| 1 |
On Mon, 2021-01-04 at 21:48 +0100, Michał Górny wrote: |
| 2 |
> On Mon, 2021-01-04 at 20:59 +0100, Ulrich Mueller wrote: |
| 3 |
> > > > > > > On Mon, 04 Jan 2021, Michał Górny wrote: |
| 4 |
> > |
| 5 |
> > > Starting 2021-02-01, Gentoo will discontinue supporting |
| 6 |
> > > dev-libs/libressl as an alternative to dev-libs/openssl. While it |
| 7 |
> > > will |
| 8 |
> > |
| 9 |
> > > [...] |
| 10 |
> > |
| 11 |
> > > On 2021-02-01, we will mask the relevant USE flags and packages. |
| 12 |
> > > If |
| 13 |
> > > you |
| 14 |
> > |
| 15 |
> > > [...] |
| 16 |
> > |
| 17 |
> > > necessary to use the user-maintained LibreSSL overlay [1]. As |
| 18 |
> > > long- |
| 19 |
> > > term |
| 20 |
> > |
| 21 |
> > > [...] |
| 22 |
> > |
| 23 |
> > > development gained speed and the original reasons for the fork no |
| 24 |
> > > longer |
| 25 |
> > |
| 26 |
> > > [...] |
| 27 |
> > |
| 28 |
> > > problems were related to packages using old/insecure OpenSSL APIs, |
| 29 |
> > > today |
| 30 |
> > |
| 31 |
> > > [...] |
| 32 |
> > |
| 33 |
> > > To the best of our knowledge, the only benefit LibreSSL has over |
| 34 |
> > > OpenSSL |
| 35 |
> > |
| 36 |
> > This has some strange line breaks now. Please fix. |
| 37 |
> |
| 38 |
> It's just my stupid mail client, please disregard that. |
| 39 |
> |
| 40 |
|
| 41 |
Anyway, the correct paste: |
| 42 |
|
| 43 |
--- |
| 44 |
Title: LibreSSL support discontinued |
| 45 |
Author: Michał Górny <mgorny@g.o> |
| 46 |
Posted: 202x-xx-xx |
| 47 |
Revision: 1 |
| 48 |
News-Item-Format: 2.0 |
| 49 |
Display-If-Installed: dev-libs/libressl |
| 50 |
|
| 51 |
Starting 2021-02-01, Gentoo will discontinue supporting |
| 52 |
dev-libs/libressl as an alternative to dev-libs/openssl. While it will |
| 53 |
still be possible for expert users to use LibreSSL on their systems, |
| 54 |
we are only going to provide support for OpenSSL-based systems. Most |
| 55 |
importantly, we are no longer going to maintain downstream patches for |
| 56 |
LibreSSL support -- it will rely on either package upstreams merging |
| 57 |
such patches themselves, or LibreSSL upstream finally working towards |
| 58 |
better OpenSSL compatibility. |
| 59 |
|
| 60 |
On 2021-02-01, we will mask the relevant USE flags and packages. If you |
| 61 |
wish to continue using LibreSSL, you will be able to undo these masks |
| 62 |
for the time being. However, as packages drop patching for LibreSSL |
| 63 |
and the library is eventually removed from ::gentoo, it will become |
| 64 |
necessary to use the user-maintained LibreSSL overlay [1]. As long-term |
| 65 |
support for LibreSSL is not guaranteed, we recommend switching |
| 66 |
to OpenSSL instead. More information on removal can be found |
| 67 |
on the relevant bug [2]. |
| 68 |
|
| 69 |
To switch before the aforementioned date, remove 'libressl' from your |
| 70 |
USE flags and CURL_SSL targets. Afterwards, it is recommended to |
| 71 |
prefetch all the necessary distfiles before proceeding with the system |
| 72 |
upgrade, in case wget(1) becomes broken in the process: |
| 73 |
|
| 74 |
emerge --fetchonly dev-libs/openssl net-misc/wget |
| 75 |
emerge --fetchonly --deep --changed-use @world |
| 76 |
|
| 77 |
A --changed-use @world upgrade should automatically cause LibreSSL |
| 78 |
to be replaced by OpenSSL, and all affected packages to be rebuilt: |
| 79 |
|
| 80 |
emerge --deselect dev-libs/libressl |
| 81 |
emerge --changed-use --deep @world |
| 82 |
|
| 83 |
|
| 84 |
LibreSSL has been forked off OpenSSL in 2014 to address a number of |
| 85 |
problems with the original package. However, since then OpenSSL |
| 86 |
development gained speed and the original reasons for the fork no longer |
| 87 |
apply. Furthermore, LibreSSL started to repeatedly fall behind |
| 88 |
and cause growing compatibility problems. While initially these |
| 89 |
problems were related to packages using old/insecure OpenSSL APIs, today |
| 90 |
they are mostly related to LibreSSL missing newer OpenSSL APIs |
| 91 |
(yet declaring false compatibility with newer OpenSSL versions). |
| 92 |
|
| 93 |
With the little testing it gets, our developers and users had to put |
| 94 |
a significant effort into fixing upstream packages. In some cases |
| 95 |
(e.g. Qt), upstream has explicitly refused to support LibreSSL, forcing |
| 96 |
us to maintain the patches forever. This in turn means that |
| 97 |
security fixes, regular version bumps or end-user system upgrades are |
| 98 |
often delayed because of necessary LibreSSL patching. What is even |
| 99 |
worse, major runtime issues managed to sneak in that broke production |
| 100 |
systems running LibreSSL in the past. |
| 101 |
|
| 102 |
To the best of our knowledge, the only benefit LibreSSL has over OpenSSL |
| 103 |
right now is the additional libtls library. For this reason, we have |
| 104 |
packaged dev-libs/libretls which is a port of this library that links |
| 105 |
to OpenSSL. |
| 106 |
|
| 107 |
All these issues considered, we came to the conclusion that OpenSSL |
| 108 |
should remain the only supported production option for Gentoo systems. |
| 109 |
While the flexibility of Gentoo should make it possible to keep using |
| 110 |
LibreSSL going forward, the effort necessary to provide first-class |
| 111 |
official support for LibreSSL has proven to outweigh the benefit. |
| 112 |
|
| 113 |
[1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md |
| 114 |
[2] https://bugs.gentoo.org/762847 |
| 115 |
|
| 116 |
--- |
| 117 |
|
| 118 |
-- |
| 119 |
Best regards, |
| 120 |
Michał Górny |
Archives