1 |
On 12/28/20 3:56 AM, Michał Górny wrote: |
2 |
> Hello, developers and Gentoo LibreSSL team. |
3 |
> |
4 |
> TL;DR: is there really a point in continuing the never-ending always- |
5 |
> regressing struggle towards supporting LibreSSL in Gentoo? |
6 |
> |
7 |
> |
8 |
> I would like to discuss the possibility of discontinuing LibreSSL |
9 |
> support in Gentoo in favor of sticking with OpenSSL. Similarly how we |
10 |
> ended up deciding that fighting for libav was unpractical and the vast |
11 |
> majority of users are using ffmpeg (because they didn't really have |
12 |
> a choice), today it seems that LibreSSL is suffering the same fate. |
13 |
> |
14 |
> LibreSSL users, does LibreSSL today have any benefit over OpenSSL? |
15 |
> To be honest, I don't think so. In 2014, it might have represented |
16 |
> a new quality. But today, OpenSSL is alive and kicking, and LibreSSL |
17 |
> finds it hard to keep up. |
18 |
> |
19 |
> The vast majority of software is not tested against LibreSSL. While |
20 |
> patches are usually trivial and we have people that submit them, |
21 |
> I find many of them short-sighted. Just look at [1]. Sure, it fixes |
22 |
> the build today but it disabled the feature for all foreseeable future. |
23 |
> How likely is it that somebody will submit another patch reenabling it |
24 |
> with a future LibreSSL version? |
25 |
> |
26 |
> While normally I strongly prefer submitting such patches upstream, that |
27 |
> makes things even worse. I mean, I wouldn't be surprised if there were |
28 |
> dozens of packages today that are crippled with LibreSSL just because |
29 |
> somebody fixed the build in the past and never revisited the problem. |
30 |
> |
31 |
> This somewhat resembles running in circles. Packages kept being broken |
32 |
> with LibreSSL because rarely anyone is using it. And rarely anyone is |
33 |
> using LibreSSL because the apparent benefit (or lack thereof) does not |
34 |
> justify the constant breakage (plus invisible regressions). |
35 |
> |
36 |
> All this considered, provided that nobody is able to find a good reason |
37 |
> to use LibreSSL, I would like to propose that we stop patching |
38 |
> packages, discontinue support for it and last rite it. |
39 |
> |
40 |
> |
41 |
> [1] https://761981.bugs.gentoo.org/attachment.cgi?id=679892 |
42 |
> |
43 |
|
44 |
I'm the current project lead. I inherited it back in the day from |
45 |
hasufel. It originally had promise of being better than openssl with |
46 |
100% compatibility. I hung on because I trusted that team but it has |
47 |
become more of a hassle than its worth. I am in favor of removing it. |
48 |
If we decide to do so, how should we proceed? |
49 |
|
50 |
-- |
51 |
Anthony G. Basile, Ph.D. |
52 |
Gentoo Linux Developer [Hardened] |
53 |
E-Mail : blueness@g.o |
54 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
55 |
GnuPG ID : F52D4BBA |