Re: [gentoo-dev] [RFC] Discontinuing LibreSSL support?

["Michał Górny" <mgorny@gentoo.org>]

On Mon, 2020-12-28 at 13:59 -0500, Anthony G. Basile wrote:
> On 12/28/20 3:56 AM, Michał Górny wrote:
> > Hello, developers and Gentoo LibreSSL team.
> > 
> > TL;DR: is there really a point in continuing the never-ending
> > always-
> > regressing struggle towards supporting LibreSSL in Gentoo?
> > 
> > 
> > I would like to discuss the possibility of discontinuing LibreSSL
> > support in Gentoo in favor of sticking with OpenSSL.  Similarly how
> > we
> > ended up deciding that fighting for libav was unpractical and the
> > vast
> > majority of users are using ffmpeg (because they didn't really have
> > a choice), today it seems that LibreSSL is suffering the same fate.
> > 
> > LibreSSL users, does LibreSSL today have any benefit over OpenSSL?
> > To be honest, I don't think so.  In 2014, it might have represented
> > a new quality.  But today, OpenSSL is alive and kicking, and
> > LibreSSL
> > finds it hard to keep up.
> > 
> > The vast majority of software is not tested against LibreSSL. 
> > While
> > patches are usually trivial and we have people that submit them,
> > I find many of them short-sighted.  Just look at [1].  Sure, it
> > fixes
> > the build today but it disabled the feature for all foreseeable
> > future.
> > How likely is it that somebody will submit another patch reenabling
> > it
> > with a future LibreSSL version?
> > 
> > While normally I strongly prefer submitting such patches upstream,
> > that
> > makes things even worse.  I mean, I wouldn't be surprised if there
> > were
> > dozens of packages today that are crippled with LibreSSL just
> > because
> > somebody fixed the build in the past and never revisited the
> > problem.
> > 
> > This somewhat resembles running in circles.  Packages kept being
> > broken
> > with LibreSSL because rarely anyone is using it.  And rarely anyone
> > is
> > using LibreSSL because the apparent benefit (or lack thereof) does
> > not
> > justify the constant breakage (plus invisible regressions).
> > 
> > All this considered, provided that nobody is able to find a good
> > reason
> > to use LibreSSL, I would like to propose that we stop patching
> > packages, discontinue support for it and last rite it.
> > 
> > 
> > [1] https://761981.bugs.gentoo.org/attachment.cgi?id=679892
> > 
> 
> I'm the current project lead.  I inherited it back in the day from
> hasufel.  It originally had promise of being better than openssl with
> 100% compatibility.  I hung on because I trusted that team but it has
> become more of a hassle than its worth.  I am in favor of removing
> it.
> If we decide to do so, how should we proceed?

I think the usual plan for this kind of thing is to:

1. Issue a news item with the planned cutoff date, and suggest people
that they can set USE=-libressl to switch earlier.

2. At the cutoff date, use.mask libressl flag.

3. package.mask libressl itself to give people a clear message.


I might be wrong but I think the update should proceed cleanly with
--changed-use/--newuse.  The PM will trigger the rebuilds,
and preserved-libs should take care of keeping libressl libs for
as long as necessary (yeah, I know relying on preserved-libs sucks).

The only problem that I can think of are packages that depend
on libressl specifically and do not support openssl.  I don't think we
have anything like that but I'll double check.

-- 
Best regards,
Michał Górny