| 1 |
Am Dienstag, 29. Dezember 2020, 13:29:35 EET schrieb Peter Stuge: |
| 2 |
> I agree completely that it's unreasonable for Gentoo (worse, 1 person!) |
| 3 |
> to continuosly patch the entire world for libressel. |
| 4 |
> |
| 5 |
> I'm asking to stop doing that, yet still enable the choice between |
| 6 |
> openssl and libressl where that is possible without patches, even |
| 7 |
> if that's only openntpd and one other package. |
| 8 |
|
| 9 |
a) The two cannot be installed concurrently. To fix that would require even |
| 10 |
more hacks. |
| 11 |
-> all relevant ssl consumers on the user's system must be linked against the |
| 12 |
one selected |
| 13 |
|
| 14 |
b) The libraries are not guaranteed to be binary compatible, so switching |
| 15 |
implementation requires rebuilding consumers. Especially since this is a |
| 16 |
security-sensitive package. |
| 17 |
-> all relevant ssl consumers on the user's system must be *built* against the |
| 18 |
one selected |
| 19 |
|
| 20 |
Which leads us to |
| 21 |
|
| 22 |
c) If a single package that the user wants to install is not "fixed" for one |
| 23 |
ssl library, it blocks that option for all packages. |
| 24 |
-> horrible (but real and justified) emerge blockers and general hilarity ensue |
| 25 |
|
| 26 |
I guess if you can come up with a solution that |
| 27 |
* provides secure usage of the libraries, |
| 28 |
* provides choice to the user, and |
| 29 |
* doesn't lead to unupgradeable systems or unresolvable dependencies |
| 30 |
we'd all be happier. So far we haven't found one. |
| 31 |
|
| 32 |
-- |
| 33 |
Andreas K. Hüttel |
| 34 |
dilfridge@g.o |
| 35 |
Gentoo Linux developer |
| 36 |
(council, qa, toolchain, base-system, perl, libreoffice) |
Archives