On Tue, 29 Dec 2020 23:34:36 +0000 Peter Stuge <pe...@stuge.se> wrote:
> David Seifert wrote:
> > > Maybe because it is so well-known that monoculture is harmful per se,
> > > which is why the commitment to choice in Gentoo is very valuable.
> > >
> > > Further, LibreSSL comes out of the OpenBSD project, which has a good
> > > reputation on code quality.
> >
> > Like strong-arming 99% of the users of OpenSSH because they were
> > unwilling to port to the OpenSSL 1.1 API, full well knowing that most
> > of the OpenSSH consuming world doesn't actually use libressl? How is
> > explicitly tying OpenSSH to libressl not a form of monoculture?
>
> Now we're properly off-topic :) but considering that OpenSSH is developed
> for OpenBSD and that openssh-portable is merely provided as a service to
> other systems, it's easy to understand why OpenSSH (remember, part of OpenBSD)
> uses the libressl API for crypto, and why the -portable team is not so keen
> on maintaining patches for other crypto providers. Another example is systemd
> binding tightly to Linux. In both cases it's understandable, but also quite
> unfortunate; better portability would be better.

I don't have any strong opinions on either side of this argument; I have 1
machine on LibreSSL that I would need to switch, but that is not really a
major issue for me.

As the person who has been doing a large percentage of the OpenSSH ebuild
maintenance for a couple of years now, I feel I should mention that while it
was the case that OpenSSH would not work with OpenSSL 1.1+ without a (rather
large) patch in the past, that has not been the case for some time now.
Modern OpenSSH versions work fine with modern OpenSSL versions.