> On 27 Sep 2021, at 23:50, Robin H. Johnson wrote:
>
> Deadline for responses: 2021/10/14!
>
> The Foundation would like to propose that RedHat/Fedora "hobble" patch
> presently applied when USE=bindist is true shall be removed from
> dev-libs/openssl.
>
> RedHat's stated reasons for the patch were originally to avoid any patent
> concerns, but they have also morphed over time to present some "insecure"
> things from being used entirely:
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
> "All ECC curves < 224 bits (since RHEL 6)"
> "All binary field ECC curves (since RHEL 6)"
>
> However, the Foundation would also like to be sure that no users feel that
> patchset provides something critical to their usage of Gentoo.
>
> If nobody speaks up as saying that the "hobble" patch is REQUIRED for their use
> cases, the Foundation proposes that usage of the patchset be dropped from the
> main tree.
>
> Any users who might be concerned about patent compliance are encouraged to do
> their own due diligence, as OpenSSL was the only Gentoo package that shipped
> this type of patch, and even Fedora's upstream did not completely patch out EC
> in other packages.
>
> [snip]

Thanks for this. You've ended up addressing the comments & concerns I raised
the other day on the (slightly derailed) other thread [0].

There's a PR on this on GitHub too [1] to handle the removal.

As I suspect was already clear, I support this move in the absence of new
information (which I suspect will not be forthcoming).

[0] https://archives.gentoo.org/gentoo-dev/message/99551035af66db79f60c6bd8ef7138a8
[1] https://github.com/gentoo/gentoo/pull/18894

best,
sam