Hello,

Please review the news item inlined below.  This is based on what
I discussed with blueness (LibreSSL team lead).  The news item is kinda
long-ish because I wanted to include the full rationale since I believe
our users will find it desirable to know it.

If it's ok, I'd like to push it soonish.  This will give people around
4 weeks to prepare and/or migrate their systems manually before being
hit by the masks.  Afterwards, we'll mask libressl with a prolonged
removal date.  I'm thinking of 3 months since I suspect that our
packages will start strongly requiring OpenSSL by then.

I'm mentioning the LibreSSL overlay since one of our users is
interested in maintaining it.  It will probably be the best alternative
for users who want to continue fighting the lost cause without causing
major problems for Gentoo mainline.


---
Title: LibreSSL support discontinued
Author: Michał Górny <mgo...@gentoo.org>
Posted: 202x-xx-xx
Revision: 1
News-Item-Format: 2.0
Display-If-Installed: dev-libs/libressl

Starting 2021-02-01, Gentoo will no longer actively pursue supporting
dev-libs/libressl as an alternative to dev-libs/openssl.  While it will
still be possible for expert users to use LibreSSL on their systems,
we are only going to provide support for OpenSSL-based systems.  Most
importantly, we are no longer going to maintain downstream patches for
LibreSSL support -- it will rely on either package upstreams merging
such patches themselves, or LibreSSL upstream finally working towards
better OpenSSL compatibility.

On 2021-02-01, we will mask the relevant USE flags and packages.  If you
wish to continue using LibreSSL, you will be able to undo these masks
for the time being.  However, as packages drop patching for LibreSSL
and the library is eventually removed from ::gentoo, it will become
necessary to use the user-maintained LibreSSL overlay [1].  As long-term
support for LibreSSL is not guaranteed, we recommend switching
to OpenSSL instead.  More information on removal can be found
in the relevant bug [2].

To switch before the aforementioned date, remove 'libressl' from your
USE flags and CURL_SSL targets.  Afterwards, it is recommended to
prefetch all the necessary distfiles before proceeding with the system
upgrade, in case wget(1) becomes broken in the process:

    emerge --fetchonly dev-libs/openssl net-misc/wget
    emerge --fetchonly --changed-use @world

A --changed-use @world upgrade should automatically cause LibreSSL
to be replaced by OpenSSL, and all affected packages to be rebuilt:

    emerge --changed-use @world
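The migration steps above as an added helper script (not part of the news item or of Gentoo's tooling). It assumes the default make.conf path and package database location, handles only single-line USE=/CURL_SSL= assignments, and the sample configuration lines in the comments are constructed for illustration:

```sh
#!/bin/sh
# Added example, not part of the news item: helpers for the LibreSSL to
# OpenSSL migration.  Paths are the standard Gentoo defaults; sample
# make.conf lines in the comments are constructed.

# True when dev-libs/libressl is recorded in the package database
# (/var/db/pkg by default), i.e. the system is affected by the mask.
libressl_installed() {
    set -- "${1:-/var/db/pkg}"/dev-libs/libressl-*
    [ -d "$1" ]
}

# Drop the 'libressl' token from USE= and CURL_SSL= assignments in the
# make.conf text read on stdin; every other line passes through as-is.
# Only single-line assignments are handled.  Flags such as 'libressl-foo'
# are left alone because the token must stand on its own.  A CURL_SSL
# line left empty is deleted so the profile default applies again
# (an empty CURL_SSL would make curl's REQUIRED_USE fail).
#   USE="bindist libressl -gnome"  ->  USE="bindist -gnome"
#   CURL_SSL="libressl"            ->  (line removed)
strip_libressl() {
    sed -E \
        -e '/^(USE|CURL_SSL)=/ s/(^|[[:space:]"])libressl([[:space:]"]|$)/\1\2/g' \
        -e '/^(USE|CURL_SSL)=/ s/[[:space:]]+"/"/' \
        -e '/^(USE|CURL_SSL)=/ s/"[[:space:]]+/"/' \
        -e '/^(USE|CURL_SSL)=/ s/[[:space:]]{2,}/ /g' \
        -e '/^CURL_SSL=""[[:space:]]*$/ d'
}

# Rewrite make.conf in place (keeping a backup) and run the prefetch and
# upgrade commands from the news item, in that order.
migrate_to_openssl() {
    conf="${1:-/etc/portage/make.conf}"
    cp -p "$conf" "$conf.pre-libressl-removal"
    strip_libressl < "$conf.pre-libressl-removal" > "$conf"
    # Prefetch first so a broken wget cannot stall the rebuild midway.
    emerge --fetchonly dev-libs/openssl net-misc/wget
    emerge --fetchonly --changed-use @world
    emerge --changed-use @world
}

# Only perform the migration when explicitly asked to.
case "${1:-}" in
    --run) migrate_to_openssl "$2" ;;
esac
```

Run it as `sh migrate.sh --run` on the affected system; without `--run` it only defines the functions, so `strip_libressl < /etc/portage/make.conf` can be used to preview the rewritten configuration first.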


LibreSSL was forked off OpenSSL in 2014 to address a number of
problems with the original package.  However, since then OpenSSL
development gained speed and the original reasons for the fork no longer
apply.  Furthermore, LibreSSL started to repeatedly fall behind
and cause growing compatibility problems.  While initially these
problems were related to packages using old/insecure OpenSSL APIs, today
they are mostly related to LibreSSL missing newer OpenSSL APIs
(yet declaring false compatibility with newer OpenSSL versions).

With the little testing it gets, our developers and users had to put
significant effort into fixing upstream packages.  In some cases
(e.g. Qt), the upstream has explicitly refused to support LibreSSL,
requiring us to maintain the patches forever.  This in turn means that
security fixes, regular version bumps or end-user system upgrades are
often delayed because of necessary LibreSSL patching.  What is even
worse, major runtime issues managed to sneak in that broke production
systems running LibreSSL in the past.

To the best of our knowledge, the only benefit LibreSSL has over OpenSSL
right now is the additional libtls library.  For this reason, we have
packaged dev-libs/libretls which is a port of this library that links
to OpenSSL.

All these issues considered, we came to the conclusion that OpenSSL
should remain the only supported production option for Gentoo systems.
While the flexibility of Gentoo should make it possible to keep using
LibreSSL going forward, the effort necessary to provide first-class
official support for LibreSSL has proven to outweigh the benefit.

[1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md
[2] https://bugs.gentoo.org/762847
---


-- 
Best regards,
Michał Górny