public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] [News review] LibreSSL support discontinued
@ 2021-01-03 20:47 Michał Górny
  2021-01-04  8:25 ` Stefan Strogin
                   ` (4 more replies)
  0 siblings, 5 replies; 18+ messages in thread
From: Michał Górny @ 2021-01-03 20:47 UTC (permalink / raw
  To: gentoo-dev

Hello,

Please review the news item inlined below.  This is based on what
I discussed with blueness (LibreSSL team lead).  The news item is kinda
long-ish because I wanted to include the full rationale since I believe
our users will find it desirable to know it.

If it's ok, I'd like to push it soonish.  This will give people around
4 weeks to prepare and/or migrate their systems manually before being
hit by the masks.  Afterwards, we'll mask libressl with a prolonged
removal date.  I'm thinking of 3 months since I suspect that our
packages will start strongly requiring OpenSSL by then.

I'm mentioning the LibreSSL overlay since one of our users is
interested in maintaining it.  It will probably be the best alternative
for users who want to continue fighting the lost cause without causing
major problems for Gentoo mainline.


---
Title: LibreSSL support discontinued
Author: Michał Górny <mgorny@gentoo.org>
Posted: 202x-xx-xx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: dev-libs/libressl

Starting 2021-02-01, Gentoo will no longer actively pursue supporting
dev-libs/libressl as an alternative to dev-libs/openssl.  While it will
still be possible for expert users to use LibreSSL on their systems,
we are only going to provide support for OpenSSL-based systems.  Most
importantly, we are no longer going to maintain downstream patches for
LibreSSL support -- it will rely on either package upstreams merging
such patches themselves, or LibreSSL upstream finally working towards
better OpenSSL compatibility.

On 2021-02-01, we will mask the relevant USE flags and packages.  If you
wish to continue using LibreSSL, you will be able to undo these masks
for the time being.  However, as packages drop patching for LibreSSL
and the library is eventually removed from ::gentoo, it will become
necessary to use the user-maintained LibreSSL overlay [1].  As long-term
support for LibreSSL is not guaranteed, we recommend switching
to OpenSSL instead.  More information on removal can be found
on the relevant bug [2].

To switch before the aforementioned date, remove 'libressl' from your
USE flags and CURL_SSL targets.  Afterwards, it is recommended to
prefetch all the necessary distfiles before proceeding with the system
upgrade, in case wget(1) becomes broken in the process:

    emerge --fetchonly dev-libs/openssl net-misc/wget
    emerge --fetchonly --changed-use @world

A --changed-use @world upgrade should automatically cause LibreSSL
to be replaced by OpenSSL, and all affected packages to be rebuilt:

    emerge --changed-use @world


LibreSSL was forked off OpenSSL in 2014 to address a number of
problems with the original package.  However, since then OpenSSL
development gained speed and the original reasons for the fork no longer
apply.  Furthermore, LibreSSL started to repeatedly fall behind
and cause growing compatibility problems.  While initially these
problems were related to packages using old/insecure OpenSSL APIs, today
they are mostly related to LibreSSL missing newer OpenSSL APIs
(yet declaring false compatibility with newer OpenSSL versions).

With the little testing it gets, our developers and users had to put
a significant effort into fixing upstream packages.  In some cases
(e.g. Qt), the upstream has explicitly refused to support LibreSSL,
requiring us to maintain the patches forever.  This in turn means that
security fixes, regular version bumps or end-user system upgrades are
often delayed because of necessary LibreSSL patching.  What is even
worse, major runtime issues managed to sneak in that broke production
systems running LibreSSL in the past.

To the best of our knowledge, the only benefit LibreSSL has over OpenSSL
right now is the additional libtls library.  For this reason, we have
packaged dev-libs/libretls which is a port of this library that links
to OpenSSL.

All these issued considered, we came to the conclusion that OpenSSL
should remain the only supported production option for Gentoo systems.
While the flexibility of Gentoo should make it possible to keep using
LibreSSL going forward, the effort necessary to provide first-class
official support for LibreSSL has proven to outweigh the benefit.

[1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md
[2] https://bugs.gentoo.org/762847
---


-- 
Best regards,
Michał Górny




^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [gentoo-dev] [News review] LibreSSL support discontinued
  2021-01-03 20:47 [gentoo-dev] [News review] LibreSSL support discontinued Michał Górny
@ 2021-01-04  8:25 ` Stefan Strogin
  2021-01-04  9:18   ` Marek Szuba
  2021-01-04  9:21 ` [gentoo-dev] [News review v2] " Michał Górny
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 18+ messages in thread
From: Stefan Strogin @ 2021-01-04  8:25 UTC (permalink / raw
  To: gentoo-dev; +Cc: mgorny

Hello Michal,

On Sun, Jan 03, 2021 at 09:47:31PM +0100, Michał Górny wrote:
> Hello,
> (...)
> To switch before the aforementioned date, remove 'libressl' from your
> USE flags and CURL_SSL targets.  Afterwards, it is recommended to
> prefetch all the necessary distfiles before proceeding with the system
> upgrade, in case wget(1) becomes broken in the process:
> 
>     emerge --fetchonly dev-libs/openssl net-misc/wget
>     emerge --fetchonly --changed-use @world
> 
> A --changed-use @world upgrade should automatically cause LibreSSL
> to be replaced by OpenSSL, and all affected packages to be rebuilt:
> 
>     emerge --changed-use @world
> 

Doesn't work for me. Emerge prints:

```
[blocks B      ] dev-libs/openssl:0 ("dev-libs/openssl:0" is blocking
dev-libs/libressl-3.3.1)

Total: 37 packages (1 new, 36 reinstalls), Size of downloads: 0 KiB
Conflict: 1 block (1 unsatisfied)
(...)
```

I think you have to remove libressl first, like `emerge -C libressl`,
then install openssl like `emerge -1 openssl`, then rebuild
dependencies. As described here but in opposite way:
https://wiki.gentoo.org/wiki/Project:LibreSSL



* Re: [gentoo-dev] [News review] LibreSSL support discontinued
  2021-01-04  8:25 ` Stefan Strogin
@ 2021-01-04  9:18   ` Marek Szuba
  2021-01-04  9:20     ` Michał Górny
  0 siblings, 1 reply; 18+ messages in thread
From: Marek Szuba @ 2021-01-04  9:18 UTC (permalink / raw
  To: gentoo-dev



On January 4, 2021 8:25:21 AM UTC, Stefan Strogin <steils@gentoo.org> wrote:

>Doesn't work for me.

Have you got libressl in your world file, perchance?

-- 
Marecki



* Re: [gentoo-dev] [News review] LibreSSL support discontinued
  2021-01-04  9:18   ` Marek Szuba
@ 2021-01-04  9:20     ` Michał Górny
  0 siblings, 0 replies; 18+ messages in thread
From: Michał Górny @ 2021-01-04  9:20 UTC (permalink / raw
  To: gentoo-dev

On Mon, 2021-01-04 at 09:18 +0000, Marek Szuba wrote:
> 
> On January 4, 2021 8:25:21 AM UTC, Stefan Strogin <steils@gentoo.org> wrote:
> 
> > Doesn't work for me.
> 
> Have you got libressl in your world file, perchance?
> 

Yeah, I guess we need --deselect too.

-- 
Best regards,
Michał Górny





* [gentoo-dev] [News review v2] LibreSSL support discontinued
  2021-01-03 20:47 [gentoo-dev] [News review] LibreSSL support discontinued Michał Górny
  2021-01-04  8:25 ` Stefan Strogin
@ 2021-01-04  9:21 ` Michał Górny
  2021-01-04 13:39   ` Oliver Smeeton
  2021-01-04 14:24   ` Aaron Bauman
  2021-01-04 14:40 ` [gentoo-dev] [News review] " Marc Schiffbauer
                   ` (2 subsequent siblings)
  4 siblings, 2 replies; 18+ messages in thread
From: Michał Górny @ 2021-01-04  9:21 UTC (permalink / raw
  To: gentoo-dev

v2, with additional 'emerge --deselect':
---
Title: LibreSSL support discontinued
Author: Michał Górny <mgorny@gentoo.org>
Posted: 202x-xx-xx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: dev-libs/libressl

Starting 2021-02-01, Gentoo will no longer actively pursue supporting
dev-libs/libressl as an alternative to dev-libs/openssl.  While it will
still be possible for expert users to use LibreSSL on their systems,
we are only going to provide support for OpenSSL-based systems.  Most
importantly, we are no longer going to maintain downstream patches for
LibreSSL support -- it will rely on either package upstreams merging
such patches themselves, or LibreSSL upstream finally working towards
better OpenSSL compatibility.

On 2021-02-01, we will mask the relevant USE flags and packages.  If you
wish to continue using LibreSSL, you will be able to undo these masks
for the time being.  However, as packages drop patching for LibreSSL
and the library is eventually removed from ::gentoo, it will become
necessary to use the user-maintained LibreSSL overlay [1].  As long-term
support for LibreSSL is not guaranteed, we recommend switching
to OpenSSL instead.  More information on removal can be found
on the relevant bug [2].

To switch before the aforementioned date, remove 'libressl' from your
USE flags and CURL_SSL targets.  Afterwards, it is recommended to
prefetch all the necessary distfiles before proceeding with the system
upgrade, in case wget(1) becomes broken in the process:

    emerge --fetchonly dev-libs/openssl net-misc/wget
    emerge --fetchonly --changed-use @world

A --changed-use @world upgrade should automatically cause LibreSSL
to be replaced by OpenSSL, and all affected packages to be rebuilt:

    emerge --deselect dev-libs/libressl
    emerge --changed-use @world


LibreSSL was forked off OpenSSL in 2014 to address a number of
problems with the original package.  However, since then OpenSSL
development gained speed and the original reasons for the fork no longer
apply.  Furthermore, LibreSSL started to repeatedly fall behind
and cause growing compatibility problems.  While initially these
problems were related to packages using old/insecure OpenSSL APIs, today
they are mostly related to LibreSSL missing newer OpenSSL APIs
(yet declaring false compatibility with newer OpenSSL versions).

With the little testing it gets, our developers and users had to put
a significant effort into fixing upstream packages.  In some cases
(e.g. Qt), upstream has explicitly refused to support LibreSSL, forcing
us to maintain the patches forever.  This in turn means that
security fixes, regular version bumps or end-user system upgrades are
often delayed because of necessary LibreSSL patching.  What is even
worse, major runtime issues managed to sneak in that broke production
systems running LibreSSL in the past.

To the best of our knowledge, the only benefit LibreSSL has over OpenSSL
right now is the additional libtls library.  For this reason, we have
packaged dev-libs/libretls which is a port of this library that links
to OpenSSL.

All these issues considered, we came to the conclusion that OpenSSL
should remain the only supported production option for Gentoo systems.
While the flexibility of Gentoo should make it possible to keep using
LibreSSL going forward, the effort necessary to provide first-class
official support for LibreSSL has proven to outweigh the benefit.

[1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md
[2] https://bugs.gentoo.org/762847
---




-- 
Best regards,
Michał Górny





* Re: [gentoo-dev] [News review v2] LibreSSL support discontinued
  2021-01-04  9:21 ` [gentoo-dev] [News review v2] " Michał Górny
@ 2021-01-04 13:39   ` Oliver Smeeton
  2021-01-04 13:46     ` Toralf Förster
  2021-01-04 14:24   ` Aaron Bauman
  1 sibling, 1 reply; 18+ messages in thread
From: Oliver Smeeton @ 2021-01-04 13:39 UTC (permalink / raw
  To: gentoo-dev


You may want to update the Project:LibreSSL
<https://wiki.gentoo.org/wiki/Project:LibreSSL> page to reflect the
decision to drop support for libressl, also you could add a news item to
the libressl package with instructions or a link to instructions for
migrating back to Openssl.




* Re: [gentoo-dev] [News review v2] LibreSSL support discontinued
  2021-01-04 13:39   ` Oliver Smeeton
@ 2021-01-04 13:46     ` Toralf Förster
  2021-01-04 14:00       ` Oliver Smeeton
  0 siblings, 1 reply; 18+ messages in thread
From: Toralf Förster @ 2021-01-04 13:46 UTC (permalink / raw
  To: gentoo-dev



On 1/4/21 2:39 PM, Oliver Smeeton wrote:
> You may want to update the Project:LibreSSL 
> <https://wiki.gentoo.org/wiki/Project:LibreSSL> page to reflect the 
> decision to drop support for libressl,
IMO this is up to the project members only, or ?

-- 
Toralf
PGP 23217DA7 9B888F45




* Re: [gentoo-dev] [News review v2] LibreSSL support discontinued
  2021-01-04 13:46     ` Toralf Förster
@ 2021-01-04 14:00       ` Oliver Smeeton
  0 siblings, 0 replies; 18+ messages in thread
From: Oliver Smeeton @ 2021-01-04 14:00 UTC (permalink / raw
  To: gentoo-dev


OK, my mistake. I'll send my suggestion to libressl@gentoo.org

On Mon, 4 Jan 2021 at 13:47, Toralf Förster <toralf@gentoo.org> wrote:

> On 1/4/21 2:39 PM, Oliver Smeeton wrote:
> > You may want to update the Project:LibreSSL
> > <https://wiki.gentoo.org/wiki/Project:LibreSSL> page to reflect the
> > decision to drop support for libressl,
> IMO this is up to the project members only, or ?
>
> --
> Toralf
> PGP 23217DA7 9B888F45
>
>



* Re: [gentoo-dev] [News review v2] LibreSSL support discontinued
  2021-01-04  9:21 ` [gentoo-dev] [News review v2] " Michał Górny
  2021-01-04 13:39   ` Oliver Smeeton
@ 2021-01-04 14:24   ` Aaron Bauman
  2021-01-04 14:30     ` Michał Górny
  1 sibling, 1 reply; 18+ messages in thread
From: Aaron Bauman @ 2021-01-04 14:24 UTC (permalink / raw
  To: gentoo-dev


On Mon, Jan 04, 2021 at 10:21:58AM +0100, Michał Górny wrote:
> v2, with additional 'emerge --deselect':
> ---
> Title: LibreSSL support discontinued
> Author: Michał Górny <mgorny@gentoo.org>
> Posted: 202x-xx-xx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: dev-libs/libressl
> 
> Starting 2021-02-01, Gentoo will no longer actively pursue supporting

s/no longer actively pursue/discontinue

-Aaron



* Re: [gentoo-dev] [News review v2] LibreSSL support discontinued
  2021-01-04 14:24   ` Aaron Bauman
@ 2021-01-04 14:30     ` Michał Górny
  0 siblings, 0 replies; 18+ messages in thread
From: Michał Górny @ 2021-01-04 14:30 UTC (permalink / raw
  To: gentoo-dev

On Mon, 2021-01-04 at 09:24 -0500, Aaron Bauman wrote:
> On Mon, Jan 04, 2021 at 10:21:58AM +0100, Michał Górny wrote:
> > v2, with additional 'emerge --deselect':
> > ---
> > Title: LibreSSL support discontinued
> > Author: Michał Górny <mgorny@gentoo.org>
> > Posted: 202x-xx-xx
> > Revision: 1
> > News-Item-Format: 2.0
> > Display-If-Installed: dev-libs/libressl
> > 
> > Starting 2021-02-01, Gentoo will no longer actively pursue supporting
> 
> s/no longer actively pursue/discontinue

Applied locally.  I'll resend if there are bigger changes.

-- 
Best regards,
Michał Górny





* Re: [gentoo-dev] [News review] LibreSSL support discontinued
  2021-01-03 20:47 [gentoo-dev] [News review] LibreSSL support discontinued Michał Górny
  2021-01-04  8:25 ` Stefan Strogin
  2021-01-04  9:21 ` [gentoo-dev] [News review v2] " Michał Górny
@ 2021-01-04 14:40 ` Marc Schiffbauer
  2021-01-04 15:08   ` Michał Górny
  2021-01-04 15:09 ` [gentoo-dev] [News review v3] " Michał Górny
  2021-01-05 11:17 ` [gentoo-dev] [News review] " Michał Górny
  4 siblings, 1 reply; 18+ messages in thread
From: Marc Schiffbauer @ 2021-01-04 14:40 UTC (permalink / raw
  To: gentoo-dev


Just a typo...

* Michał Górny schrieb am 03.01.21 um 21:47 Uhr:
> All these issued considered, we came to the conclusion that OpenSSL

s/issued/issues/

right?




* Re: [gentoo-dev] [News review] LibreSSL support discontinued
  2021-01-04 14:40 ` [gentoo-dev] [News review] " Marc Schiffbauer
@ 2021-01-04 15:08   ` Michał Górny
  0 siblings, 0 replies; 18+ messages in thread
From: Michał Górny @ 2021-01-04 15:08 UTC (permalink / raw
  To: gentoo-dev

On Mon, 2021-01-04 at 15:40 +0100, Marc Schiffbauer wrote:
> Just a typo...
> 
> * Michał Górny schrieb am 03.01.21 um 21:47 Uhr:
> > All these issued considered, we came to the conclusion that OpenSSL
> 
> s/issued/issues/
> 
> right?
> 

Thanks, done.

-- 
Best regards,
Michał Górny





* [gentoo-dev] [News review v3] LibreSSL support discontinued
  2021-01-03 20:47 [gentoo-dev] [News review] LibreSSL support discontinued Michał Górny
                   ` (2 preceding siblings ...)
  2021-01-04 14:40 ` [gentoo-dev] [News review] " Marc Schiffbauer
@ 2021-01-04 15:09 ` Michał Górny
  2021-01-04 19:59   ` Ulrich Mueller
  2021-01-05 11:17 ` [gentoo-dev] [News review] " Michał Górny
  4 siblings, 1 reply; 18+ messages in thread
From: Michał Górny @ 2021-01-04 15:09 UTC (permalink / raw
  To: gentoo-dev

The third version follows, with requested text changes and '--deep'
option added to rebuilds.

---
Title: LibreSSL support discontinued
Author: Michał Górny <mgorny@gentoo.org>
Posted: 202x-xx-xx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: dev-libs/libressl

Starting 2021-02-01, Gentoo will discontinue supporting
dev-libs/libressl as an alternative to dev-libs/openssl.  While it will
still be possible for expert users to use LibreSSL on their systems,
we are only going to provide support for OpenSSL-based systems.  Most
importantly, we are no longer going to maintain downstream patches for
LibreSSL support -- it will rely on either package upstreams merging
such patches themselves, or LibreSSL upstream finally working towards
better OpenSSL compatibility.

On 2021-02-01, we will mask the relevant USE flags and packages.  If
you
wish to continue using LibreSSL, you will be able to undo these masks
for the time being.  However, as packages drop patching for LibreSSL
and the library is eventually removed from ::gentoo, it will become
necessary to use the user-maintained LibreSSL overlay [1].  As long-
term
support for LibreSSL is not guaranteed, we recommend switching
to OpenSSL instead.  More information on removal can be found
on the relevant bug [2].

To switch before the aforementioned date, remove 'libressl' from your
USE flags and CURL_SSL targets.  Afterwards, it is recommended to
prefetch all the necessary distfiles before proceeding with the system
upgrade, in case wget(1) becomes broken in the process:

    emerge --fetchonly dev-libs/openssl net-misc/wget
    emerge --fetchonly --deep --changed-use @world

A --changed-use @world upgrade should automatically cause LibreSSL
to be replaced by OpenSSL, and all affected packages to be rebuilt:

    emerge --deselect dev-libs/libressl
    emerge --changed-use --deep @world


LibreSSL was forked off OpenSSL in 2014 to address a number of
problems with the original package.  However, since then OpenSSL
development gained speed and the original reasons for the fork no
longer
apply.  Furthermore, LibreSSL started to repeatedly fall behind
and cause growing compatibility problems.  While initially these
problems were related to packages using old/insecure OpenSSL APIs,
today
they are mostly related to LibreSSL missing newer OpenSSL APIs
(yet declaring false compatibility with newer OpenSSL versions).

With the little testing it gets, our developers and users had to put
a significant effort into fixing upstream packages.  In some cases
(e.g. Qt), upstream has explicitly refused to support LibreSSL, forcing
us to maintain the patches forever.  This in turn means that
security fixes, regular version bumps or end-user system upgrades are
often delayed because of necessary LibreSSL patching.  What is even
worse, major runtime issues managed to sneak in that broke production
systems running LibreSSL in the past.

To the best of our knowledge, the only benefit LibreSSL has over
OpenSSL
right now is the additional libtls library.  For this reason, we have
packaged dev-libs/libretls which is a port of this library that links
to OpenSSL.

All these issues considered, we came to the conclusion that OpenSSL
should remain the only supported production option for Gentoo systems.
While the flexibility of Gentoo should make it possible to keep using
LibreSSL going forward, the effort necessary to provide first-class
official support for LibreSSL has proven to outweigh the benefit.

[1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md
[2] https://bugs.gentoo.org/762847
---

-- 
Best regards,
Michał Górny





* Re: [gentoo-dev] [News review v3] LibreSSL support discontinued
  2021-01-04 15:09 ` [gentoo-dev] [News review v3] " Michał Górny
@ 2021-01-04 19:59   ` Ulrich Mueller
  2021-01-04 20:48     ` Michał Górny
  0 siblings, 1 reply; 18+ messages in thread
From: Ulrich Mueller @ 2021-01-04 19:59 UTC (permalink / raw
  To: Michał Górny; +Cc: gentoo-dev


>>>>> On Mon, 04 Jan 2021, Michał Górny wrote:

> Starting 2021-02-01, Gentoo will discontinue supporting
> dev-libs/libressl as an alternative to dev-libs/openssl.  While it will

> [...]

> On 2021-02-01, we will mask the relevant USE flags and packages.  If
> you

> [...]

> necessary to use the user-maintained LibreSSL overlay [1].  As long-
> term

> [...]

> development gained speed and the original reasons for the fork no
> longer

> [...]

> problems were related to packages using old/insecure OpenSSL APIs,
> today

> [...]

> To the best of our knowledge, the only benefit LibreSSL has over
> OpenSSL

This has some strange line breaks now. Please fix.

Ulrich



* Re: [gentoo-dev] [News review v3] LibreSSL support discontinued
  2021-01-04 19:59   ` Ulrich Mueller
@ 2021-01-04 20:48     ` Michał Górny
  2021-01-04 20:51       ` Michał Górny
  0 siblings, 1 reply; 18+ messages in thread
From: Michał Górny @ 2021-01-04 20:48 UTC (permalink / raw
  To: gentoo-dev

On Mon, 2021-01-04 at 20:59 +0100, Ulrich Mueller wrote:
> > > > > > On Mon, 04 Jan 2021, Michał Górny wrote:
> 
> > Starting 2021-02-01, Gentoo will discontinue supporting
> > dev-libs/libressl as an alternative to dev-libs/openssl.  While it
> > will
> 
> > [...]
> 
> > On 2021-02-01, we will mask the relevant USE flags and packages. 
> > If
> > you
> 
> > [...]
> 
> > necessary to use the user-maintained LibreSSL overlay [1].  As
> > long-
> > term
> 
> > [...]
> 
> > development gained speed and the original reasons for the fork no
> > longer
> 
> > [...]
> 
> > problems were related to packages using old/insecure OpenSSL APIs,
> > today
> 
> > [...]
> 
> > To the best of our knowledge, the only benefit LibreSSL has over
> > OpenSSL
> 
> This has some strange line breaks now. Please fix.

It's just my stupid mail client, please disregard that.

-- 
Best regards,
Michał Górny





* Re: [gentoo-dev] [News review v3] LibreSSL support discontinued
  2021-01-04 20:48     ` Michał Górny
@ 2021-01-04 20:51       ` Michał Górny
  0 siblings, 0 replies; 18+ messages in thread
From: Michał Górny @ 2021-01-04 20:51 UTC (permalink / raw
  To: gentoo-dev

On Mon, 2021-01-04 at 21:48 +0100, Michał Górny wrote:
> On Mon, 2021-01-04 at 20:59 +0100, Ulrich Mueller wrote:
> > > > > > > On Mon, 04 Jan 2021, Michał Górny wrote:
> > 
> > > Starting 2021-02-01, Gentoo will discontinue supporting
> > > dev-libs/libressl as an alternative to dev-libs/openssl.  While it
> > > will
> > 
> > > [...]
> > 
> > > On 2021-02-01, we will mask the relevant USE flags and packages. 
> > > If
> > > you
> > 
> > > [...]
> > 
> > > necessary to use the user-maintained LibreSSL overlay [1].  As
> > > long-
> > > term
> > 
> > > [...]
> > 
> > > development gained speed and the original reasons for the fork no
> > > longer
> > 
> > > [...]
> > 
> > > problems were related to packages using old/insecure OpenSSL APIs,
> > > today
> > 
> > > [...]
> > 
> > > To the best of our knowledge, the only benefit LibreSSL has over
> > > OpenSSL
> > 
> > This has some strange line breaks now. Please fix.
> 
> It's just my stupid mail client, please disregard that.
> 

Anyway, the correct paste:

---
Title: LibreSSL support discontinued
Author: Michał Górny <mgorny@gentoo.org>
Posted: 202x-xx-xx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: dev-libs/libressl

Starting 2021-02-01, Gentoo will discontinue supporting
dev-libs/libressl as an alternative to dev-libs/openssl.  While it will
still be possible for expert users to use LibreSSL on their systems,
we are only going to provide support for OpenSSL-based systems.  Most
importantly, we are no longer going to maintain downstream patches for
LibreSSL support -- it will rely on either package upstreams merging
such patches themselves, or LibreSSL upstream finally working towards
better OpenSSL compatibility.

On 2021-02-01, we will mask the relevant USE flags and packages.  If you
wish to continue using LibreSSL, you will be able to undo these masks
for the time being.  However, as packages drop patching for LibreSSL
and the library is eventually removed from ::gentoo, it will become
necessary to use the user-maintained LibreSSL overlay [1].  As long-term
support for LibreSSL is not guaranteed, we recommend switching
to OpenSSL instead.  More information on removal can be found
on the relevant bug [2].

To switch before the aforementioned date, remove 'libressl' from your
USE flags and CURL_SSL targets.  Afterwards, it is recommended to
prefetch all the necessary distfiles before proceeding with the system
upgrade, in case wget(1) becomes broken in the process:

    emerge --fetchonly dev-libs/openssl net-misc/wget
    emerge --fetchonly --deep --changed-use @world

A --changed-use @world upgrade should automatically cause LibreSSL
to be replaced by OpenSSL, and all affected packages to be rebuilt:

    emerge --deselect dev-libs/libressl
    emerge --changed-use --deep @world


LibreSSL was forked off OpenSSL in 2014 to address a number of
problems with the original package.  However, since then OpenSSL
development gained speed and the original reasons for the fork no longer
apply.  Furthermore, LibreSSL started to repeatedly fall behind
and cause growing compatibility problems.  While initially these
problems were related to packages using old/insecure OpenSSL APIs, today
they are mostly related to LibreSSL missing newer OpenSSL APIs
(yet declaring false compatibility with newer OpenSSL versions).

With the little testing it gets, our developers and users had to put
significant effort into fixing upstream packages.  In some cases
(e.g. Qt), upstream has explicitly refused to support LibreSSL, forcing
us to maintain the patches forever.  This in turn means that
security fixes, regular version bumps or end-user system upgrades are
often delayed because of necessary LibreSSL patching.  What is even
worse, major runtime issues managed to sneak in that broke production
systems running LibreSSL in the past.

To the best of our knowledge, the only benefit LibreSSL has over OpenSSL
right now is the additional libtls library.  For this reason, we have
packaged dev-libs/libretls which is a port of this library that links
to OpenSSL.

All these issues considered, we came to the conclusion that OpenSSL
should remain the only supported production option for Gentoo systems.
While the flexibility of Gentoo should make it possible to keep using
LibreSSL going forward, the effort necessary to provide first-class
official support for LibreSSL has proven to outweigh the benefit.

[1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md
[2] https://bugs.gentoo.org/762847

---

-- 
Best regards,
Michał Górny
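The switch described in the news item above, as an added example that is not part of the news item and not Gentoo's own tooling: a small POSIX shell script that strips the LibreSSL settings the item says to remove from copies of make.conf and package.use, and prints the emerge sequence to run afterwards. It assumes single-line USE="..." / CURL_SSL="..." assignments, that the CURL_SSL target expands to the USE flag curl_ssl_libressl, and "openssl" as the explicit replacement CURL_SSL target; the sample make.conf it runs on is constructed, and nothing in it invokes emerge or touches /etc/portage.

```shell
#!/bin/sh
# Added example, not part of the news item or of Gentoo's own tooling.
# It prepares a Portage configuration for the LibreSSL -> OpenSSL switch:
#   1. strips the 'libressl' token from USE= / CURL_SSL= in a make.conf copy,
#   2. strips libressl / curl_ssl_libressl flags from package.use lines,
#   3. prints the emerge sequence from the news item for the admin to run.
# Assumptions: single-line USE="..." / CURL_SSL="..." assignments; the
# CURL_SSL target expands to the USE flag curl_ssl_libressl; and "openssl"
# as the explicit replacement CURL_SSL target.  Nothing here runs emerge or
# touches /etc/portage; it only rewrites copies of the files you pass in.

# Drop every 'libressl' (or '-libressl') token from a USE= / CURL_SSL=
# assignment.  Any other line is echoed unchanged.
strip_libressl_line() {
  printf '%s\n' "$1" | sed -E \
    -e '/^(USE|CURL_SSL)=/!b' \
    -e ':a' -e 's/(["[:space:]])-?libressl([[:space:]"])/\1\2/' -e 'ta' \
    -e 's/[[:space:]]{2,}/ /g' -e 's/=" /="/' -e 's/ "$/"/' \
    -e 's/^CURL_SSL=""$/CURL_SSL="openssl"/'
}

# Drop libressl / curl_ssl_libressl flags from a package.use line.  When
# only the package atom is left, the whole line is dropped (empty output).
strip_libressl_pkguse_line() {
  printf '%s\n' "$1" | sed -E \
    -e '/^[[:space:]]*#/b' \
    -e ':a' -e 's/[[:space:]]+-?(curl_ssl_)?libressl([[:space:]]+|$)/ /' -e 'ta' \
    -e 's/[[:space:]]+$//' \
    -e '/^[^[:space:]]*$/d'
}

# Rewrite a make.conf copy ($1 -> $2) with the filter above.  Returns 0 when
# at least one line changed, 1 when the file already had no libressl setting.
rewrite_make_conf() {
  changed=1
  : > "$2"
  while IFS= read -r line || [ -n "$line" ]; do
    new=$(strip_libressl_line "$line")
    [ "$new" = "$line" ] || changed=0
    printf '%s\n' "$new" >> "$2"
  done < "$1"
  return $changed
}

# The upgrade sequence from the news item, printed for review, not executed.
print_migration_steps() {
  cat <<'EOF'
emerge --fetchonly dev-libs/openssl net-misc/wget
emerge --fetchonly --deep --changed-use @world
emerge --deselect dev-libs/libressl
emerge --changed-use --deep @world
EOF
}

# Demo on a constructed make.conf (not a real system file).
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' 'CFLAGS="-O2 -pipe"' 'USE="bindist libressl X -gnome"' \
    'CURL_SSL="libressl"' > "$tmp/make.conf"
  if rewrite_make_conf "$tmp/make.conf" "$tmp/make.conf.new"; then
    echo "make.conf still selected LibreSSL; cleaned copy:"
    cat "$tmp/make.conf.new"
    pkguse=$(strip_libressl_pkguse_line '*/* libressl')
    echo "package.use line '*/* libressl' -> '${pkguse:-(dropped)}'"
    echo "next, run:"
    print_migration_steps
  else
    echo "make.conf already clean"
  fi
  rm -rf "$tmp"
}
demo
```

Run it against a copy of your make.conf by calling rewrite_make_conf with the copy as the first argument and a new path as the second; diff the two before putting the result in place, then follow the printed emerge sequence in the order the news item gives.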


* Re: [gentoo-dev] [News review] LibreSSL support discontinued
  2021-01-03 20:47 [gentoo-dev] [News review] LibreSSL support discontinued Michał Górny
  2021-01-04 15:09 ` [gentoo-dev] [News review v3] " Michał Górny
@ 2021-01-05 11:17 ` Michał Górny
  2021-03-27  1:47   ` Thomas Mueller
From: Michał Górny @ 2021-01-05 11:17 UTC (permalink / raw
  To: gentoo-dev

On Sun, 2021-01-03 at 21:47 +0100, Michał Górny wrote:
> Hello,
> 
> Please review the news item inlined below.  This is based on what
> I discussed with blueness (LibreSSL team lead).  The news item is kinda
> long-ish because I wanted to include the full rationale since I believe
> our users will find it desirable to know it.
> 
> If it's ok, I'd like to push it soonish.  This will give people around
> 4 weeks to prepare and/or migrate their systems manually before being
> hit by the masks.  Afterwards, we'll mask libressl with a prolonged
> removal date.  I'm thinking of 3 months since I suspect that our
> packages will start strongly requiring OpenSSL by then.
> 
> I'm mentioning the LibreSSL overlay since one of our users is
> interested in maintaining it.  It will probably be the best alternative
> for users who want to continue fighting the lost cause without causing
> major problems for Gentoo mainline.

Thank you all for feedback.  I've just pushed the last version.

-- 
Best regards,
Michał Górny


* Re: [gentoo-dev] [News review] LibreSSL support discontinued
  2021-01-05 11:17 ` [gentoo-dev] [News review] " Michał Górny
@ 2021-03-27  1:47   ` Thomas Mueller
From: Thomas Mueller @ 2021-03-27  1:47 UTC (permalink / raw
  To: gentoo-dev


> On Sun, 2021-01-03 at 21:47 +0100, Michał Górny wrote:
> > Hello,
> > 
> > Please review the news item inlined below.  This is based on what
> > I discussed with blueness (LibreSSL team lead).  The news item is kinda
> > long-ish because I wanted to include the full rationale since I believe
> > our users will find it desirable to know it.
> > 
> > If it's ok, I'd like to push it soonish.  This will give people around
> > 4 weeks to prepare and/or migrate their systems manually before being
> > hit by the masks.  Afterwards, we'll mask libressl with a prolonged
> > removal date.  I'm thinking of 3 months since I suspect that our
> > packages will start strongly requiring OpenSSL by then.
> > 
> > I'm mentioning the LibreSSL overlay since one of our users is
> > interested in maintaining it.  It will probably be the best alternative
> > for users who want to continue fighting the lost cause without causing
> > major problems for Gentoo mainline.
> 
> Thank you all for feedback.  I've just pushed the last version.
> 
> Best regards,
> Michał Górny

Just a couple of days ago, I found an article through Distrowatch: Void Linux is dropping LibreSSL in favor of OpenSSL.

2021-02-28  Void to switch back to OpenSSL

At the start of the year we mentioned the Gentoo project was considering dropping support for LibreSSL, a fork of the OpenSSL cryptography library. While LibreSSL was intended to be smaller, lighter, and more secure, a lot of work and improvements have gone into OpenSSL while not many Linux packages are tested against LibreSSL, causing problems for their maintainers. The extra effort to maintain compatibility with LibreSSL while new features arrive in OpenSSL first has caused the Void team to switch from running LibreSSL back to OpenSSL. "The Void Linux team is switching back to OpenSSL on March 5th, 2021 (2021-03-05). For most users, there should be no noticeable change. If you have any packages installed that are no longer provided by Void, or your system has explicit dependencies on LibreSSL, you will of course need to take action to ensure your system continues to function after the switch."

URL of Void Linux article is

https://voidlinux.org/news/2021/02/OpenSSL.html
 
Tom

