On Tue, 29 Dec 2020 23:34:36 +0000
Peter Stuge <peter@×××××.se> wrote:

> David Seifert wrote:
> > > Maybe because it is so well-known that monoculture is harmful per se,
> > > which is why the commitment to choice in Gentoo is very valuable.
> > >
> > > Further, LibreSSL comes out of the OpenBSD project, which has a good
> > > reputation on code quality.
> >
> > Like strong-arming 99% of the users of OpenSSH because they were
> > unwilling to port to the OpenSSL 1.1 API, fully well knowing that most
> > of the OpenSSH consuming world doesn't actually use libressl? How is
> > explicitly tying OpenSSH to libressl not a form of monoculture?
>
> Now we're properly off-topic :) but considering that OpenSSH is developed
> for OpenBSD and that openssh-portable is merely provided as a service to
> other systems it's easy to understand why OpenSSH (remember, part of OpenBSD)
> uses the libressl API for crypto, and why the -portable team is not so keen
> on maintaining patches for other crypto providers. Another example is systemd
> binding tightly to Linux. In both cases it's understandable, but also quite
> unfortunate; better portability would be better.

I don't have any strong opinions on either side of this argument, I
have 1 machine on LibreSSL that I would need to switch, but that is
not really a major issue for me.

As the person who has been doing a large percentage of the OpenSSH
ebuild maintenance for a couple of years now I feel I should
mention that while it was the case that OpenSSH would not work with
OpenSSL 1.1+ without a (rather large) patch in the past, that has not
been the case for some time now. Modern OpenSSH versions work fine with
modern OpenSSL versions.