Hi,

On Fri, 23 Apr 2021 10:23:33 +0200 Andrej Shadura <andre...@debian.org> wrote:
> > ca-certificates devscripts git-buildpackage libconfig-model-dpkg-perl
> > liblwp-protocol-https-perl libsoap-lite-perl libwww-perl libxml-parser-perl
> > libxml-sax-expat-perl libxmlrpc-lite-perl openssl osc osc-plugin-dput
> > osc-plugins-dput python3-certifi python3-requests
>
> On my normal system, it forces the removal of 358 packages including a
> huge number of my development tools, the editor and parts of the desktop
> environment.
>
> Please implement what this requirement was supposed to accomplish in a
> different way not requiring removing openssl.

I’ve submitted a merge request fixing this issue:
https://salsa.debian.org/tcltk-team/tcltls/-/merge_requests/1

For your convenience, it’s also attached to this message as a patch.

--
Cheers,
Andrej
>From dd49455561b836d43806296411ae1fa0b8660708 Mon Sep 17 00:00:00 2001 From: Andrej Shadura <andrew.shad...@collabora.co.uk> Date: Fri, 23 Apr 2021 11:14:50 +0200 Subject: [PATCH] Remove build-conflicts on openssl, but explicitly use the fallback MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Conflicting with openssl causes too much trouble, since it also transitively conflicts with devscripts and ca-certificates. Also, if curl or wget happen to be installed, dh params will be downloaded from a remote host, which may be dangerous if it’s taken over by a hostile entity. Instead, remove the build-conflicts and comment out the generation and the download. Closes: #987397 Signed-off-by: Andrej Shadura <andrew.shad...@collabora.co.uk> --- debian/control | 1 - debian/patches/series | 1 + debian/patches/use-predefined-dh-params.patch | 48 +++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 debian/patches/use-predefined-dh-params.patch diff --git a/debian/control b/debian/control index cacdd14..3ca210a 100644 --- a/debian/control +++ b/debian/control @@ -4,7 +4,6 @@ Priority: optional Maintainer: Debian Tcl/Tk Packagers <pkg-tcltk-de...@lists.alioth.debian.org> Uploaders: Muammar El Khatib <muam...@debian.org>, Sergei Golovan <sgolo...@debian.org> Build-Depends: debhelper (>= 10), libssl-dev, tcl-dev (>= 8.5), chrpath -Build-Conflicts: openssl Standards-Version: 4.5.0 Homepage: https://core.tcl.tk/tcltls Vcs-Browser: https://salsa.debian.org/tcltk-team/tcltls diff --git a/debian/patches/series b/debian/patches/series index c623976..a300498 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,4 @@ hostname-tests.patch cipher-tests.patch certs-tests.patch fall-through.patch +use-predefined-dh-params.patch diff --git a/debian/patches/use-predefined-dh-params.patch b/debian/patches/use-predefined-dh-params.patch new file mode 100644 index 0000000..735f2bc --- /dev/null 
+++ b/debian/patches/use-predefined-dh-params.patch @@ -0,0 +1,48 @@ +From: Andrej Shadura <andrew.shad...@collabora.co.uk> +Date: Fri, 23 Apr 2021 11:11:31 +0200 +Subject: Make sure predefined primes are used instead of generating/downloading them + +Conflicting with openssl causes too much trouble, since it also +transitively conflicts with devscripts and ca-certificates. Also, +if curl or wget happen to be installed, dh params will be downloaded +from a remote host, which may be dangerous if it’s taken over by a +hostile entity. + +Instead, remove the build-conflicts and comment out the generation and +the download. + +Signed-off-by: Andrej Shadura <andrew.shad...@collabora.co.uk> + +Bug-Debian: https://bugs.debian.org/987397 +--- + debian/control | 1 - + gen_dh_params | 4 ++-- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/debian/control b/debian/control +index cacdd14..3ca210a 100644 +--- a/debian/control ++++ b/debian/control +@@ -4,7 +4,6 @@ Priority: optional + Maintainer: Debian Tcl/Tk Packagers <pkg-tcltk-de...@lists.alioth.debian.org> + Uploaders: Muammar El Khatib <muam...@debian.org>, Sergei Golovan <sgolo...@debian.org> + Build-Depends: debhelper (>= 10), libssl-dev, tcl-dev (>= 8.5), chrpath +-Build-Conflicts: openssl + Standards-Version: 4.5.0 + Homepage: https://core.tcl.tk/tcltls + Vcs-Browser: https://salsa.debian.org/tcltk-team/tcltls +diff --git a/gen_dh_params b/gen_dh_params +index a423e62..952e443 100755 +--- a/gen_dh_params ++++ b/gen_dh_params +@@ -271,8 +271,8 @@ echo "*****************************" >&2 + echo "** Generating DH Primes. **" >&2 + echo "** This will take a while. **" >&2 + echo "*****************************" >&2 +-gen_dh_params_openssl && exit 0 +-gen_dh_params_remote && exit 0 ++#gen_dh_params_openssl && exit 0 ++#gen_dh_params_remote && exit 0 + gen_dh_params_fallback && exit 0 + + echo "Unable to generate parameters for DH of ${bits} bits" >&2 -- 2.30.2
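Review bot: the new debian/patches/use-predefined-dh-params.patch carries its own hunk against debian/control (removing "Build-Conflicts: openssl"), but the outer commit already removes that line from debian/control directly. A patch listed in debian/patches/series should only touch upstream files, and with the line already gone the inner debian/control hunk has nothing left to match when the series is applied. Suggest dropping that hunk and the "debian/control | 1 -" diffstat line from the patch file so that it changes gen_dh_params only, and trimming the patch description to the part about generation and download.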
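Review bot: in the gen_dh_params hunk, the two calls are commented out with no explanation in the script itself, and the banner directly above them still prints "Generating DH Primes" and "This will take a while", which no longer describes a run that goes straight to gen_dh_params_fallback. Suggest a short comment above the disabled lines stating the reason (no local generation and no download from a remote host at build time, with the Bug-Debian reference), and adjusting the banner to match. It would also help to say in the patch header that the package is now built with the predefined primes on purpose, so that a later refresh of the patch does not silently re-enable gen_dh_params_remote.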