> > On 29 Dec 2020, at 09:13, Marcel Schilling
> > <marcel.schilling@××××××××××.de> wrote:
> >
> > I just want to comment that I switched to LibreSSL on several
> > Gentoo systems years ago and never had any major issues. I run
> > both desktop and server systems with LibreSSL, based on X and
> > Wayland. The only issue I ran into is a slight lag of the
> > overlay behind the main tree, so once in a while I had to mask a
> > new version of some package for a week or so.

Let me just come back on the different views here:

@marcel: Exactly the same here. Smoothly running libressl on dozens
of systems here, from embedded to ryzen servers, even on Gnome
desktops. At least from the libressl *user's* perspective.

sam:

> TL;DR: [...libressl patches are...] just crippling functionality.

@sam: From the perspective of libressl maintainers I have had a hard
time reading this thread ;-) to learn that even security is supposed
to be an issue with libressl today!? Aren't these crippling patches
sometimes even helpful (see some apache patches) to crop unreliable
extra features? I might be wrong here. Actually I'd prefer something
'boring' and stable on ssl over new features...

Well, I cannot judge on the security issues in depth. From a short
internet scan I don't see recent libressl issues but e.g. this one
on openssl, https://www.openssl.org/news/vulnerabilities.html, only
three weeks ago.

Anyway, my personal conclusion on security:

I once switched to libressl because of the heartbleed issue. If
security is better with openssl these days, I'd of course switch
back. It might be worth having some warm explanations on the
motivation in eselect NEWS, to help people out of the initial state
of shock.

> > So from a pure user perspective, this change would mean a risky update
> > to systems running stable for years with no gain whatsoever.

Coming back on the technical way to switch back to openssl:

Thanks to Gentoo, isn't the switch back more or less something
predictable like

- removing libressl USE / CURL flags

- download everything before compiling (emerge -f ...)

- removing libressl, installing openssl, maybe wget then, followed
  by the rest?

I plead for something that actually *works* as many systems will
need that change here.

Thanks
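The three steps sketched in the message above, written out as a small dry-run helper. This is an added example, not code from the thread or from Gentoo: the make.conf layout, the CURL_SSL variable, the package atoms and the emerge option sequence are assumptions about a typical setup. It rewrites a copy of make.conf to drop the libressl flags and prints the command plan without executing anything; the point of fetching first is that wget and curl may still be linked against libressl, so all downloads must be complete before it is unmerged.

```sh
#!/bin/sh
# Added example, not from the thread: a dry-run helper for the "switch back to
# openssl" steps. Paths, package atoms and the CURL_SSL variable name are
# assumptions about a typical Gentoo setup; nothing here runs emerge itself.
set -eu

# Rewrite a make.conf so that "libressl" is dropped from USE and CURL_SSL
# points at openssl. Reads the file given as $1, prints the result to stdout.
# Assumes one-line, double-quoted USE="..." and CURL_SSL="..." assignments
# (continuation lines with a trailing backslash are not handled).
strip_libressl_flags() {
    awk '
        /^USE=/ {
            if (match($0, /"[^"]*"/)) {
                val = substr($0, RSTART + 1, RLENGTH - 2)
                n = split(val, flag, " ")
                out = ""
                for (i = 1; i <= n; i++)
                    if (flag[i] != "libressl")
                        out = out (out == "" ? "" : " ") flag[i]
                print "USE=\"" out "\""
                next
            }
        }
        /^CURL_SSL=/ { print "CURL_SSL=\"openssl\""; next }
        { print }
    ' "$1"
}

# The ordered command plan. Fetching first matters: wget and curl may link
# against libressl, so every download must be complete before it is unmerged.
switch_plan() {
    cat <<'EOF'
emerge --fetchonly --changed-use --deep @world
emerge --deselect dev-libs/libressl
emerge --unmerge dev-libs/libressl
emerge --oneshot dev-libs/openssl
emerge --oneshot net-misc/wget net-misc/curl
emerge --changed-use --deep @world
EOF
}

# Usage: sh switch-back.sh /etc/portage/make.conf > make.conf.new
# Prints the rewritten config followed by the plan as comments; nothing runs.
if [ $# -ge 1 ]; then
    strip_libressl_flags "$1"
    echo "# planned commands, to be run by hand in this order:"
    switch_plan | sed 's/^/# /'
fi
```

Review the rewritten file before copying it over /etc/portage/make.conf, and keep the fetch step strictly before the unmerge: once libressl is gone, a downloader linked against it cannot fetch the openssl tarball it needs.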