On Tue, Oct 17, 2017 at 12:05:30AM +0200, Guus Sliepen wrote:
despite fears of OpenBSD only caring about themselves, I have found that it is easier to compile LibreSSL for various platforms (even non-POSIX ones) than OpenSSL. And that APIs might be broken more easily by LibreSSL is ridiculous, as it is OpenSSL iself that has changed its API in a non-backwards compatible way that is now causing this discussion.
It is not ridiculous to point out that LibreSSL is released every six months and supported for one year after release, while OpenSSL is supported for at least 2 years, and 5 years for LTS releases. It's not unrealistic to think that a Debian stable could release with a LibreSSL that's already unsupported upstream. It is also not ridiculous to point out that a number of distributions have an interest in long term maintenance of released versions of OpenSSL, while there is no such community around LibreSSL.
You are correct, though, that the OpenSSL and LibreSSL code bases will continue to diverge, from both directions. I think that's the biggest impediment to creating an OpenSSL 1.0 compatability layer for OpenSSH--over time, neither OpenSSL nor LibreSSL have any interest in confining themselves to that API, and it's clear that OpenSSH will track LibreSSL's API rather than the old OpenSSL API in the long term.
As I continue to think about it, it may actually end up being better to embed a constrained subset of LibreSSL in OpenSSH than worry about either maintaining the entire LibreSSL package over a period of years, or fork.
Mike Stone