| 1 |
On Mon, 2020-12-28 at 09:56 +0100, Michał Górny wrote: |
| 2 |
> Hello, developers and Gentoo LibreSSL team. |
| 3 |
> |
| 4 |
> TL;DR: is there really a point in continuing the never-ending always- |
| 5 |
> regressing struggle towards supporting LibreSSL in Gentoo? |
| 6 |
> |
| 7 |
> |
| 8 |
> I would like to discuss the possibility of discontinuing LibreSSL |
| 9 |
> support in Gentoo in favor of sticking with OpenSSL. Similarly how we |
| 10 |
> ended up deciding that fighting for libav was unpractical and the vast |
| 11 |
> majority of users are using ffmpeg (because they didn't really have |
| 12 |
> a choice), today it seems that LibreSSL is suffering the same fate. |
| 13 |
> |
| 14 |
> LibreSSL users, does LibreSSL today have any benefit over OpenSSL? |
| 15 |
> To be honest, I don't think so. In 2014, it might have represented |
| 16 |
> a new quality. But today, OpenSSL is alive and kicking, and LibreSSL |
| 17 |
> finds it hard to keep up. |
| 18 |
> |
| 19 |
> The vast majority of software is not tested against LibreSSL. While |
| 20 |
> patches are usually trivial and we have people that submit them, |
| 21 |
> I find many of them short-sighted. Just look at [1]. Sure, it fixes |
| 22 |
> the build today but it disabled the feature for all foreseeable |
| 23 |
> future. |
| 24 |
> How likely is it that somebody will submit another patch reenabling it |
| 25 |
> with a future LibreSSL version? |
| 26 |
> |
| 27 |
> While normally I strongly prefer submitting such patches upstream, |
| 28 |
> that |
| 29 |
> makes things even worse. I mean, I wouldn't be surprised if there |
| 30 |
> were |
| 31 |
> dozens of packages today that are crippled with LibreSSL just because |
| 32 |
> somebody fixed the build in the past and never revisited the problem. |
| 33 |
> |
| 34 |
> This somewhat resembles running in circles. Packages kept being |
| 35 |
> broken |
| 36 |
> with LibreSSL because rarely anyone is using it. And rarely anyone is |
| 37 |
> using LibreSSL because the apparent benefit (or lack thereof) does not |
| 38 |
> justify the constant breakage (plus invisible regressions). |
| 39 |
> |
| 40 |
> All this considered, provided that nobody is able to find a good |
| 41 |
> reason |
| 42 |
> to use LibreSSL, I would like to propose that we stop patching |
| 43 |
> packages, discontinue support for it and last rite it. |
| 44 |
> |
| 45 |
> |
| 46 |
> [1] https://761981.bugs.gentoo.org/attachment.cgi?id=679892 |
| 47 |
> |
| 48 |
|
| 49 |
As someone who joined the LibreSSL project back in the days, I second |
| 50 |
this. The ROI given the breakages involved and, in many cases, |
| 51 |
downstream patch carrying just doesn't seem like a positive tradeoff. |
| 52 |
The idea was noble, but let's be honest: After 6 years, there's no end |
| 53 |
in sight, and we seem to be going nowhere. |
Archives