| 1 |
On 04/07/2015 12:06 AM, Paul B. Henson wrote: |
| 2 |
>> From: hasufell |
| 3 |
>> Sent: Sunday, April 05, 2015 4:34 AM |
| 4 |
>> |
| 5 |
>> However, openntpd still compiles with openssl. |
| 6 |
> |
| 7 |
> Well, the current stable openntpd in portage compiles with openssl but that's not surprising as it is ancient and predates libressl :). The current unstable openntpd actually has no ssl dependencies and needs neither openssl nor libressl to compile and function. It is the most recent upstream portable release that added an optional dependency on libressl for tls constraint functionality, that version is not yet in portage. It will work without libressl just as well as the current unstable openntpd does, you just won't have access to the new feature. So it's not really critical, but at some point it would be nice to get it working one way or the other. |
| 8 |
|
| 9 |
I was actually talking about the latest openntpd (5.7p4), but you are |
| 10 |
correct... there is no linkage to openssl. It compiles without the feature. |
| 11 |
|
| 12 |
So, users who want that feature have to: |
| 13 |
a) switch to libressl |
| 14 |
b) provide a patch to openssl upstream to include the feature |
| 15 |
c) maybe provide some other compatibility patch to openntpd upstream? |
| 16 |
|
| 17 |
This is the what improves the linux ecosystem, IMO. Downstream hackery |
| 18 |
does not. |
| 19 |
|
| 20 |
>> By that you are effectively forking libressl and causing a huge mess |
| 21 |
>> downstream for both developers and users. |
| 22 |
> |
| 23 |
> What are the downsides of the approach pkgsrc is tentatively taking, where there are no modifications to libressl but the libraries are installed in an alternative location? Packages that require libressl can just use the appropriate linker options to find those libraries rather than the openssl ones? |
| 24 |
> |
| 25 |
|
| 26 |
Because it breaks FHS. If you do embedded stuff or binpkg things, you'll |
| 27 |
probably do that on purpose. But that shouldn't be default, unless you |
| 28 |
build a proper abstraction layer to allow this system-wide, not just for |
| 29 |
one package. And then you already want to install NixOS, not gentoo... |
| 30 |
again: with the price of breaking FHS completely, which is not trivial. |
| 31 |
|
| 32 |
In addition, it will require patches to a lot of packages. I currently |
| 33 |
don't see a good reason to go through that pain. And I'm one of the few |
| 34 |
who actually work on those ebuilds, not just talk about them. |
| 35 |
|
| 36 |
>> worse. This is something that has to be resolved upstream. If they don't |
| 37 |
>> cooperate long-term, then their fork will just die out for sure (and for |
| 38 |
>> good). However, I currently don't see strong signs for that. |
| 39 |
> |
| 40 |
> I don't think their fork will ever die; even if no one outside of openbsd uses the portable version, it is now the official ssl provider for openbsd and I am sure will continue to be used by them as well as the portable versions of any of their other applications such as openntpd... |
| 41 |
> |
| 42 |
|
| 43 |
Well, if they really screw up openntpd for openssl users, then I expect |
| 44 |
there will be forks/alternatives. I can't really say how critical the |
| 45 |
feature is, but if it's a deal-breaker, then something has to happen. |
| 46 |
Our political voice in that situation would come from NOT fixing it |
| 47 |
downstream, but saying "no, neither openntpd nor libressl will get in |
| 48 |
here in that shape". Given that we've already been contacted to |
| 49 |
endorse/fund/support libressl, I guess we can try to play that card in |
| 50 |
worst case. But again: that's all weather forecast. |
| 51 |
|
| 52 |
|
| 53 |
On another note, the concerns of beaking proprietary software that |
| 54 |
bundles a crapload of broken and vulnerable libraries... is pretty thin |
| 55 |
IMO. I'm not even sure if we as a source distro should care that much |
| 56 |
about this use case to an extent that we break things at other places, |
| 57 |
just to support it. And, I haven't even seen a list of packages that |
| 58 |
would be affected. Worst case there will be an elog about it. |
| 59 |
|
| 60 |
|
| 61 |
I'd like to stick to actual problems for now. |
Archives