
Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
Hi Kurt,

[ I have trimmed the Cc list - we are all on devel@, anyway, right? ]

On Sat, Jul 12, 2014 at 02:15:13PM +0200, Kurt Roeckx wrote:
> On Sat, Jul 12, 2014 at 01:53:45PM +0200, Toni Mueller wrote:
> > On Sat, Jul 12, 2014 at 01:25:47PM +0200, Kurt Roeckx wrote:
> > > What are you doing with the binaries, include files, man pages,
> > > ...?  Will they conflict with the ones from openssl?
> > 
> > my intention is to package this stuff so one can have both openssl and
> > libressl installed in parallel. libressl currently has libraries with
> > these sonames:
> > 
> > libssl.so.26
> > libcrypto.so.29
> 
> I don't really like it, since it could potentially clash with
> the ones provided by openssl.  But it seems unlikely that openssl
> will ever use that as soname.
> 
> I had the feeling openbsd didn't care much about ABI stability,
> and that being at 26 and 29 already doesn't give me a good feeling
> either.  I hope you don't have to go and change the binary package
> names each time you upload a new version.

Actually, these version numbers typically correspond with the version
numbers in the rest of their system. As libressl is currently under
heavy development, it is imho not to be expected to have that stable ABI
you are asking for. OTOH, one guy already switched his entire Linux
system over, so far with no visible adverse effects.

> I was never very happy with it either.  But it has very recently
> changed, and I think it's going in the right direction.  I'm now
> also in the openssl development team.

Good. That does help to improve my trust with it.

> I'm not really sure what you mean by this.  I'm pretty sure the
> openssl development team has a pretty good understanding of
> security and I don't see anybody adding a backdoor in it.

Ok, but for whatever reason, they have, imho, a not-as-shiny track
record as OpenBSD has. Which is no wonder, given all the revelations we
have had recently, but hey, sometimes one has to make a decision.

> > FWIW, I have well over a decade of very good experience with OpenBSD
> 
> Not everybody has the same experience with them.

Yes. Not everybody has an intention to use LibreSSL, either, but
regarding crypto, they usually know their stuff well above average. See
e.g. their OpenSSH, which has seen very widespread adoption.

> I think GnuTLS is actually a better alternative and wish there
> were more people developing and using it.

But developing GnuTLS is a full-time job, and then there's the control
problem with the FSF - you are certainly aware of the problems the
original upstream ran into when he wanted to break loose from the FSF
(for a reason I have forgotten). LibreSSL is a much lower-hanging fruit,
as it is supposed to be mostly, or entirely, plug-compatible with
OpenSSL. To me, the playing field largely looks like this atm:

 * GnuTLS, with an API incompatible with OpenSSL, thus requiring huge
   amounts of work to make significant use of it.
 * MatrixSSL, which once had a dubious license, and which still did not
   come out too well in the SSL lib comparison I recently saw (see the
   list archive),
 * the now newly staffed OpenSSL project, with their mixed track
   record (e.g. "FIPS"), and now
 * LibreSSL, which sounds much like an OpenSSL on a diet, and with some
   exercise, and promising thrust behind it, but mostly simply a
   drop-in.

And I guess the BoringSSL people will chime in sooner or later, too...


Kind regards,
--Toni++