On 12/28/20 3:56 AM, Michał Górny wrote:
> Hello, developers and Gentoo LibreSSL team.
> 
> TL;DR: is there really a point in continuing the never-ending always-
> regressing struggle towards supporting LibreSSL in Gentoo?
> 
> 
> I would like to discuss the possibility of discontinuing LibreSSL
> support in Gentoo in favor of sticking with OpenSSL.  Similarly to how we
> ended up deciding that fighting for libav was unpractical and the vast
> majority of users are using ffmpeg (because they didn't really have
> a choice), today it seems that LibreSSL is suffering the same fate.
> 
> LibreSSL users, does LibreSSL today have any benefit over OpenSSL?
> To be honest, I don't think so.  In 2014, it might have represented
> a new quality.  But today, OpenSSL is alive and kicking, and LibreSSL
> finds it hard to keep up.
> 
> The vast majority of software is not tested against LibreSSL.  While
> patches are usually trivial and we have people that submit them,
> I find many of them short-sighted.  Just look at [1].  Sure, it fixes
> the build today but it disabled the feature for all foreseeable future.
> How likely is it that somebody will submit another patch reenabling it
> with a future LibreSSL version?
> 
> While normally I strongly prefer submitting such patches upstream, that
> makes things even worse.  I mean, I wouldn't be surprised if there were
> dozens of packages today that are crippled with LibreSSL just because
> somebody fixed the build in the past and never revisited the problem.
> 
> This somewhat resembles running in circles.  Packages kept being broken
> with LibreSSL because rarely anyone is using it.  And rarely anyone is
> using LibreSSL because the apparent benefit (or lack thereof) does not
> justify the constant breakage (plus invisible regressions).
> 
> All this considered, provided that nobody is able to find a good reason
> to use LibreSSL, I would like to propose that we stop patching
> packages, discontinue support for it and last rite it.
> 
> 
> [1] https://761981.bugs.gentoo.org/attachment.cgi?id=679892
> 

I'm the current project lead.  I inherited it back in the day from
hasufel.  It originally had promise of being better than openssl with
100% compatibility.  I hung on because I trusted that team but it has
become more of a hassle than it's worth.  I am in favor of removing it.
If we decide to do so, how should we proceed?

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA
