[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Bug#754513: RFP: libressl -- SSL library, forked from OpenSSL

On Mon, Oct 16, 2017 at 05:29:09PM +0100, Colin Watson wrote:

> > * Package name    : libressl
> Furthermore, the OpenSSL maintainers in Debian now want to drop their
> 1.0 compatibility packages, which the Debian OpenSSH packages rely on.
> I can't exactly fault them for wanting to reduce their maintenance
> burden, but it is going to put me in a very difficult position soon; and
> I assume that they don't actually want to break OpenSSH either.

Sounds like a great opportunity: the libressl package can fill the 1.0
API void left behind without libressl and openssl packages having to
conflict with each other (except possibly for the -dev packages).

Personally I think LibreSSL is in a much better shape than OpenSSL, and
despite fears of OpenBSD only caring about themselves, I have found that
it is easier to compile LibreSSL for various platforms (even non-POSIX
ones) than OpenSSL. And that APIs might be broken more easily by LibreSSL
is ridiculous, as it is OpenSSL iself that has changed its API in a
non-backwards compatible way that is now causing this discussion.

> The OpenSSH developers are starting to talk about bundling LibreSSL to
> avoid this problem [3], noting that OpenBSD and Apple already link
> OpenSSH against LibreSSL.  (Note that OpenSSH only uses libcrypto, not
> libssl, so while this has all the usual problems of bundling, the
> exposure isn't quite as horrific as it might first seem.)

I'd strongly favor having proper packages for LibreSSL. I'd happily
switch tinc over to depending on them instead of on OpenSSL packages.

>  * Take Kurt's patch to switch to the 1.1 API.  Fedora have done this.
>    I'm extremely reluctant to do this because it's a >3000-line patch
>    touching most of OpenSSH's cryptographic internals, which is bound to
>    produce lots of difficult conflicts on pretty much every new upstream
>    release.

If it was only needed temporarily until OpenSSH implemented OpenSSL 1.1
compatibility, I'd say fine, but if that's not going to happen, then I'd
avoid going down this road.

>  * Switch to PKIX-SSH, an OpenSSH fork with 1.1 support.  This fork adds
>    new features, making it a one-way transition.  With all due respect,
>    as far as I can tell it's a one-person fork with very limited uptake
>    compared to OpenSSH, and I don't think it would be wise to switch
>    Debian over to it.

I agree.

>  * Start a team to maintain an OpenSSL 1.1 compatibility layer myself.
>    Ingo Schwarze persuaded me on openssl-unix-dev that this was a bad
>    idea.  I would be happy if the OpenSSL developers carried this
>    forward as a proper project rather than just as an unversioned
>    tarball dump, but I'm not in a position to tell them what to do.

That sounds just as bad as maintaining a patch for OpenSSH to support
OpenSSL 1.1.

> Out of all of these, I think the option that I think has the fewest
> downsides overall is to convince people to package LibreSSL, but I'm not
> myself in a position to contribute to that effort.
> Does anyone have thoughts or other options, or want to help?

Since I'd be a user of it I'd be willing to help.

Met vriendelijke groet / with kind regards,
      Guus Sliepen <guus@debian.org>

Attachment: signature.asc
Description: PGP signature

Reply to: