Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL

To: Matthias Urlichs <matthias@urlichs.de>
Cc: debian-devel@lists.debian.org, 754513@bugs.debian.org
Subject: Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
From: Mike Hommey <mh@glandium.org>
Date: Sun, 13 Jul 2014 19:54:59 +0900
Message-id: <[🔎] 20140713105459.GA16846@glandium.org>
Mail-followup-to: Matthias Urlichs <matthias@urlichs.de>, debian-devel@lists.debian.org, 754513@bugs.debian.org
In-reply-to: <[🔎] 20140713061751.GA15420@smurf.noris.de>
References: <[🔎] 20140711220627.24261.14073.reportbug@spruce.wiehl.oeko.net> <20140712112547.GA17955@roeckx.be> <20140712115345.GA10308@spruce.wiehl.oeko.net> <[🔎] 20140712121513.GA18849@roeckx.be> <[🔎] 20140712124645.GB10308@spruce.wiehl.oeko.net> <[🔎] 53C20278.1010605@debian.org> <[🔎] 20140713061751.GA15420@smurf.noris.de>

On Sun, Jul 13, 2014 at 08:17:51AM +0200, Matthias Urlichs wrote:
> Hi,
> 
> Thomas Goirand:
> > Well, I don't agree with this view. If LibreSSL pretends to be a
> > replacement for OpenSSL, then they should care about being ABI
> > compatible, so we can easily switch from one implementation to the
> > other.
> 
> That depends. If the ABI in question includes calls or constants which are
> the security equivalent of gets() or scanf("%s") or …, then no.
> 
> > As Kurt wrote, GNUTLS becomes a better alternative then.
> 
> Does gnutls have an openssl shim which actually works as a generic
> replacement? I dimly recall a couple of not-so-nice incompatibilities …
> 
> > Therefore, I'd very much prefer if we used OpenSSL *or* LibreSSL, but not
> > have the choice between the 2, otherwise, that's a recipe for disaster.
> > 
> Well …
> 
> > Please don't upload LibreSSL to Sid *ever*, unless we collectively
> > decide that we are switching away from OpenSSL (and for which a
> > discussion would have to start).
> > 
> … while IMHO it's possible to safely mix openssl and libressl if we prepare
> for that (i.e. make sure that _everything_ in libressl is only exported 
> with properly versioned symbols)

Contrary to what you seem to believe, this only really works if *both*
libraries have versioned symbols. Otherwise, you can end up with
libraries linked against the unversioned one using symbols from the
versioned one at run time when both are loaded in the same address
space.

Mike

Reply to:

Follow-Ups:
- Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
  - From: "Bernhard R. Link" <brlink@debian.org>

References:
- Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
  - From: Toni Mueller <support@oeko.net>
- Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
  - From: Kurt Roeckx <kurt@roeckx.be>
- Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
  - From: Toni Mueller <toni@debian.org>
- Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
  - From: Thomas Goirand <zigo@debian.org>
- Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
  - From: Matthias Urlichs <matthias@urlichs.de>

Prev by Date: DD's cheat card (was Re: Bug#754416: makefs: FTBFS on mips: Must set MACHINE_ARCH to one of mipseb or mipsel)
Next by Date: Re: DD's cheat card (was Re: Bug#754416: makefs: FTBFS on mips: Must set MACHINE_ARCH to one of mipseb or mipsel)
Previous by thread: Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
Next by thread: Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL
Index(es):
- Date
- Thread