Re: [gentoo-dev] [RFC] Discontinuing LibreSSL support?

["Michał Górny" <mgorny@gentoo.org>]

On Mon, 2020-12-28 at 22:00 +0000, Peter Stuge wrote:
> Michał Górny wrote:
> > I would like to discuss the possibility of discontinuing LibreSSL
> > support in Gentoo in favor of sticking with OpenSSL.
> 
> I think that's a horrible idea, since Gentoo is about choice and this
> particular component is one of the most important in a system.
> 
> But "support" can mean different things...
> 
> 
> > LibreSSL users, does LibreSSL today have any benefit over OpenSSL?
> 
> Yes, at least two:
> 
> A. It is a distinct implementation with probably /quite some/ stable
> compatibility, meaning that it will work perfectly fine as an
> alternative in many cases.

Except that it doesn't, as has been proven numerous times.

> 
> B. It brings its own TLS API, a unique feature which by itself
> warrants
> the package.

...which by itself has no future and only means some people will create
less portable applications and then regret it.

> 
> 
> > All this considered, provided that nobody is able to find a good
> > reason
> > to use LibreSSL, I would like to propose that we stop patching
> > packages, discontinue support for it and last rite it.
> 
> There is no reason at all to do all three of those atomically:
> 
> 1. Stop patching packages to make them build also against libressl
> 2. Stop maintaining libressl-*.ebuild
> 3. package.mask
> 
> I think the complaint is really only about 1. and I can understand
> that the effort here outweighs the perceived benefit, that's fine,
> I don't think it's the responsibility of Gentoo developers to patch
> the world to build also against libressl.
> 
> But as long as a single package can be built with either openssl or
> libressl without changes I consider it appropriate to maintain both
> libressl ebuilds and either virtual/openssl or another way to decide
> system-wide to use libressl instead of openssl. This remains very
> valuable especially for non-releng stages.
> 
> More elaborate OpenSSL API users can (arguably should) just block on
> libressl instead of requiring patch work.

It's all nice theory but in practice it means that nobody will be able
to install libressl because some important system packages will block
it.  So we'd effectively waste our users' time pretending that we do
support LibreSSL, while anyone actually trying it will hit a brick
wall.

This sounds like the argument 'let's not remove broken packages, people
can read the 5 page forum thread on how to get them to work,
somewhat!'.

-- 
Best regards,
Michał Górny