
Re: openssl-vulnkey and python



On Thursday 27 August 2009, Ron wrote:
> On Thu, Aug 27, 2009 at 07:39:04AM +0100, Neil Williams wrote:
> > On Thu, 27 Aug 2009 15:46:51 +0930
> >
> > Ron <ron@debian.org> wrote:
> > > On Thu, Aug 27, 2009 at 07:09:04AM +0100, Neil Williams wrote:
> > > > On Thu, 27 Aug 2009 15:12:20 +0930
> > > >
> > > > Ron <ron@debian.org> wrote:
> > > > > On Wed, Aug 26, 2009 at 08:16:18PM +0100, David Goodenough wrote:
> > > > > > Actually it is openssl-blacklist that contains openssl-vulnkey,
> > > > > > and in sid openssl depends on that.  And as openssl-vulnkey is
> > > > > > written in python it is rather needed.
> >
> > If openssl did depend on the blacklist that would be a Policy violation
> > as it would make a circular dependency - the blacklist depends on
> > openssl, not vice versa.
> >
> > Is something else bringing in the blacklist?
>
> Looks like ssl-cert and openvpn are the prime candidates for dragging
> that in as a hard dep.  A bunch of other packages depend on ssl-cert.
>
> > OK, misread that but openssl itself doesn't depend on the blacklist, do
> > you really need the SSL blacklist itself on an embedded device?
>
> Depends on the device I guess.  Mostly I've just noticed that python
> is getting near impossible to get rid of on any $real system, and the
> reasons for that are mostly quite spurious like this one.

Maybe what is needed is a package which pretends to be openssl-blacklist
but actually does nothing.  If it is installed first it would prevent the real
one being pulled in.  Would a simple Provides: be sufficient?  If the key is
generated on another machine then it can be checked there, and the
real blacklist is only needed on the machine where it is generated or on
client machines that access it.

I use openssl-server on all my boxes.  I found dropbear had problems
although for the life of me I can not remember what they were, and so I
went back to openssl-server and never tried dropbear again.  I think that
the problem was interoperability, I already had openssl-server in the
field and could not persuade dropbear to act in the same way with the
same keys - but my memory may be playing tricks on me.

David
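The stand-in package suggested above, worked through as an added example (this is not code from the thread, from openssl-blacklist or from any Debian package). It writes a minimal DEBIAN/control with "Provides: openssl-blacklist" and no dependency on python, builds the .deb where dpkg-deb is available, and includes the one check worth doing before relying on it: a bare Provides: only satisfies an unversioned dependency, so if ssl-cert or openvpn were to say "openssl-blacklist (>= ...)" the dummy would not keep the real package out. The package name openssl-blacklist-dummy, the version and the maintainer address are assumptions; the Depends strings fed to the check are constructed for illustration, and on a real box you would feed it the live field from dpkg-query instead.

```shell
#!/bin/sh
# Added example, not from the thread: a stand-in package that satisfies the
# openssl-blacklist dependency without pulling in python, plus a check for the
# case where a bare Provides: is NOT enough.  Package name, version and
# maintainer below are assumptions chosen for illustration.
set -e

DUMMY=openssl-blacklist-dummy   # assumed name for the stand-in package
REAL=openssl-blacklist          # the package whose dependency it satisfies

# Emit a minimal DEBIAN/control stanza.  "Provides: openssl-blacklist" makes
# dpkg/apt treat this package as satisfying "Depends: openssl-blacklist";
# it has no Depends of its own, so nothing (python included) is dragged in.
dummy_control() {
    cat <<EOF
Package: $DUMMY
Version: 0.0.1
Section: misc
Priority: optional
Architecture: all
Maintainer: Example Maintainer <maintainer@example.invalid>
Provides: $REAL
Description: empty stand-in for $REAL
 Satisfies the $REAL dependency on devices where the
 OpenSSL blacklist is never used and python is unwanted.
EOF
}

# Build the .deb at the path given as $1.  Needs dpkg-deb; on a host without
# it, the control file is written and its location reported on stderr.
# Install the result BEFORE ssl-cert/openvpn so apt never resolves the
# dependency to the real package.
build_dummy() {
    out=$1
    work=$(mktemp -d)
    mkdir -p "$work/DEBIAN"
    dummy_control > "$work/DEBIAN/control"
    if command -v dpkg-deb >/dev/null 2>&1; then
        dpkg-deb --build "$work" "$out"
    else
        echo "dpkg-deb not available; control file left in $work/DEBIAN/control" >&2
    fi
}

# The caveat: a plain Provides: satisfies only an UNVERSIONED dependency.
# If some package says "Depends: openssl-blacklist (>= 0.4)", the dummy will
# not satisfy it and apt will still install the real package.
# $1 = package name, $2 = a Depends/Pre-Depends field as dpkg prints it.
# Returns 0 if some clause depends on $1 with a version relation.
has_versioned_dep() {
    pkg=$1
    deps=$2
    # Split on "," (conjunction) and "|" (alternatives), strip leading
    # blanks, then look for "<pkg> (" i.e. a version relation after the name.
    printf '%s\n' "$deps" | tr ',|' '\n\n' | sed 's/^[[:space:]]*//' \
        | grep -q "^$pkg[[:space:]]*("
}

# Usage on a real system (assumed invocations, shown here as comments):
#   build_dummy ./openssl-blacklist-dummy_0.0.1_all.deb
#   apt-cache rdepends openssl-blacklist          # who would need the dummy
#   has_versioned_dep openssl-blacklist \
#       "$(dpkg-query -W -f='${Depends}' ssl-cert)" && echo "versioned: dummy insufficient"
```

If has_versioned_dep reports a versioned dependency for any reverse dependency you intend to keep, the Provides: trick alone will not hold and that package's dependency (or the dummy) needs adjusting before the real blacklist can stay off the device.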

