1 |
On Mon, 2020-12-28 at 22:00 +0000, Peter Stuge wrote: |
2 |
> Michał Górny wrote: |
3 |
> > I would like to discuss the possibility of discontinuing LibreSSL |
4 |
> > support in Gentoo in favor of sticking with OpenSSL. |
5 |
> |
6 |
> I think that's a horrible idea, since Gentoo is about choice and this |
7 |
> particular component is one of the most important in a system. |
8 |
> |
9 |
> But "support" can mean different things... |
10 |
> |
11 |
> |
12 |
> > LibreSSL users, does LibreSSL today have any benefit over OpenSSL? |
13 |
> |
14 |
> Yes, at least two: |
15 |
> |
16 |
> A. It is a distinct implementation with probably /quite some/ stable |
17 |
> compatibility, meaning that it will work perfectly fine as an |
18 |
> alternative in many cases. |
19 |
|
20 |
Except that it doesn't, as has been proven numerous times. |
21 |
|
22 |
> |
23 |
> B. It brings its own TLS API, a unique feature which by itself |
24 |
> warrants |
25 |
> the package. |
26 |
|
27 |
...which by itself has no future and only means some people will create |
28 |
less portable applications and then regret it. |
29 |
|
30 |
> |
31 |
> |
32 |
> > All this considered, provided that nobody is able to find a good |
33 |
> > reason |
34 |
> > to use LibreSSL, I would like to propose that we stop patching |
35 |
> > packages, discontinue support for it and last rite it. |
36 |
> |
37 |
> There is no reason at all to do all three of those atomically: |
38 |
> |
39 |
> 1. Stop patching packages to make them build also against libressl |
40 |
> 2. Stop maintaining libressl-*.ebuild |
41 |
> 3. package.mask |
42 |
> |
43 |
> I think the complaint is really only about 1. and I can understand |
44 |
> that the effort here outweighs the perceived benefit, that's fine, |
45 |
> I don't think it's the responsibility of Gentoo developers to patch |
46 |
> the world to build also against libressl. |
47 |
> |
48 |
> But as long as a single package can be built with either openssl or |
49 |
> libressl without changes I consider it appropriate to maintain both |
50 |
> libressl ebuilds and either virtual/openssl or another way to decide |
51 |
> system-wide to use libressl instead of openssl. This remains very |
52 |
> valuable especially for non-releng stages. |
53 |
> |
54 |
> More elaborate OpenSSL API users can (arguably should) just block on |
55 |
> libressl instead of requiring patch work. |
56 |
|
57 |
It's all nice theory but in practice it means that nobody will be able |
58 |
to install libressl because some important system packages will block |
59 |
it. So we'd effectively waste our users' time pretending that we do |
60 |
support LibreSSL, while anyone actually trying it will hit a brick |
61 |
wall. |
62 |
|
63 |
This sounds like the argument 'let's not remove broken packages, people |
64 |
can read the 5 page forum thread on how to get them to work, |
65 |
somewhat!'. |
66 |
|
67 |
-- |
68 |
Best regards, |
69 |
Michał Górny |