| 1 |
On 5 April 2015 at 05:44, Paul B. Henson <henson@×××.org> wrote: |
| 2 |
> I guess I'll just let this simmer for now and see how things develop. My |
| 3 |
> preference (I think, at least at the moment) would be for both |
| 4 |
> implementations to be able to coexist, like openssl and gnutls. It looks |
| 5 |
> like that's the way it's heading in pkgsrc (the other place I'm |
| 6 |
> maintaining openntpd), which should make things relatively simple there. |
| 7 |
> If that's not going to be an option with Gentoo hopefully the best |
| 8 |
> alternative will become clearer at some point ;). |
| 9 |
|
| 10 |
|
| 11 |
The problem with that is that now you have to make sure that transitive |
| 12 |
dependencies are still functional. |
| 13 |
|
| 14 |
Since as you point out the two packages are vastly API compatible, it makes |
| 15 |
them ABI incompatible and conflicting. The functions can have the same |
| 16 |
name, and vastly the same parameters, but they may be using different size |
| 17 |
for data, for instance. I pointed this out last year[1][2] already. |
| 18 |
|
| 19 |
Symbol collision is a nasty problem because it's almost invisible as long |
| 20 |
as the API/ABI is close enough, but for libraries like OpenSSL/LibreSSL, |
| 21 |
this is a huge security risk, too. |
| 22 |
|
| 23 |
[1] https://blog.flameeyes.eu/2014/07/libressl-drop-in-and-abi-leakage |
| 24 |
[2] https://blog.flameeyes.eu/2014/07/libressl-and-the-bundled-libs-hurdle |
| 25 |
|
| 26 |
Diego Elio Pettenò — Flameeyes |
| 27 |
https://blog.flameeyes.eu/ |
Archives