
Re: Bug#754513: ITP: libressl -- SSL library, forked from OpenSSL



Hi,

Thomas Goirand:
> Well, I don't agree with this view. If LibreSSL pretends to be a
> replacement for OpenSSL, then they should care about being ABI
> compatible, so we can easily switch from one implementation to the
> other.

That depends. If the ABI in question includes calls or constants which are
the security equivalent of gets() or scanf("%s") or …, then no.

> As Kurt wrote, GNUTLS becomes a better alternative then.

Does gnutls have an openssl shim which actually works as a generic
replacement? I dimly recall a couple of not-so-nice incompatibilities …

> Therefore, I'd very much prefer if we used OpenSSL *or* LibreSSL, but not
> have the choice between the 2, otherwise, that's a recipe for disaster.
> 
Well …

> Please don't upload LibreSSL to Sid *ever*, unless we collectively
> decide that we are switching away from OpenSSL (and for which a
> discussion would have to start).
> 
… while IMHO it's possible to safely mix openssl and libressl if we prepare
for that (i.e. make sure that _everything_ in libressl is only exported 
with properly versioned symbols), again IMHO the time and effort required
for _that_ would be better spent evaluating the changes both projects made
and then deciding which of the two shall be in Debian.

Both efforts have started fairly recently, so it's kind of premature to do
that now; and while IANARTM (Release Team Member), transitioning the whole
of Debian to libressl closer to the release would not be a good idea even
if we decide it's (going to be) the better alternative.

-- 
-- Matthias Urlichs

