On Mon, Oct 16, 2017 at 10:21:10PM -0400, Michael Stone wrote:
> On Tue, Oct 17, 2017 at 12:05:30AM +0200, Guus Sliepen wrote:
> > despite fears of OpenBSD only caring about themselves, I have found that
> > it is easier to compile LibreSSL for various platforms (even non-POSIX
> > ones) than OpenSSL. And that APIs might be broken more easily by LibreSSL
> > is ridiculous, as it is OpenSSL iself that has changed its API in a
> > non-backwards compatible way that is now causing this discussion.
>
> It is not ridiculous to point out that LibreSSL is released every six months
> and supported for one year after release, while OpenSSL is supported for at
> least 2 years, and 5 years for LTS releases.
That is certainly not ridiculous. But, I had a look at the release plan
for OpenSSL at https://www.openssl.org/policies/releasestrat.html, and
it seems there only is one LTS release, namely 1.0.2, which will be
supported until the very end of 2019. 1.1.0 is only supported until
September 2018. In that context it is strange that we switched to 1.1.0
in stretch already. Let's hope there is an LTS for 1.1.x in time for
buster.
> It's not unrealistic to think
> that a Debian stable could release with a LibreSSL that's already
> unsupported upstream. It is also not ridiculous to point out that a number
> of distributions have an interest in long term maintenance of released
> versions of OpenSSL, while there is no such community around LibreSSL.
Maybe not currently for Debian or Fedora derivatives, but some
distributions (Alpine, OpenELEC amongst others) have switched to
LibreSSL as the default, and some (Gentoo, unsurprisingly) have it as an
option.
I see two main forces determining which fork of a library will be used:
either distributions themselves will choose based on technical and other
merits, or important applications will favor one of the forks, forcing
the decision for distributions. OpenSSH is now applying some force, I
have no idea what programs are out there that can only work with
OpenSSL. I assume those that moved to OpenSSL 1.1 and ditched OpenSSL
1.0 compatibility, but I wonder how many there are.
It would be interesting to recompile all packages that Build-Depend:
libssl-dev with LibreSSL, and see what actually breaks...
> As I continue to think about it, it may actually end up being better to
> embed a constrained subset of LibreSSL in OpenSSH than worry about either
> maintaining the entire LibreSSL package over a period of years, or fork.
I don't see why it couldn't be in its own package even if OpenSSH was
the only user. It doesn't change the maintenance burden.
--
Met vriendelijke groet / with kind regards,
Guus Sliepen <guus@debian.org>
Attachment:
signature.asc
Description: PGP signature