#1023697 Make it clear that wolfssl is only for packages that cannot use openssl

#1023697#5
Date:
2022-11-08 19:56:31 UTC
From:
To:
wolfssl has no active maintainer, plenty of open security issues and we already
have too many TLS libraries in our releases. Keep it out of testing. I'm going
to file bugs against the handful of reverse deps.

Cheers,
        Moritz

#1023697#10
Date:
2022-11-08 20:54:46 UTC
From:
To:
Hi,

Sorry, I have been out ill, but please do what you think is right.

Kind regards
Felix

#1023697#15
Date:
2022-11-10 05:27:26 UTC
From:
To:
Hi,

FWIW, version 5.5.3-1 was accepted into the NEW queue.

Kind regards
Felix Lechner

#1023697#18
Date:
2022-11-10 21:45:57 UTC
From:
To:
As a new maintainer has stepped up, this cannot be the reason anymore to dump the package.
Actually, with the next version of swupdate (one of those handful) I wanted to switch from OpenSSL
to SWUpdate.

It would also be interesting for Debian's downstreams who take a different approach to combining
OpenSSL with GPL-2-only packages (licenses are incompatible, which Debian heals with the application
of the GPL-built-in system library exception). Ubuntu and probably others do not take the same stand
and wolfSSL is really the only TLS library that has a usable OpenSSL compatibility layer.

If it helps, I can support the new maintainer.

#1023697#23
Date:
2022-11-15 23:27:54 UTC
From:
To:
Hi,

I also just uploaded a backport for bullseye.

Kind regards,
Felix Lechner

#1023697#28
Date:
2022-11-16 14:27:53 UTC
From:
To:
We're glad to hear there's a new maintainer.

OSADL is supporting Bastian with his work on SWUpdate. Quite a few of
our members are concerned about the license incompatibility issue
mentioned above. Therefore, there is considerable interest in using
WolfSSL as an alternative to OpenSSL in SWUpdate (and other packages).

Greetings,
	Jan

#1023697#33
Date:
2022-11-25 12:25:05 UTC
From:
To:
It would be great to address the CVEs with patches on 4.6.0+p1-0+deb11u1.
This would actually be helpful and will maybe convince the Security Team to keep wolfSSL in bookworm.
I am not able to identify the fixes for the CVEs quickly but I see that Jacob is affiliated with wolfSSL Inc.
so he is probably better equipped to do so. Jacob, would you please do those CVE fix backports?

#1023697#38
Date:
2022-11-28 21:18:50 UTC
From:
To:
Thanks Bastian, will take a look at adding the patches on 4.6.0+p1-0+deb11u1.

#1023697#43
Date:
2022-12-09 04:35:05 UTC
From:
To:
Hi,

A proposed update for the 11.6 point release of bullseye, which is
scheduled for next weekend, was filed with the release team. [1] They
were also contacted for guidance via IRC.

Kind regards
Felix Lechner

[1] https://bugs.debian.org/1025789

cc: Security Team

#1023697#48
Date:
2022-12-16 06:31:25 UTC
From:
To:
As there is no real plan to provide QUIC support in OpenSSL 3 and the
performance regressions of OpenSSL 3 are quite important, I may also
switch HAProxy to WolfSSL.

#1023697#53
Date:
2022-12-20 22:07:40 UTC
From:
To:
On Wed, Nov 16, 2022 at 03:27:53PM +0100, Jan Altenberg wrote:

OSADL can relicense swupdate to GPL-2.0+ or GPL3.0 to address this,
has that been considered/is it being worked on?

Cheers,
        Moritz

#1023697#58
Date:
2022-12-27 23:59:27 UTC
From:
To:
Hi,

I uploaded version 5.5.4-1, which was released last week, to the archive.

Kind regards
Felix Lechner

#1023697#63
Date:
2023-01-17 09:19:46 UTC
From:
To:
Can this be closed?  Are there any action items remaining for this bug?

I am still getting messages that packages depending on wolfssl are
"marked for autoremoval from testing on 2023-01-27"

Thank you.  Glenn

#1023697#66
Date:
2023-02-05 22:16:27 UTC
From:
To:
Control: severity -1 important
Control: retitle -1 Make it clear that wolfssl is only for packages that cannot use openssl

After some more messages with Moritz, wolfssl can be kept in bookworm under some conditions.
It must only be used in packages that cannot use openssl so that people can harden their
openssl setup and most packages are affected.

wolfssl's debian/README.Debian file should prominently state something like the following:
"wolfSSL is solely provided as an alternative to OpenSSL for packages whose licenses are incompatible with Apache-2.0."

Please make sure to edit that file before bookworm is released.
Maybe the package description should contain this as well.

#1023697#75
Date:
2023-02-06 15:14:27 UTC
From:
To:
We believe that the bug you reported is fixed in the latest version of
wolfssl, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1023697@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Felix Lechner <felix.lechner@lease-up.com> (supplier of updated wolfssl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

Format: 1.8
Date: Mon, 06 Feb 2023 06:41:53 -0800
Source: wolfssl
Architecture: source
Version: 5.5.4-2
Distribution: unstable
Urgency: medium
Maintainer: Jacob Barthelmeh <sirkilamole@msn.com>
Changed-By: Felix Lechner <felix.lechner@lease-up.com>
Closes: 1023697 1030634
Changes:
 wolfssl (5.5.4-2) unstable; urgency=medium
 .
   * Clarify in README.Debian and in the package descriptions that wolfssl is
     only for packages that cannot use openssl. (Closes: #1023697)
   * Drop d/salsa-ci.yml. (Closes: #1030634)

#1023697#88
Date:
2025-12-16 15:27:12 UTC
From:
To:
Please note that the two latest wolfssl releases are licensed under
GPL-3+. So the software set that can use this as an OpenSSL (which is
licensed under Apache-2 nowadays) replacement is empty now.

So the only allowed use case regulated by this bug, originating from the
Release Team's requirement, is not applicable anymore. I am writing this
to notify the Release Team about the change.

The only package depending on wolfssl that does not have an alternative
implemented with OpenSSL is vdeplug-agno currently. kamailio and
lighttpd can just drop their wolfssl-built binary packages.

#1023697#93
Date:
2026-03-23 18:02:39 UTC
From:
To:
Upstream grants GPL-2 via exceptions for specific free software, so the
allowed use case is not void anymore. I have switched swupdate to build
with wolfssl again.

#1023697#98
Date:
2026-05-30 00:38:32 UTC
From:
To:
I am going to move away from wolfssl for swupdate. This was
brought up again because wolfssl does not publish stable updates.
Also, I will no longer NMU-maintain this package, so the state is the
same as when the bug was filed.