The fundamental problem with this Matthew - is that next time, if we do
this, by the next release we will be chasing what features we have
imported from 1.0.2g and 10.2.z, and 1.0.2.qq - where does it end?
We will be continuing to add functionality in here from many sources,
and so assuming we could just keep this as the 1.0.1g version number is
completely wrong.

If we do that we will be perpetually updating this to be "close to"
whatever happens to be the orthogonal openssl feature set, we're
screwed. We'll be doing this forever, and be in a situation where it's
as bad as what it is with ACPI, where the only safe thing to report as
is "Windows" so we don't get screwed by the software trying to do
incompatible junk.

Now the mistake we made this go around is to not provide a way for
identifying that it is libressl. That has been corrected.

On Fri, Jul 11, 2014 at 4:56 PM, Matthew Dempsky <matt...@dempsky.org> wrote:
> On Fri, Jul 11, 2014 at 3:41 PM, Bob Beck <b...@obtuse.com> wrote:
>> The OPENSSL_VERSION number is a guarantee for a certain version of the
>> ABI. As we don't provide that (in fact much
>> of the ABI in LibreSSL is "beyond" 1.0.1g), it is not accurate to use
>> the old OPENSSL_VERSION. Essentially this OPENSSL_VERSION
>> is "bigger than 1.0.1g"'s.
>
> By that argument, we won't be ABI compatible with OpenSSL 2.0 either,
> so we shouldn't provide OPENSSL_VERSION at all.
>
> My 2c is for keeping OPENSSL_VERSION_NUMBER as the most recent OpenSSL
> version that we're *mostly* API/feature compatible with, and using
> LIBRESSL_VERSION_NUMBER to identify the exact LibreSSL version.  By
> polluting the OPENSSL_VERSION_NUMBER namespace we just make things
> more difficult for downstream users that want to be compatible with
> both OpenSSL and LibreSSL.
>
> E.g., to check for a feature that was added in OpenSSL 1.2 but isn't
> present in LibreSSL, that code now needs to be
>
> #if OPENSSL_VERSION_NUMBER >= 1.2 && !defined(LIBRESSL_VERSION_NUMBER)
>
> rather than simply
>
> #if OPENSSL_VERSION_NUMBER >= 1.2
>
> Breaking the latter just seems like making it more difficult to get
> people to port their software from OpenSSL to LibreSSL.
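
The two checks contrasted in the quoted message, as an added example that is not part of the thread or of either project's code. It decodes the 1.0.x `OPENSSL_VERSION_NUMBER` layout and evaluates both checks at run time; the function names, the 1.0.2 feature threshold and the `0x20000000` LibreSSL row are assumptions made for illustration.

```c
#include <stdio.h>

/* OpenSSL 1.0.x packs its version as 0xMNNFFPPS:
 * major, minor, fix, patch letter (a=1, g=7), status (0xf = release). */
struct ossl_version { unsigned major, minor, fix, patch, status; };

struct ossl_version decode_version(unsigned long v)
{
    struct ossl_version d;
    d.major  = (unsigned)((v >> 28) & 0xf);
    d.minor  = (unsigned)((v >> 20) & 0xff);
    d.fix    = (unsigned)((v >> 12) & 0xff);
    d.patch  = (unsigned)((v >> 4) & 0xff);
    d.status = (unsigned)(v & 0xf);
    return d;
}

/* Run-time form of: #if OPENSSL_VERSION_NUMBER >= introduced */
int naive_has_feature(unsigned long reported, unsigned long introduced)
{
    return reported >= introduced;
}

/* Run-time form of: #if OPENSSL_VERSION_NUMBER >= introduced &&
 *                       !defined(LIBRESSL_VERSION_NUMBER) */
int guarded_has_feature(unsigned long reported, int is_libressl,
                        unsigned long introduced)
{
    return reported >= introduced && !is_libressl;
}

int main(void)
{
    /* Constructed inputs. 0x20000000 stands in for a LibreSSL build that
     * reports a number "bigger than 1.0.1g" (assumed value). */
    struct { const char *name; unsigned long ver; int libressl; } lib[] = {
        { "OpenSSL 1.0.1g", 0x1000107fUL, 0 },
        { "OpenSSL 1.0.2",  0x1000200fUL, 0 },
        { "LibreSSL",       0x20000000UL, 1 },
    };
    const unsigned long introduced = 0x1000200fUL; /* feature new in 1.0.2 */
    for (size_t i = 0; i < sizeof lib / sizeof lib[0]; i++) {
        struct ossl_version d = decode_version(lib[i].ver);
        printf("%-15s %u.%u.%u patch=%u naive=%d guarded=%d\n", lib[i].name,
               d.major, d.minor, d.fix, d.patch,
               naive_has_feature(lib[i].ver, introduced),
               guarded_has_feature(lib[i].ver, lib[i].libressl, introduced));
    }
    return 0;
}
```

The LibreSSL row is where the two checks disagree: the version comparison alone reports the feature as present, and only the extra LibreSSL test turns it off.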
