On 09/06/2018 10:22, Lars Wendler wrote:
> Hello dear Gentoo Devs,
>
> this is somewhat written out of frustration so please bear with me ;)
>
> CCing crypto@ in case they can provide some valuable input to the
> topic. If not, sorry guys for wasting your time.
>
> As you might have noticed, although being published back in August
> 2016, we still have openssl-1.1 in package.mask due to the numerous
> build issues we still have with various packages[1] that use openssl.
>
> "Why is that so?" do I hear you asking. "Debian already switched over
> to openssl-1.1 months ago."
>
> Well... they did not entirely switch yet. There are still packages that
> are being compiled/linked against openssl-1.0 in Debian because their
> respective upstreams refuse to collaborate.
>
> The most prominent example is openssh[2], which also is the reason that
> this topic gives me so much frustration. They simply refuse to add
> compatibility code for openssl-1.1 because openssl upstream did such a
> silly move with making lots of interfaces opaque and making openssl-1.1
> mostly incompatible with code written against older openssl versions.
>
> This and the fact that you can build openssl-1.1 with three different
> API versions (0.9.8, 1.0.0 and 1.1.0) makes it exceptionally hard for
> openssl consumers to migrate their code to openssl-1.1.
>
> openssh upstream even raised the idea to simply focus crypto support in
> their software on libressl, which I personally think is a really bad
> move. But coming from the same people (openssh and libressl are both
> developed by OpenBSD people), it's no big surprise this idea came up at
> some point.

Is libressl providing an API that is less silly and somehow compatible
with applications using the openssl-1.1 API?

Do we have an openssh alternative that is interoperable AND usable?

Is it possible to have the never-libressl software use another
TLS/crypto provider?

lu