On Mon, Oct 16, 2017 at 10:21:10PM -0400, Michael Stone wrote:
> On Tue, Oct 17, 2017 at 12:05:30AM +0200, Guus Sliepen wrote:
> > despite fears of OpenBSD only caring about themselves, I have found that
> > it is easier to compile LibreSSL for various platforms (even non-POSIX
> > ones) than OpenSSL. And that APIs might be broken more easily by LibreSSL
> > is ridiculous, as it is OpenSSL itself that has changed its API in a
> > non-backwards compatible way that is now causing this discussion.
> It is not ridiculous to point out that LibreSSL is released every six months
> and supported for one year after release, while OpenSSL is supported for at
> least 2 years, and 5 years for LTS releases.
That is certainly not ridiculous. But, I had a look at the release plan
for OpenSSL at https://www.openssl.org/policies/releasestrat.html, and
it seems there only is one LTS release, namely 1.0.2, which will be
supported until the very end of 2019. 1.1.0 is only supported until
September 2018. In that context it is strange that we switched to 1.1.0
in stretch already. Let's hope there is an LTS for 1.1.x in time for
buster.
> It's not unrealistic to think
> that a Debian stable could release with a LibreSSL that's already
> unsupported upstream. It is also not ridiculous to point out that a number
> of distributions have an interest in long term maintenance of released
> versions of OpenSSL, while there is no such community around LibreSSL.
Maybe not currently for Debian or Fedora derivatives, but some
distributions (Alpine, OpenELEC amongst others) have switched to
LibreSSL as the default, and some (Gentoo, unsurprisingly) have it as an
option.