From: Oliver Smeeton
Date: Mon, 4 Jan 2021 13:39:26 +0000
Subject: Re: [gentoo-dev] [News review v2] LibreSSL support discontinued
To: gentoo-dev@lists.gentoo.org
In-Reply-To: <44d6f59ed2ba7b7f3fa9043925b63065cbf1f7b9.camel@gentoo.org>
References: <78a7442c39dd552b0b13353db491c44d04945d51.camel@gentoo.org> <44d6f59ed2ba7b7f3fa9043925b63065cbf1f7b9.camel@gentoo.org>

You may want to update the Project:LibreSSL page to reflect the decision
to drop support for libressl. You could also add a news item to the
libressl package with instructions, or a link to instructions, for
migrating back to OpenSSL.

On Mon, 4 Jan 2021 at 09:22, Michał Górny <mgorny@gentoo.org> wrote:
> v2, with additional 'emerge --deselect':
> ---
> Title: LibreSSL support discontinued
> Author: Michał Górny <mgorny@gentoo.org>
> Posted: 202x-xx-xx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: dev-libs/libressl
>
> Starting 2021-02-01, Gentoo will no longer actively pursue supporting
> dev-libs/libressl as an alternative to dev-libs/openssl. While it will
> still be possible for expert users to use LibreSSL on their systems,
> we are only going to provide support for OpenSSL-based systems. Most
> importantly, we are no longer going to maintain downstream patches for
> LibreSSL support -- it will rely on either package upstreams merging
> such patches themselves, or LibreSSL upstream finally working towards
> better OpenSSL compatibility.
>
> On 2021-02-01, we will mask the relevant USE flags and packages. If you
> wish to continue using LibreSSL, you will be able to undo these masks
> for the time being. However, as packages drop patching for LibreSSL
> and the library is eventually removed from ::gentoo, it will become
> necessary to use the user-maintained LibreSSL overlay [1]. As long-term
> support for LibreSSL is not guaranteed, we recommend switching
> to OpenSSL instead. More information on removal can be found
> on the relevant bug [2].
>
> To switch before the aforementioned date, remove 'libressl' from your
> USE flags and CURL_SSL targets. Afterwards, it is recommended to
> prefetch all the necessary distfiles before proceeding with the system
> upgrade, in case wget(1) becomes broken in the process:
>
>     emerge --fetchonly dev-libs/openssl net-misc/wget
>     emerge --fetchonly --changed-use @world
>
> A --changed-use @world upgrade should automatically cause LibreSSL
> to be replaced by OpenSSL, and all affected packages to be rebuilt:
>
>     emerge --deselect dev-libs/libressl
>     emerge --changed-use @world
>
>
> LibreSSL was forked off OpenSSL in 2014 to address a number of
> problems with the original package. However, since then OpenSSL
> development gained speed and the original reasons for the fork no longer
> apply. Furthermore, LibreSSL started to repeatedly fall behind
> and cause growing compatibility problems. While initially these
> problems were related to packages using old/insecure OpenSSL APIs, today
> they are mostly related to LibreSSL missing newer OpenSSL APIs
> (yet declaring false compatibility with newer OpenSSL versions).
>
> With the little testing it gets, our developers and users had to put
> a significant effort into fixing upstream packages. In some cases
> (e.g. Qt), upstream has explicitly refused to support LibreSSL, forcing
> us to maintain the patches forever. This in turn means that
> security fixes, regular version bumps or end-user system upgrades are
> often delayed because of necessary LibreSSL patching. What is even
> worse, major runtime issues managed to sneak in that broke production
> systems running LibreSSL in the past.
>
> To the best of our knowledge, the only benefit LibreSSL has over OpenSSL
> right now is the additional libtls library. For this reason, we have
> packaged dev-libs/libretls which is a port of this library that links
> to OpenSSL.
>
> All these issues considered, we came to the conclusion that OpenSSL
> should remain the only supported production option for Gentoo systems.
> While the flexibility of Gentoo should make it possible to keep using
> LibreSSL going forward, the effort necessary to provide first-class
> official support for LibreSSL has proven to outweigh the benefit.
>
> [1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md
> [2] https://bugs.gentoo.org/762847
> ---
>
> --
> Best regards,
> Michał Górny
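The first step of the migration quoted above ("remove 'libressl' from your USE flags and CURL_SSL targets") is easy to get half right, e.g. by leaving the token in CURL_SSL. The following POSIX sh pre-flight check is an added example, not code from the thread or from Gentoo: it reports whether a make.conf-style file still enables libressl in USE or CURL_SSL and prints a cleaned copy. It assumes the variables are set on single lines starting with USE= or CURL_SSL= (the common make.conf layout), and it drops a variable that becomes empty after the edit so that the profile default applies; the make.conf contents are constructed sample input.

```shell
#!/bin/sh
# Added example (not part of the gentoo-dev thread): pre-flight check for the
# LibreSSL -> OpenSSL switch. Assumption: USE and CURL_SSL are set on single
# lines of the form USE="..." / CURL_SSL="..." in the inspected file.

# Return 0 (true) if the file still enables 'libressl' in USE or CURL_SSL.
# The token must be word-bounded, so an already-disabled '-libressl' does
# not count as enabled.
libressl_enabled() {
    grep -Eq '^(USE|CURL_SSL)="([^"]*[[:space:]])?libressl([[:space:]]|")' "$1"
}

# Print a copy of the file with the 'libressl' token removed from USE and
# CURL_SSL. A variable that becomes empty is dropped entirely, so the
# profile default for it applies (assumption: no other file sets it).
strip_libressl() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            USE=*|CURL_SSL=*)
                line=$(printf '%s\n' "$line" | sed \
                    -e 's/"libressl"/""/' \
                    -e 's/"libressl /"/' \
                    -e 's/ libressl"/"/' \
                    -e 's/ libressl / /')
                case "$line" in
                    *'=""') continue ;;
                esac
                ;;
        esac
        printf '%s\n' "$line"
    done < "$1"
}

# Constructed sample make.conf (not a real system's file).
SAMPLE_CONF="${TMPDIR:-/tmp}/make.conf.libressl-example.$$"
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF.cleaned"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample make.conf
CFLAGS="-O2 -pipe"
USE="bindist libressl -gnome X"
CURL_SSL="libressl"
EOF

# Demonstration: report, then show what the cleaned file would look like.
if libressl_enabled "$SAMPLE_CONF"; then
    echo "libressl is still enabled in $SAMPLE_CONF; cleaned version:"
    strip_libressl "$SAMPLE_CONF"
else
    echo "libressl not enabled in $SAMPLE_CONF"
fi
```

Run the check against /etc/portage/make.conf before the `emerge --fetchonly` step; if it still reports libressl as enabled, the `--changed-use @world` rebuild will not switch the affected packages to OpenSSL. The cleaned output is printed rather than written back, so review it before replacing the real file.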