Bug#754513: RFP: libressl -- SSL library, forked from OpenSSL
On Tue, Oct 17, 2017 at 12:05:30AM +0200, Guus Sliepen wrote:
> despite fears of OpenBSD only caring about themselves, I have found that
> it is easier to compile LibreSSL for various platforms (even non-POSIX
> ones) than OpenSSL. And that APIs might be broken more easily by LibreSSL
> is ridiculous, as it is OpenSSL itself that has changed its API in a
> non-backwards compatible way that is now causing this discussion.
It is not ridiculous to point out that LibreSSL is released every six
months and supported for one year after release, while OpenSSL is
supported for at least 2 years, and 5 years for LTS releases. It's not
unrealistic to think that a Debian stable could release with a LibreSSL
that's already unsupported upstream. It is also not ridiculous to point
out that a number of distributions have an interest in long term
maintenance of released versions of OpenSSL, while there is no such
community around LibreSSL.
You are correct, though, that the OpenSSL and LibreSSL code bases will
continue to diverge, from both directions. I think that's the biggest
impediment to creating an OpenSSL 1.0 compatibility layer for
OpenSSH--over time, neither OpenSSL nor LibreSSL have any interest in
confining themselves to that API, and it's clear that OpenSSH will track
LibreSSL's API rather than the old OpenSSL API in the long term.
As I continue to think about it, it may actually end up being better to
embed a constrained subset of LibreSSL in OpenSSH than worry about
either maintaining the entire LibreSSL package over a period of years,