On 5 April 2015 at 05:44, Paul B. Henson <henson@×××.org> wrote:
> I guess I'll just let this simmer for now and see how things develop. My
> preference (I think, at least at the moment) would be for both
> implementations to be able to coexist, like openssl and gnutls. It looks
> like that's the way it's heading in pkgsrc (the other place I'm
> maintaining openntpd), which should make things relatively simple there.
> If that's not going to be an option with Gentoo hopefully the best
> alternative will become clearer at some point ;).

The problem with that is that now you have to make sure that transitive
dependencies are still functional.

Since as you point out the two packages are vastly API compatible, it makes
them ABI incompatible and conflicting. The functions can have the same
name, and vastly the same parameters, but they may be using different size
for data, for instance. I pointed this out last year[1][2] already.

Symbol collision is a nasty problem because it's almost invisible as long
as the API/ABI is close enough, but for libraries like OpenSSL/LibreSSL,
this is a huge security risk, too.

[1] https://blog.flameeyes.eu/2014/07/libressl-drop-in-and-abi-leakage
[2] https://blog.flameeyes.eu/2014/07/libressl-and-the-bundled-libs-hurdle

Diego Elio Pettenò — Flameeyes
https://blog.flameeyes.eu/
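
The transitive-dependency check described in the message above, as an added example that is not part of the original e-mail: it walks a dependency graph and reports symbols that two loaded libraries both define, and which dependents end up bound to the library they were not linked against. Every object name, the graph and the export lists are constructed; it assumes breadth-first lookup order and unversioned symbols.

```python
from collections import defaultdict

# Constructed sample data, not taken from the message: DT_NEEDED edges as
# `readelf -d` lists them, and defined dynamic symbols as `nm -D` lists them.
NEEDED = {
    "ntpd-example": ["libtls-b.so", "libfetch-example.so"],
    "libtls-b.so": ["libssl-b.so"],
    "libfetch-example.so": ["libssl-a.so"],
}
EXPORTS = {
    "libssl-a.so": {"SSL_CTX_new", "SSL_read", "SSL_write", "a_only_example"},
    "libssl-b.so": {"SSL_CTX_new", "SSL_read", "SSL_write", "b_only_example"},
    "libtls-b.so": {"tls_wrapper_example"},
    "libfetch-example.so": {"fetch_example"},
}

def load_order(root, needed):
    """Breadth-first walk of DT_NEEDED (assumed symbol lookup order)."""
    order, queue = [], [root]
    while queue:
        obj = queue.pop(0)
        if obj not in order:
            order.append(obj)
            queue.extend(needed.get(obj, []))
    return order

def collisions(root, needed, exports):
    """Map each symbol defined by more than one loaded object to its providers,
    in lookup order; the first provider is the one every caller binds to."""
    providers = defaultdict(list)
    for obj in load_order(root, needed):
        for sym in sorted(exports.get(obj, ())):
            providers[sym].append(obj)
    return {s: objs for s, objs in providers.items() if len(objs) > 1}

def misbound(root, needed, exports):
    """Loaded objects linked against a library whose symbols are shadowed:
    {dependent: (linked_against, actually_bound_to)}."""
    out = {}
    for objs in collisions(root, needed, exports).values():
        winner, shadowed = objs[0], objs[1:]
        for obj in load_order(root, needed):
            for dep in needed.get(obj, []):
                if dep in shadowed:
                    out[obj] = (dep, winner)
    return out

if __name__ == "__main__":
    for sym, objs in collisions("ntpd-example", NEEDED, EXPORTS).items():
        print(f"{sym}: bound to {objs[0]}, shadows {objs[1:]}")
    print(misbound("ntpd-example", NEEDED, EXPORTS))
```

On a real system the two dictionaries would be filled from `readelf -d` and `nm -D --defined-only` output for each object in the closure.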