On Tuesday, 29 December 2020, 13:29:35 EET, Peter Stuge wrote:
> I agree completely that it's unreasonable for Gentoo (worse, 1 person!)
> to continuously patch the entire world for libressl.
>
> I'm asking to stop doing that, yet still enable the choice between
> openssl and libressl where that is possible without patches, even
> if that's only openntpd and one other package.
|
a) The two cannot be installed concurrently. To fix that would require even
more hacks.
-> all relevant ssl consumers on the user's system must be linked against the
one selected

b) The libraries are not guaranteed to be binary compatible, so switching
implementation requires rebuilding consumers. Especially since this is a
security-sensitive package.
-> all relevant ssl consumers on the user's system must be *built* against the
one selected
|
Which leads us to

c) If a single package that the user wants to install is not "fixed" for one
ssl library, it blocks that option for all packages.
-> horrible (but real and justified) emerge blockers and general hilarity ensue
|
I guess if you can come up with a solution that
* provides secure usage of the libraries,
* provides choice to the user, and
* doesn't lead to unupgradeable systems or unresolvable dependencies
we'd all be happier. So far we haven't found one.
|
--
Andreas K. Hüttel
dilfridge@g.o
Gentoo Linux developer
(council, qa, toolchain, base-system, perl, libreoffice)