Switch hashing from openssl to libsodium, drop openssl dependency #5681
Conversation
|
Dropping MD5 or SHA1 is not an option because it would make it impossible to build old Nixpkgs versions. |
|
Note that we used to have our own copy of MD5 and SHA1 in-tree (removed in a6ca68a), so we could restore those. |
|
Thanks, I'll look into it. |
This commit partially reverts a6ca68a, reviving in-tree implementations of MD5 and SHA-1, but not SHA-256. For SHA-256 and SHA-512, libsodium implementations are used.
t184256
force-pushed
the
openssl-to-libsodium
branch
from
7faea7a
to
4b34ab4
Compare
t184256
changed the title
|
OK, taking the suggested mix-and-match way of restoring bundled SHA-1/MD5, but using SHA-2 from libsodium. Removing Draft because in this form it doesn't sound too scary to land. Do we have at least some plans to retire MD5/SHA-1? Gate them behind a config option and flip it to 0 in Nix 3.0, maybe? |
|
re CI failure: |
|
@t184256 Yes, you can ignore that. |
|
Unfortunately this slows down hashing a lot (except for md5). Tested on a 2.9 GiB file, before: After: Especially sha256 is critical, we can't slow it down. Edit: it appears that libsodium doesn't have SSE/AVX-optimized versions of sha256/sha512. |
|
It's also worth noting that dropping the openssl dependency in itself does not reduce Nix's closure size, since libcurl still depends on it. |
|
Sigh. OK, I tried =) Feel free to close it for the better times. |
|
Yeah, I've noticed that, but that depends on what libcurl's compiled with. For my purposes, I was going to switch libcurl to something else as well. |
|
I marked this as stale due to inactivity. → More info |
If anybody's interested in dropping the openssl dependency in favor of libsodium, here's my attempt at it.
Marking as a draft because libsodium doesn't have MD5 and SHA-1, so we'd have to deprecate them first.