| 1 |
On Tue, Dec 29, 2020 at 02:57:12PM +0100, m1027 wrote: |
| 2 |
> > > On 29 Dec 2020, at 09:13, Marcel Schilling |
| 3 |
> > > <marcel.schilling@××××××××××.de> wrote: |
| 4 |
> > > |
| 5 |
> > > I just want to comment that I switched to LibreSSL on several |
| 6 |
> > > Gentoo systems years ago and never had any major issues. I run |
| 7 |
> > > both desktop and server systems with LibreSSL, based on X and |
| 8 |
> > > Wayland. The only issues I ran into is a slight lag of the |
| 9 |
> > > overlay behind the main tree so once in a while I had to mask a |
| 10 |
> > > new version of some package for a week or so. |
| 11 |
> |
| 12 |
> Let me just come back on the different views here: |
| 13 |
> |
| 14 |
> @marcel: Exactly the same here. Smoothly running libressl on dozens |
| 15 |
> of systems here, from embedded to ryzen servers, even on Gnome |
| 16 |
> desktops. At least from the libressl *user's* perspective. |
| 17 |
> |
| 18 |
> sam: |
| 19 |
> |
| 20 |
> > TL;DR: [...libressl patches are...] just crippling functionality. |
| 21 |
> |
| 22 |
> @sam: From the perspective of libressl maintainers I have had a hard |
| 23 |
> time reading this thread ;-) to learn that even security is supposed |
| 24 |
> to be an issue with libressl today!? Aren't these crippling patches |
| 25 |
> sometimes even helpful (see some apache patches) to crop unreliable |
| 26 |
> extra features? I might be wrong here. Actually I'd prefer something |
| 27 |
> 'boring' and stable on ssl over new features... |
| 28 |
> |
| 29 |
> Well, I cannot judge on the security issues in depth. From a short |
| 30 |
> internet scan I don't see recent libressl issues but e.g. this one |
| 31 |
> on openssl, https://www.openssl.org/news/vulnerabilities.html, only |
| 32 |
> three weeks ago. |
| 33 |
|
| 34 |
That particular vulnerability (CVE-2020-1971) affects both libressl and openssl, and |
| 35 |
Gentoo has bugs for both. |
| 36 |
|
| 37 |
https://bugs.gentoo.org/759079 |
| 38 |
https://bugs.gentoo.org/759175 |
| 39 |
|
| 40 |
The openssl bug has been fixed, but the libressl bug remains open, |
| 41 |
despite both being opened within two days of each (and now existing |
| 42 |
for several weeks). |
Archives