On Tue, 2020-12-29 at 14:57 +0100, m1027 wrote:
> > > On 29 Dec 2020, at 09:13, Marcel Schilling
> > > <marcel.schilling@××××××××××.de> wrote:
> > >
> > > I just want to comment that I switched to LibreSSL on several
> > > Gentoo systems years ago and never had any major issues. I run
> > > both desktop and server systems with LibreSSL, based on X and
> > > Wayland. The only issue I ran into was a slight lag of the
> > > overlay behind the main tree, so once in a while I had to mask a
> > > new version of some package for a week or so.
>
> Let me just come back on the different views here:
>
> @marcel: Exactly the same here. Smoothly running libressl on dozens
> of systems here, from embedded to ryzen servers, even on Gnome
> desktops. At least from the libressl *user's* perspective.
>
> sam:
>
> > TL;DR: [...libressl patches are...] just crippling functionality.
>
> @sam: From the perspective of libressl maintainers I have had a hard
> time reading this thread ;-) to learn that even security is supposed
> to be an issue with libressl today!? Aren't these crippling patches
> sometimes even helpful (see some apache patches) to crop unreliable
> extra features? I might be wrong here. Actually I'd prefer something
> 'boring' and stable on ssl over new features...
>
> Well, I cannot judge on the security issues in depth. From a short
> internet scan I don't see recent libressl issues but e.g. this one
> on openssl, https://www.openssl.org/news/vulnerabilities.html, only
> three weeks ago.
>
> Anyway, my personal conclusion on security:
>
> I once switched to libressl because of the heartbleed issue. If
> security is better with openssl these days, I'd of course switch
> back.

I can't say anything for sure but it is pretty clear that since
Heartbleed the level of auditing OpenSSL is receiving is much greater.
I honestly doubt that with its comparatively small user base LibreSSL
gets the same level of attention.

I don't really have the time or motivation to try to look for LibreSSL
security issues. But if there's no CVE for such a core package for two
years, it either means that it's really good, that it's practically
dead or that nobody is actually releasing CVEs for it.

> It might be worth having some warm explanations on the
> motivation in eselect NEWS, to help people out of the initial state
> of shock.

Of course a news item will be released once we determine the proper
course of action.

>
> > > So from a pure user perspective, this change would mean a risky
> > > update to systems running stable for years with no gain whatsoever.
>
> Coming back on the technical way to switch back to openssl:
>
> Thanks to Gentoo, isn't the switch back more or less something
> predictable like
>
> - removing libressl USE / CURL flags
>
> - download everything before compiling (emerge -f ...)
>
> - removing libressl, installing openssl, maybe wget then, followed
> by the rest?
>
> I plead for something that actually *works* as many systems will
> need that change here.
>

We are currently waiting for test results. We don't want to guess
without testing for sure.

--
Best regards,
Michał Górny