<div dir="auto">Maybe a /usr location is better, as those snippets should not need to be user editable.<div dir="auto"><br></div><div dir="auto">Similarly we could ship an "openssl-enable-tls1.0" snippet.</div><div dir="auto"><br></div><div dir="auto">Somehow users find it easy to install/remove packages to enable/disable configuration.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 16 Jul 2020, 03:57 Dimitri John Ledkov, <<a href="mailto:xnox@ubuntu.com">xnox@ubuntu.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div><br><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 14 Jul 2020, 21:37 Kurt Roeckx, <<a href="mailto:kurt@roeckx.be" target="_blank" rel="noreferrer">kurt@roeckx.be</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Jul 14, 2020 at 06:22:50PM +0100, Dimitri John Ledkov wrote:<br>
> Package: libssl3<br>
> Version: 3.0.0~~alpha4-1<br>
> Severity: important<br>
> <br>
> Dear Maintainer,<br>
> <br>
> Please stop building legacy provider. None of the algorithms it<br>
> provides are useful, or needed at all.<br>
> <br>
> Please do not build it nor ship it. Those who need to access that,<br>
> can self build that code.<br>
> <br>
> Alternatively you may choose to provide legacy provider in a separate<br>
> binary package, but imho it must not enter testing or stable releases.<br>
<br>
Applications that want to use the legacy provider will need to<br>
be changed to load them. By default, the algorithms will not be<br>
available.<br>
<br>
I'm not sure that not shipping the file improves anything.<br></blockquote></div></div><div dir="auto"><br></div><div dir="auto">So that installing them automatically opts into using them: load them into the default context with config files, without changing applications.</div><div dir="auto"><br></div><div dir="auto">The openssl package could ship `.include /etc/ssl/providers.d/` in ssl.conf.</div><div dir="auto"><br></div><div dir="auto">Then libssl3-legacy and libssl3-fips could ship snippets in /etc/ssl/providers.d/*.conf that, upon installation, load those providers system-wide in the default context.</div><div dir="auto"><br></div><div dir="auto">Without changing applications, a simple purge/install of a package would disable/enable a provider and "make things work" (i.e. FIPS only, or legacy enabled, etc.).</div><div dir="auto"><br></div><div dir="auto">This would also open the way to GOST and SM9 providers.</div><div dir="auto"><br></div><div dir="auto">Regards,</div><div dir="auto"><br></div><div dir="auto">Dimitri.</div><div dir="auto"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
</blockquote></div></div></div>
</blockquote></div>
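Added example, not from the thread and not the Debian or Ubuntu openssl packaging: what the drop-in layout Dimitri sketches could look like as OpenSSL 3 configuration. The file paths, the package name libssl3-legacy and the section names (openssl_init, provider_sect, default_sect, legacy_sect) are assumptions for illustration; only the .include directive, the providers/activate keys and the legacy provider itself are real OpenSSL 3 features.

```ini
# --- /etc/ssl/openssl.cnf (would be shipped by the openssl package;
# path and section names are assumptions for this example) ---
openssl_conf = openssl_init

# Pull in every *.cnf / *.conf file from the drop-in directory. Included
# files are parsed as if their lines were written here, so a snippet can
# reopen [provider_sect] below and add a key to it.
.include /etc/ssl/providers.d/

[openssl_init]
providers = provider_sect

[provider_sect]
# As soon as any provider is activated explicitly, OpenSSL 3 stops loading
# the default provider implicitly. It must therefore be listed here, or
# every ordinary algorithm disappears the moment a snippet activates
# another provider.
default = default_sect

[default_sect]
activate = 1

# --- /etc/ssl/providers.d/legacy.conf (would be shipped by a hypothetical
# libssl3-legacy package; purging the package removes this file and with
# it the provider, with no application change) ---
[provider_sect]
legacy = legacy_sect

[legacy_sect]
activate = 1
```

To try the layout without touching the system files, write both files under a scratch directory, point the `.include` at that directory and run `OPENSSL_CONF=/path/to/openssl.cnf openssl list -providers`: with the snippet present the output lists both `default` and `legacy`, without it only `default`. The check a practitioner should keep in mind is that activating the legacy provider in the default library context re-enables its algorithms (MD4, RC4, DES, Blowfish and so on) for every application that uses the system configuration, which is why the snippet belongs in an optional package rather than in the base openssl.cnf.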