
#1 2009-05-31 21:58:11

keenerd
Package Maintainer (PM)
Registered: 2007-02-22
Posts: 647
Website

OpenSSL and Perl

I've been working on Xyne's feature requests for Pacgraph.  He thought it would be cool if there were some way to quickly explore the dependencies of stuff and how packages fit together.

Here's an interesting relationship:  OpenSSL and Perl.  If you chase OpenSSL's deps all the way down to glibc, you'll find it needs 135Mb.  The single biggest dep is Perl, at 38Mb.  I would hope Perl is important to its function.

Searching the net found a Gentoo bug report about this.  It was closed as CantFix because "the stupid build system uses perl".  As a binary distro, it sounds like Perl should be a makedep.  (Assuming the build system is unchanged.  The bug report was from 5 years ago.)

Searching "pacman -Ql openssl" reveals exactly one Perl script:  /etc/ssl/misc/CA.pl and its associated manpage.  Also present is a shell script (/etc/ssl/misc/CA.sh) which does the same thing (but does not have a manpage).

Is there any reason to have a Perl dependency for just this one duplicated script?  Am I missing something?  I know tweaks to OpenSSL  should not be taken lightly, we would not want to end up like Debian.

Offline

#2 2009-05-31 23:33:12

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: OpenSSL and Perl

I know tweaks to OpenSSL  should not be taken lightly, we would not want to end up like Debian.

Uh, I don't know that story - what happened?

Does CA.pl have to do sth w/ CA-certificates?
I think automake uses perl.

Last edited by karol (2009-05-31 23:34:29)

Offline

#3 2009-06-01 01:28:39

keenerd
Package Maintainer (PM)
Registered: 2007-02-22
Posts: 647
Website

Re: OpenSSL and Perl

They removed a portion of the PRNG to make it debugger friendly.  This broke the keygen for Debian/Ubuntu/friends.  Here is a more detailed summary of the Debian mess: http://www.links.org/?p=328

From CA.pl's manpage:

The CA.pl script is a perl script that supplies the relevant command line arguments to the openssl command for some common certificate operations.  It is intended to simplify the process of certificate creation and management by the use of some simple options.

Personally, I've never used it for creating certs.  I've never seen it referenced in any SSL tutorial or guide.  Beyond the man page, it is mentioned once on OpenSSL's site.

http://rt.openssl.org/Ticket/Display.ht … pass=guest

The devs say the Perl script is only there for systems lacking Bash, mainly just Windows.  Do we need this dependency just for Windows' sake?

Last edited by keenerd (2009-06-01 01:36:06)

Offline

#4 2009-06-01 01:34:48

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963
Website

Re: OpenSSL and Perl

karol wrote:

I know tweaks to OpenSSL  should not be taken lightly, we would not want to end up like Debian.

http://research.swtch.com/2008/05/lesso … iasco.html

Summary: the Debian OpenSSL maintainer commented out some code to silence some harmless warning messages and thus crippled the pseudo-random generator. Among other consequences, it reduced the number of different SSH keys that could be generated to 32,767. It seems this wasn't detected for nearly 2 years.

Moral of the story: don't tweak code in security packages unless you really know what you're doing.





As for the original question in this thread: I have no idea if Perl could be relegated to a makedep or optdep.

Last edited by Xyne (2009-06-01 01:35:51)


My Arch Linux Stuff | Forum Etiquette | Community Ethos - Arch is not for everyone

Offline

#5 2009-06-01 02:08:31

djgera
Developer
From: Buenos Aires - Argentina
Registered: 2008-12-24
Posts: 723
Website

Re: OpenSSL and Perl

hehe this was a question that would make it to the mailing list...

perl is used only in openssl for the script /usr/bin/c_rehash
This script is not used in the scriptlet by openssl; it is used, for example, by the ca-certificates package.

Then my question is: should perl be only an optdepends in openssl, but a depends in ca-certificates and other packages that use /usr/bin/c_rehash? :)

It is interesting when making a chroot where you don't need perl but need openssl, for example ;)

Last edited by djgera (2009-06-01 02:09:39)

Offline

#6 2009-06-01 03:52:59

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,385
Website

Re: OpenSSL and Perl

I'd say go ahead and file a bug report asking for perl to be moved to optdeps for openssl and added as a dep to ca_certificates.

Offline

#7 2009-06-01 04:53:39

keenerd
Package Maintainer (PM)
Registered: 2007-02-22
Posts: 647
Website

Re: OpenSSL and Perl

Ah, I forgot about that one.  Thanks.  Those are the only two that come up in

cat /var/lib/pacman/local/openssl-0.9.8k-2/files | xargs file | grep perl

Bug posted: http://bugs.archlinux.org/task/14903

I was considering brushing off my Perl and translating c_rehash to a shell script (it is just two-ish pages and makes symlinks), but it seems someone has already done that:
http://mail-index.netbsd.org/tech-crypt … /0000.html

Also seems this exact script is used in an NSLU2 distro to avoid a Perl dep.

Now I am trying to figure out why this script never made it into mainline.

Last edited by keenerd (2009-06-01 05:06:03)

Offline
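The audit from the post above, as an added example that is not part of the original thread: it walks a pacman-style file list and reports every file whose shebang line invokes Perl, which is the evidence needed before moving an interpreter from depends to optdepends. The function names, the sample tree and the file contents are constructed for illustration; the list format assumed is one path per line relative to a root directory, with header lines such as %FILES%.

```shell
#!/bin/sh
# Added example: find the files in a package file list that need Perl at runtime.
# Assumption: LIST holds one path per line, relative to ROOT (pacman "files" style).

perl_scripts() {
    root=$1 list=$2
    while IFS= read -r path; do
        f="$root/$path"
        [ -f "$f" ] || continue   # skips %FILES%, blank lines and directory entries
        # Only the first line selects the interpreter. Match "#!/path/perl" and
        # "#!/path/env perl", with or without trailing options such as "-w".
        if head -n 1 "$f" 2>/dev/null |
            grep -Eq '^#![[:space:]]*([^[:space:]]*/)?(env[[:space:]]+)?perl([[:space:]]|$)'
        then
            printf '%s\n' "$path"
        fi
    done < "$list"
}

# Constructed sample tree standing in for an installed package (not real file contents).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ssl/misc" "$d/usr/bin"
    printf '#!/usr/bin/perl\n'     > "$d/etc/ssl/misc/CA.pl"
    printf '#!/bin/sh\n'           > "$d/etc/ssl/misc/CA.sh"
    printf '#!/usr/bin/env perl\n' > "$d/usr/bin/c_rehash"
    printf '\177ELF\n'             > "$d/usr/bin/openssl"
    printf '%s\n' '%FILES%' etc/ etc/ssl/misc/CA.pl etc/ssl/misc/CA.sh \
        usr/bin/c_rehash usr/bin/openssl > "$d/files"
    printf '%s\n' "$d"
}

sample=$(make_sample)
perl_scripts "$sample" "$sample/files"
rm -rf "$sample"
```

Checking the shebang rather than the file extension catches scripts like c_rehash that carry no .pl suffix.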

#8 2014-01-11 15:57:34

Spider.007
Member
Registered: 2004-06-20
Posts: 1,175

Re: OpenSSL and Perl

I was about to open the exact same issue on the bugtracker; it really is too bad this was never changed. Would it really be that bad to replace the perl script with the posix-shell variant, as other distros have been doing?

It seems openssl doesn't really care either

Offline

#9 2014-01-12 16:40:18

Xyne
Administrator/PM
Registered: 2008-08-03
Posts: 6,963
Website

Re: OpenSSL and Perl

@Spider.007
Post a request to re-open the ticket and repost your comment there. This thread is dead and bumping it is against our policy.

Closing.


p.s. Your link leads to a login screen.



Offline
