• Should OpenSSL/libssl3 depend on brotli?

    From Sebastian Andrzej Siewior@21:1/5 to All on Sat Sep 7 00:20:01 2024
    Hi,

    Is it okay for libssl3 to depend on libbrotli? It would increase minimal installs by ~900KiB on amd64.
    tl;dr

    coreutils build-depends on libssl-dev which makes libssl essential.
    libssl already supports compression via libz and zstd. Both libraries
    are already pulled in by dpkg so letting libssl depend on them did not
    change much.
    Compression in libssl allows enabling compression in a TLS <=v1.2
    connection (TLSv1.3 does not allow it) if the client and server
    explicitly ask for it (it is off by default).

    More importantly, it also allows "TLS Certificate Compression". The
    standard specifies here zlib, brotli and zstd. Firefox seems to support
    all three of them (it appears to be disabled by default in 130 but can
    be flipped on).
    Chromium seems to support only brotli. They support content-encoding
    with zstd so someone might be able to talk them into using it also for certificate compression.

    So is it worth enabling brotli support in openssl for certificate
    compression's sake?

    Sebastian

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
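
The "TLS Certificate Compression" standard mentioned in the post above is RFC 8879: a peer lists the algorithms it can decompress in a `compress_certificate` extension (zlib = 1, brotli = 2, zstd = 3), and the sender may only compress with one of those. The following is an added example, not part of the original post and not OpenSSL code; the sample extension bytes, the build lists and the preference order are constructed assumptions. It shows why a brotli-only offer gets an uncompressed certificate from a library built with only zlib and zstd.

```python
import struct
from typing import List, Optional

# RFC 8879 code points for CertificateCompressionAlgorithm.
ZLIB, BROTLI, ZSTD = 1, 2, 3
NAMES = {ZLIB: "zlib", BROTLI: "brotli", ZSTD: "zstd"}


def parse_compress_certificate(ext_data: bytes) -> List[int]:
    """Parse compress_certificate extension_data: a one-byte length
    followed by that many bytes of uint16 algorithm identifiers."""
    if len(ext_data) < 3:
        raise ValueError("extension data too short")
    length, body = ext_data[0], ext_data[1:]
    if length != len(body) or length % 2:
        raise ValueError("malformed algorithm list")
    return [struct.unpack_from("!H", body, i)[0] for i in range(0, length, 2)]


def select_algorithm(peer_offer: List[int], built_in: List[int]) -> Optional[int]:
    """Return the first locally built-in algorithm that the peer offered,
    or None, in which case the certificate is sent uncompressed."""
    offered = set(peer_offer)
    return next((alg for alg in built_in if alg in offered), None)


def outcome(ext_data: bytes, built_in: List[int]) -> str:
    """Human-readable negotiation result for one offer and one build."""
    alg = select_algorithm(parse_compress_certificate(ext_data), built_in)
    return NAMES.get(alg, "uncompressed")


# Constructed sample offers (not captured traffic).
OFFER_ALL_THREE = bytes.fromhex("06000100020003")  # zlib, brotli, zstd
OFFER_BROTLI_ONLY = bytes.fromhex("020002")        # brotli only

# Assumed library builds, listed in an assumed local preference order.
BUILD_ZLIB_ZSTD = [ZSTD, ZLIB]
BUILD_WITH_BROTLI = [ZSTD, ZLIB, BROTLI]

if __name__ == "__main__":
    offers = (("all three", OFFER_ALL_THREE), ("brotli only", OFFER_BROTLI_ONLY))
    for label, offer in offers:
        for build in (BUILD_ZLIB_ZSTD, BUILD_WITH_BROTLI):
            names = [NAMES[a] for a in build]
            print(f"offer {label:11} build {names} -> {outcome(offer, build)}")
```
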
  • From Guillem Jover@21:1/5 to Sebastian Andrzej Siewior on Sat Sep 7 01:30:01 2024
    Hi!

    On Sat, 2024-09-07 at 00:12:58 +0200, Sebastian Andrzej Siewior wrote:
    > Is it okay for libssl3 to depend on libbrotli? It would increase minimal installs by ~900KiB on amd64.
    > tl;dr
    >
    > coreutils build-depends on libssl-dev which makes libssl essential.
    > libssl already supports compression via libz and zstd. Both libraries
    > are already pulled in by dpkg so letting libssl depend on them did not
    > change much.

    Perhaps an alternative option would be to switch coreutils to use
    libmd instead of libcrypto? It seems to contain all the needed algos
    that are currently used by coreutils, and it is already part of the pseudo-essential set via dpkg and passwd via libbsd. This would reduce
    the pseudo-essential set size, and also free you from this constraint
    when deciding whether to include brotli (or future new dependencies).

    Thanks,
    Guillem

  • From Sebastian Andrzej Siewior@21:1/5 to Guillem Jover on Sat Sep 7 11:50:01 2024
    On 2024-09-07 01:25:29 [+0200], Guillem Jover wrote:
    > Hi!
    Hi Guillem,

    > Perhaps an alternative option would be to switch coreutils to use
    > libmd instead of libcrypto? It seems to contain all the needed algos
    > that are currently used by coreutils, and it is already part of the pseudo-essential set via dpkg and passwd via libbsd. This would reduce
    > the pseudo-essential set size, and also free you from this constraint
    > when deciding whether to include brotli (or future new dependencies).

    What is the benefit of reducing the pseudo-essential size? I have
    libssl installed on all of my systems since it is pulled in at least by openssh.

    The benefit of using openssl for crypto is that the algorithms are highly optimized for a wide set of architectures. This is a benefit. Especially
    for tools like sha1sum where you could iterate over large files. Also on
    modern CPUs sha1 outperforms md5 ;)

    > Thanks,
    > Guillem

    Sebastian

  • From Simon McVittie@21:1/5 to Sebastian Andrzej Siewior on Sat Sep 7 12:20:01 2024
    On Sat, 07 Sep 2024 at 11:41:34 +0200, Sebastian Andrzej Siewior wrote:
    > What is the benefit of reducing the pseudo-essential size? I have
    > libssl installed on all of my systems since it is pulled in at least by openssh.

    chroots/containers, mainly. I'm sure you have openssh installed on all
    your bootable full systems, the same way you have other system-level
    components (fsck, init, login, mount, kernel, initramfs-tools, bootloader)
    on all your bootable full systems; but that doesn't mean it's desirable
    to have all of those installed in every chroot/container.

    smcv

  • From Helmut Grohne@21:1/5 to Sebastian Andrzej Siewior on Mon Sep 9 16:00:01 2024
    Hi Sebastian,

    On Sat, Sep 07, 2024 at 12:12:58AM +0200, Sebastian Andrzej Siewior wrote:
    > Is it okay for libssl3 to depend on libbrotli? It would increase minimal installs by ~900KiB on amd64.

    Thanks for reaching out. From a purely architecture bootstrap centric
    view, I approve your request. brotli has few dependencies and needs to
    be built during architecture bootstrap already for curl and freetype. It
    can be built before openssl at no extra effort.

    I make no claims about other aspects of the proposed change.

    Helmut
