1 |
You may want to update the Project:LibreSSL |
2 |
<https://wiki.gentoo.org/wiki/Project:LibreSSL> page to reflect the |
3 |
decision to drop support for libressl, also you could add a news item to |
4 |
the libressl package with instructions or a link to instructions for |
5 |
migrating back to Openssl. |
6 |
|
7 |
On Mon, 4 Jan 2021 at 09:22, Michał Górny <mgorny@g.o> wrote: |
8 |
|
9 |
> v2, with additional 'emerge --deselect': |
10 |
> --- |
11 |
> Title: LibreSSL support discontinued |
12 |
> Author: Michał Górny <mgorny@g.o> |
13 |
> Posted: 202x-xx-xx |
14 |
> Revision: 1 |
15 |
> News-Item-Format: 2.0 |
16 |
> Display-If-Installed: dev-libs/libressl |
17 |
> |
18 |
> Starting 2021-02-01, Gentoo will no longer actively pursue supporting |
19 |
> dev-libs/libressl as an alternative to dev-libs/openssl. While it will |
20 |
> still be possible for expert users to use LibreSSL on their systems, |
21 |
> we are only going to provide support for OpenSSL-based systems. Most |
22 |
> importantly, we are no longer going to maintain downstream patches for |
23 |
> LibreSSL support -- it will rely on either package upstreams merging |
24 |
> such patches themselves, or LibreSSL upstream finally working towards |
25 |
> better OpenSSL compatibility. |
26 |
> |
27 |
> On 2021-02-01, we will mask the relevant USE flags and packages. If |
28 |
> you |
29 |
> wish to continue using LibreSSL, you will be able to undo these masks |
30 |
> for the time being. However, as packages drop patching for LibreSSL |
31 |
> and the library is eventually removed from ::gentoo, it will become |
32 |
> necessary to use the user-maintained LibreSSL overlay [1]. As long- |
33 |
> term |
34 |
> support for LibreSSL is not guaranteed, we recommend switching |
35 |
> to OpenSSL instead. More information on removal can be found |
36 |
> on the relevant bug [2]. |
37 |
> |
38 |
> To switch before the aforementioned date, remove 'libressl' from your |
39 |
> USE flags and CURL_SSL targets. Afterwards, it is recommended to |
40 |
> prefetch all the necessary distfiles before proceeding with the system |
41 |
> upgrade, in case wget(1) becomes broken in the process: |
42 |
> |
43 |
> emerge --fetchonly dev-libs/openssl net-misc/wget |
44 |
> emerge --fetchonly --changed-use @world |
45 |
> |
46 |
> A --changed-use @world upgrade should automatically cause LibreSSL |
47 |
> to be replaced by OpenSSL, and all affected packages to be rebuilt: |
48 |
> |
49 |
> emerge --deselect dev-libs/libressl |
50 |
> emerge --changed-use @world |
51 |
> |
52 |
> |
53 |
> LibreSSL has been forked off OpenSSL in 2014 to address a number of |
54 |
> problems with the original package. However, since then OpenSSL |
55 |
> development gained speed and the original reasons for the fork no |
56 |
> longer |
57 |
> apply. Furthermore, LibreSSL started to repeatedly fall behind |
58 |
> and cause growing compatibility problems. While initially these |
59 |
> problems were related to packages using old/insecure OpenSSL APIs, |
60 |
> today |
61 |
> they are mostly related to LibreSSL missing newer OpenSSL APIs |
62 |
> (yet declaring false compatibility with newer OpenSSL versions). |
63 |
> |
64 |
> With the little testing it gets, our developers and users had to put |
65 |
> a significant effort into fixing upstream packages. In some cases |
66 |
> (e.g. Qt), upstream has explicitly refused to support LibreSSL, forcing |
67 |
> us to maintain the patches forever. This in turn means that |
68 |
> security fixes, regular version bumps or end-user system upgrades are |
69 |
> often delayed because of necessary LibreSSL patching. What is even |
70 |
> worse, major runtime issues managed to sneak in that broke production |
71 |
> systems running LibreSSL in the past. |
72 |
> |
73 |
> To the best of our knowledge, the only benefit LibreSSL has over |
74 |
> OpenSSL |
75 |
> right now is the additional libtls library. For this reason, we have |
76 |
> packaged dev-libs/libretls which is a port of this library that links |
77 |
> to OpenSSL. |
78 |
> |
79 |
> All these issued considered, we came to the conclusion that OpenSSL |
80 |
> should remain the only supported production option for Gentoo systems. |
81 |
> While the flexibility of Gentoo should make it possible to keep using |
82 |
> LibreSSL going forward, the effort necessary to provide first-class |
83 |
> official support for LibreSSL has proven to outweigh the benefit. |
84 |
> |
85 |
> [1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md |
86 |
> [2] https://bugs.gentoo.org/762847 |
87 |
> --- |
88 |
> |
89 |
> |
90 |
> |
91 |
> |
92 |
> -- |
93 |
> Best regards, |
94 |
> Michał Górny |
95 |
> |
96 |
> |
97 |
> |
98 |
> |