - Add support for Sound eXchange (SoX)
 speex - Add support for the speex audio codec (used for speech)
 spell - Add dictionary support
 sqlite - Add support for sqlite - embedded sql database
-ssl - Add support for Secure Socket Layer connections
+ssl - Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
 startup-notification - Enable application startup event feedback mechanism
 static - !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
 static-libs - Build static versions of dynamic libraries as well
-- 
2.16.1

Re: [gentoo-dev] [PATCH] use.desc: Correct/clarify SSL/TLS-related flags

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 648 bytes --]

On 01/30/2018 11:11 PM, Michał Górny wrote:
> Correct the description of SSL/TLS-related flags to match their modern
> use. USE=ssl is a feature flag that enables support for SSL/TLS,
> while USE=gnutls and USE=libressl are implementation toggling flags.
> 
> Unify the descriptions a bit. Make sure to mention both SSL and TLS
> to avoid confusion. Inform about the necessity of enabling USE=ssl
> in both implementation flags, and replace 'might' with 'if present'.
> 
+1 / Reviewed-By

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-dev] [PATCH] use.desc: Correct/clarify SSL/TLS-related flags

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 2984 bytes --]

>>>>> On Tue, 30 Jan 2018, Michał Górny wrote:

> Correct the description of SSL/TLS-related flags to match their modern
> use. USE=ssl is a feature flag that enables support for SSL/TLS,
> while USE=gnutls and USE=libressl are implementation toggling flags.

> Unify the descriptions a bit. Make sure to mention both SSL and TLS
> to avoid confusion. Inform about the necessity of enabling USE=ssl
> in both implementation flags, and replace 'might' with 'if present'.
> ---
>  profiles/use.desc | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)

> diff --git a/profiles/use.desc b/profiles/use.desc
> index 43423a017a5f..4ac5d5ad6136 100644
> --- a/profiles/use.desc
> +++ b/profiles/use.desc
> @@ -119,7 +119,7 @@ gmp - Add support for dev-libs/gmp (GNU MP library)
>  gnome - Add GNOME support
>  gnome-keyring - Enable support for storing passwords via gnome-keyring
>  gnuplot - Enable support for gnuplot (data and function plotting)
> -gnutls - Add support for net-libs/gnutls (TLS 1.0 and SSL 3.0 support)
> +gnutls - Prefer net-libs/gnutls as SSL/TLS provider (requires USE=ssl if present)

NACK. This seems to imply that USE="-ssl gnutls" is not a valid
configuration? What if the user prefers gnutls and therefore has
globally enabled the gnutls flag, but -ssl for a single package?

How about "(needs USE=ssl to take effect)" instead?

>  gphoto2 - Add digital camera support
>  gpm - Add support for sys-libs/gpm (Console-based mouse driver)
>  gps - Add support for Global Positioning System
> @@ -179,7 +179,7 @@ libcaca - Add support for colored ASCII-art graphics
>  libedit - Use the libedit library (replacement for readline)
>  libffi - Enable support for Foreign Function Interface library
>  libnotify - Enable desktop notification support
> -libressl - Use dev-libs/libressl as SSL provider (might need ssl USE flag), packages should not depend on this USE flag
> +libressl - Use dev-libs/libressl instead of dev-libs/openssl as SSL/TLS provider (requires USE=ssl if present), packages should not depend on this USE flag

Same here.

>  libsamplerate - Build with support for converting sample rates using libsamplerate
>  libwww - Add libwww support (General purpose WEB API)
>  lirc - Add support for lirc (Linux's Infra-Red Remote Control)
> @@ -319,7 +319,7 @@ sox - Add support for Sound eXchange (SoX)
>  speex - Add support for the speex audio codec (used for speech)
>  spell - Add dictionary support
>  sqlite - Add support for sqlite - embedded sql database
> -ssl - Add support for Secure Socket Layer connections
> +ssl - Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
>  startup-notification - Enable application startup event feedback mechanism
>  static - !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
>  static-libs - Build static versions of dynamic libraries as well
> -- 
> 2.16.1

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-dev] [PATCH] use.desc: Correct/clarify SSL/TLS-related flags

[Kristian Fiskerstrand]

[-- Attachment #1.1: Type: text/plain, Size: 1468 bytes --]

On 01/31/2018 12:22 AM, Ulrich Mueller wrote:
>>  gnome-keyring - Enable support for storing passwords via gnome-keyring
>>  gnuplot - Enable support for gnuplot (data and function plotting)
>> -gnutls - Add support for net-libs/gnutls (TLS 1.0 and SSL 3.0 support)
>> +gnutls - Prefer net-libs/gnutls as SSL/TLS provider (requires USE=ssl if present)
> NACK. This seems to imply that USE="-ssl gnutls" is not a valid
> configuration? What if the user prefers gnutls and therefore has
> globally enabled the gnutls flag, but -ssl for a single package?
> 
> How about "(needs USE=ssl to take effect)" instead?
> 

as I understand it ssl is intended as a generic use flag, of which
gnutls can be one of the providers. In the case of of app-crypt/gnupg
there are only two possible providers, gnutls, and ntbtls, of which only
one is available in tree, so gnutls is the only one, so the only one
relevant for Gentoo is gnutls, hence no use flag for it, either TLS is
enabled, or it is not.

in this scenario I don't see why "ssl -gnutls" would not be a valid
configuration as long as ssl is a generic use flag as it is presented to
be. It doesn't mean never install gnutls, but just not preferring it in
cases where there are other providers of ssl/tls, that the global
description already indicate.

-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

Re: [gentoo-dev] [PATCH] use.desc: Correct/clarify SSL/TLS-related flags

[Gordon Pettey]

On Tue, Jan 30, 2018 at 5:22 PM, Ulrich Mueller <ulm@gentoo.org> wrote:
>>>>>> On Tue, 30 Jan 2018, Michał Górny wrote:
> NACK. This seems to imply that USE="-ssl gnutls" is not a valid
> configuration? What if the user prefers gnutls and therefore has
> globally enabled the gnutls flag, but -ssl for a single package?

Because having gnutls enabled and ssl disabled, if a package has both
flags, is nonsense? What is "I want gnutls but I don't want support
for SSL/TLS" supposed to do?

Re: [gentoo-dev] [PATCH] use.desc: Correct/clarify SSL/TLS-related flags

[Ulrich Mueller]

[-- Attachment #1: Type: text/plain, Size: 747 bytes --]

>>>>> On Tue, 30 Jan 2018, Gordon Pettey wrote:

> On Tue, Jan 30, 2018 at 5:22 PM, Ulrich Mueller <ulm@gentoo.org> wrote:
>> NACK. This seems to imply that USE="-ssl gnutls" is not a valid
>> configuration? What if the user prefers gnutls and therefore has
>> globally enabled the gnutls flag, but -ssl for a single package?

> Because having gnutls enabled and ssl disabled, if a package has
> both flags, is nonsense? What is "I want gnutls but I don't want
> support for SSL/TLS" supposed to do?

The gnutls flag doesn't have the meaning "I want gnutls". It has
the meaning "I prefer net-libs/gnutls as SSL/TLS provider". So with
USE="-ssl" the gnutls flag is a no-op, and neither the ebuild nor
the user should have to care about it.

Ulrich

[-- Attachment #2: Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-dev] [PATCH] use.desc: Correct/clarify SSL/TLS-related flags

[nado]

January 31, 2018 10:53 AM, "Ulrich Mueller" <ulm@gentoo.org> wrote:
> The gnutls flag doesn't have the meaning "I want gnutls". It has
> the meaning "I prefer net-libs/gnutls as SSL/TLS provider". So with
> USE="-ssl" the gnutls flag is a no-op, and neither the ebuild nor
> the user should have to care about it.
> 
> Ulrich

I agree, it is bothersome to have to add extra negative use flags when it could be ignored.

--
Corentin “Nado” Pazdera

[gentoo-dev] [PATCH v2] use.desc: Correct/clarify SSL/TLS-related flags

[Michał Górny]

Correct the description of SSL/TLS-related flags to match their modern
use. USE=ssl is a feature flag that enables support for SSL/TLS,
while USE=gnutls and USE=libressl are implementation toggling flags.

Unify the descriptions a bit. Make sure to mention both SSL and TLS
to avoid confusion. Inform about the necessity of enabling USE=ssl
in both implementation flags, and replace 'might' with 'if present'.
---
 profiles/use.desc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

[v2: improve ssl flag relevance based on suggestion from Ulrich,
 but I've tried to keep it shorter]

diff --git a/profiles/use.desc b/profiles/use.desc
index 43423a017a5f..5cdf9808d2b6 100644
--- a/profiles/use.desc
+++ b/profiles/use.desc
@@ -119,7 +119,7 @@ gmp - Add support for dev-libs/gmp (GNU MP library)
 gnome - Add GNOME support
 gnome-keyring - Enable support for storing passwords via gnome-keyring
 gnuplot - Enable support for gnuplot (data and function plotting)
-gnutls - Add support for net-libs/gnutls (TLS 1.0 and SSL 3.0 support)
+gnutls - Prefer net-libs/gnutls as SSL/TLS provider (ineffective with USE=-ssl)
 gphoto2 - Add digital camera support
 gpm - Add support for sys-libs/gpm (Console-based mouse driver)
 gps - Add support for Global Positioning System
@@ -179,7 +179,7 @@ libcaca - Add support for colored ASCII-art graphics
 libedit - Use the libedit library (replacement for readline)
 libffi - Enable support for Foreign Function Interface library
 libnotify - Enable desktop notification support
-libressl - Use dev-libs/libressl as SSL provider (might need ssl USE flag), packages should not depend on this USE flag
+libressl - Use dev-libs/libressl instead of dev-libs/openssl as SSL/TLS provider (ineffective with USE=-ssl), packages should not depend on this USE flag
 libsamplerate - Build with support for converting sample rates using libsamplerate
 libwww - Add libwww support (General purpose WEB API)
 lirc - Add support for lirc (Linux's Infra-Red Remote Control)
@@ -319,7 +319,7 @@ sox - Add support for Sound eXchange (SoX)
 speex - Add support for the speex audio codec (used for speech)
 spell - Add dictionary support
 sqlite - Add support for sqlite - embedded sql database
-ssl - Add support for Secure Socket Layer connections
+ssl - Add support for SSL/TLS connections (Secure Socket Layer / Transport Layer Security)
 startup-notification - Enable application startup event feedback mechanism
 static - !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
 static-libs - Build static versions of dynamic libraries as well
-- 
2.16.1