lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 9 Jun 2022 12:04:56 -0700
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     Sedat Dilek <sedat.dilek@...il.com>
Cc:     Kees Cook <keescook@...omium.org>, keyrings@...r.kernel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Salvatore Bonaccorso <carnil@...ian.org>,
        David Woodhouse <dwmw2@...radead.org>,
        David Howells <dhowells@...hat.com>,
        Tasmiya Nalatwad <tasmiya@...ux.vnet.ibm.com>,
        James Bottomley <James.Bottomley@...senpartnership.com>
Subject: Re: [Linux v5.17.9] -Wdeprecated-declarations warnings with LLVM-14
 and OpenSSL v3.0.x

On Thu, Jun 9, 2022 at 11:41 AM Sedat Dilek <sedat.dilek@...il.com> wrote:
>
> Why go back and forth... do it like Alexander the Great and the Gordian knot.
>
> Sword - Swash - Done.
>
> commit 6bfb56e93bcef41859c2d5ab234ffd80b691be35
> "cert host tools: Stop complaining about deprecated OpenSSL functions"

Well, it's not like that is the *right* fix.

But I think for now, the answer is "leave it like that until we can
just get rid of the ENGINE API entirely".

I absolutely detest the "deprecation" warnings. We used to do that in
the kernel too, and it was a complete disaster. The warnings are very
noisy, and nobody ever cares about them, so it's simply not worth it.

So we deprecated "__deprecated" in the kernel itself:

  771c035372a0 deprecate the '__deprecated' attribute warnings
entirely and for good

and I don't think we should care about it when it comes to OpenSSL either.

Eventually, that deprecated interface will go away entirely, and by
then we hopefully don't care about really old openssl implementations
and will have gotten rid of the uses.

But for now, I think putting our head in the sand is actually the
_better_ model rather than fighting some battle over old vs new
libraries.

Because sometimes, if you ignore a problem, it really does just go away.

                  Linus

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ