From: "Andreas K. Huettel" <dilfridge@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Cc: Peter Stuge
Subject: Re: [gentoo-dev] [RFC] Discontinuing LibreSSL support?
Date: Tue, 29 Dec 2020 17:02:40 +0200
Message-ID: <3335236.dWV9SEqChM@noumea>
Organization: Gentoo Linux
In-Reply-To: <20201229112935.32397.qmail@stuge.se>
References: <5ea24603ce550d4580f8e41fbf6700dd2959b67e.camel@gentoo.org> <20201229112935.32397.qmail@stuge.se>

On Tuesday, 29 December 2020, 13:29:35 EET, Peter Stuge wrote:
> I agree completely that it's unreasonable for Gentoo (worse, 1 person!)
> to continuously patch the entire world for libressl.
>
> I'm asking to stop doing that, yet still enable the choice between
> openssl and libressl where that is possible without patches, even
> if that's only openntpd and one other package.
a) The two cannot be installed concurrently. To fix that would require even
more hacks.
-> all relevant ssl consumers on the user's system must be linked against the
one selected

b) The libraries are not guaranteed to be binary compatible, so switching
implementation requires rebuilding consumers. Especially since this is a
security-sensitive package.
-> all relevant ssl consumers on the user's system must be *built* against the
one selected

Which leads us to

c) If a single package that the user wants to install is not "fixed" for one
ssl library, it blocks that option for all packages.
-> horrible (but real and justified) emerge blockers and general hilarity ensue

I guess if you can come up with a solution that
* provides secure usage of the libraries,
* provides choice to the user, and
* doesn't lead to unupgradeable systems or unresolvable dependencies
we'd all be happier. So far we haven't found one.

--
Andreas K. Hüttel
dilfridge@gentoo.org
Gentoo Linux developer
(council, qa, toolchain, base-system, perl, libreoffice)
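The three constraints in the mail above (one provider per system, consumers must be rebuilt when the provider changes, one unported package blocks the switch for everyone) can be made concrete with a small model. The following is an added example written for this archive page, not code from the mail or from Gentoo's package manager: the package names, their "supports" sets and the ldd output are constructed sample data, and plan_switch/mixed_linkage are illustrative names.

```python
"""Added example: model the constraints from the mail.

a) + b): every SSL consumer must be *built* against the single selected
provider, because ABI compatibility between the two is not guaranteed.
c): one installed package that cannot be built against the selected
provider blocks the switch for the whole system.

All package data and ldd output below is constructed for illustration;
it is not real Gentoo ebuild metadata.
"""
from dataclasses import dataclass
import re
from typing import Optional

PROVIDERS = ("openssl", "libressl")


@dataclass(frozen=True)
class Package:
    name: str
    supports: frozenset            # providers this package can be built against
    built_against: Optional[str]   # provider it is currently linked to (None = not built yet)


def plan_switch(installed, selected):
    """Classify installed packages for a switch to `selected`.

    Returns (blockers, rebuild, unchanged):
      blockers  - packages with no support for `selected`; a single one
                  blocks the switch for everybody (point c)
      rebuild   - packages that support it but are linked against the
                  other provider and must be rebuilt (point b)
      unchanged - already built against `selected`
    """
    if selected not in PROVIDERS:
        raise ValueError(f"unknown provider {selected!r}")
    blockers, rebuild, unchanged = [], [], []
    for pkg in installed:
        if selected not in pkg.supports:
            blockers.append(pkg.name)
        elif pkg.built_against != selected:
            rebuild.append(pkg.name)
        else:
            unchanged.append(pkg.name)
    return sorted(blockers), sorted(rebuild), sorted(unchanged)


# --- checking an actual system: which libssl/libcrypto do binaries load? ---
LDD_LINE = re.compile(r"^\s*(lib(?:ssl|crypto)\.so\S*)\s*=>\s*(\S+)")


def ssl_libs_from_ldd(ldd_output):
    """Map SONAME -> resolved path for the libssl/libcrypto lines of one ldd run."""
    libs = {}
    for line in ldd_output.splitlines():
        m = LDD_LINE.match(line)
        if m:
            libs[m.group(1)] = m.group(2)
    return libs


def mixed_linkage(ldd_by_binary):
    """Return the distinct libssl paths across all binaries.  More than one
    means consumers on this system are linked against different SSL builds,
    which is the state point a) says cannot be supported."""
    paths = set()
    for output in ldd_by_binary.values():
        for soname, path in ssl_libs_from_ldd(output).items():
            if soname.startswith("libssl"):
                paths.add(path)
    return paths


# Constructed sample inventory (hypothetical package names and support sets).
SAMPLE_INSTALLED = [
    Package("net-misc/openntpd", frozenset(PROVIDERS), "openssl"),
    Package("example/unported-consumer", frozenset({"openssl"}), "openssl"),
    Package("example/ported-consumer", frozenset(PROVIDERS), "libressl"),
]

# Constructed ldd output for two binaries linked against different libssl builds.
SAMPLE_LDD = {
    "/usr/bin/binary-a": (
        "\tlinux-vdso.so.1 (0x0000)\n"
        "\tlibssl.so.1.1 => /usr/lib64/libssl.so.1.1 (0x0000)\n"
        "\tlibcrypto.so.1.1 => /usr/lib64/libcrypto.so.1.1 (0x0000)\n"
    ),
    "/usr/bin/binary-b": (
        "\tlibssl.so.48 => /usr/local/lib/libssl.so.48 (0x0000)\n"
        "\tlibcrypto.so.46 => /usr/local/lib/libcrypto.so.46 (0x0000)\n"
    ),
}

if __name__ == "__main__":
    blockers, rebuild, unchanged = plan_switch(SAMPLE_INSTALLED, "libressl")
    print("blockers:", blockers)       # the switch cannot happen while these exist
    print("must rebuild:", rebuild)
    print("unchanged:", unchanged)
    print("distinct libssl builds loaded:", mixed_linkage(SAMPLE_LDD))
```

plan_switch is the dependency-resolver view: a non-empty blockers list is exactly the "emerge blocker" situation from point c), and the rebuild list is the cost of point b). mixed_linkage is the on-system check for point a); on a real machine you would feed it the output of ldd for each installed SSL consumer instead of the constructed strings.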