Re: [gentoo-dev] [News review v2] LibreSSL support discontinued

[Oliver Smeeton <oliversmeeton2019@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 4201 bytes --]

You may want to update the Project:LibreSSL
<https://wiki.gentoo.org/wiki/Project:LibreSSL> page to reflect the
decision to drop support for libressl, also you could add a news item to
the libressl package with instructions or a link to instructions for
migrating back to Openssl.

On Mon, 4 Jan 2021 at 09:22, Michał Górny <mgorny@gentoo.org> wrote:

> v2, with additional 'emerge --deselect':
> ---
> Title: LibreSSL support discontinued
> Author: Michał Górny <mgorny@gentoo.org>
> Posted: 202x-xx-xx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: dev-libs/libressl
>
> Starting 2021-02-01, Gentoo will no longer actively pursue supporting
> dev-libs/libressl as an alternative to dev-libs/openssl.  While it will
> still be possible for expert users to use LibreSSL on their systems,
> we are only going to provide support for OpenSSL-based systems.  Most
> importantly, we are no longer going to maintain downstream patches for
> LibreSSL support -- it will rely on either package upstreams merging
> such patches themselves, or LibreSSL upstream finally working towards
> better OpenSSL compatibility.
>
> On 2021-02-01, we will mask the relevant USE flags and packages.  If
> you
> wish to continue using LibreSSL, you will be able to undo these masks
> for the time being.  However, as packages drop patching for LibreSSL
> and the library is eventually removed from ::gentoo, it will become
> necessary to use the user-maintained LibreSSL overlay [1].  As long-
> term
> support for LibreSSL is not guaranteed, we recommend switching
> to OpenSSL instead.  More information on removal can be found
> on the relevant bug [2].
>
> To switch before the aforementioned date, remove 'libressl' from your
> USE flags and CURL_SSL targets.  Afterwards, it is recommended to
> prefetch all the necessary distfiles before proceeding with the system
> upgrade, in case wget(1) becomes broken in the process:
>
>     emerge --fetchonly dev-libs/openssl net-misc/wget
>     emerge --fetchonly --changed-use @world
>
> A --changed-use @world upgrade should automatically cause LibreSSL
> to be replaced by OpenSSL, and all affected packages to be rebuilt:
>
>     emerge --deselect dev-libs/libressl
>     emerge --changed-use @world
>
>
> LibreSSL has been forked off OpenSSL in 2014 to address a number of
> problems with the original package.  However, since then OpenSSL
> development gained speed and the original reasons for the fork no
> longer
> apply.  Furthermore, LibreSSL started to repeatedly fall behind
> and cause growing compatibility problems.  While initially these
> problems were related to packages using old/insecure OpenSSL APIs,
> today
> they are mostly related to LibreSSL missing newer OpenSSL APIs
> (yet declaring false compatibility with newer OpenSSL versions).
>
> With the little testing it gets, our developers and users had to put
> a significant effort into fixing upstream packages.  In some cases
> (e.g. Qt), upstream has explicitly refused to support LibreSSL, forcing
> us to maintain the patches forever.  This in turn means that
> security fixes, regular version bumps or end-user system upgrades are
> often delayed because of necessary LibreSSL patching.  What is even
> worse, major runtime issues managed to sneak in that broke production
> systems running LibreSSL in the past.
>
> To the best of our knowledge, the only benefit LibreSSL has over
> OpenSSL
> right now is the additional libtls library.  For this reason, we have
> packaged dev-libs/libretls which is a port of this library that links
> to OpenSSL.
>
> All these issued considered, we came to the conclusion that OpenSSL
> should remain the only supported production option for Gentoo systems.
> While the flexibility of Gentoo should make it possible to keep using
> LibreSSL going forward, the effort necessary to provide first-class
> official support for LibreSSL has proven to outweigh the benefit.
>
> [1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md
> [2] https://bugs.gentoo.org/762847
> ---
>
>
>
>
> --
> Best regards,
> Michał Górny
>
>
>
>

[-- Attachment #2: Type: text/html, Size: 4969 bytes --]