On 9 April 2018 at 17:31, Tim Tassonis <[email protected]> wrote:

> On 04/09/2018 09:47 AM, Richard Melville wrote:
>
>> On 7 April 2018 at 23:48, Tim Tassonis <[email protected]> wrote:
>>
>>> On 04/08/2018 12:42 AM, Bruce Dubbs wrote:
>>>
>>>> It's disturbing that openssh still requires a 60K patch to build
>>>> with openssl-1.1.0. openssl-1.1.0 has been in release since
>>>> August 2016.
>>>
>>> I guess that's probably because they just concentrate on their own
>>> libressl.
>>
>> Which is why I suggested, a long time ago, that we replace openssl with
>> libressl. I use it and have had no issues.
>
> Tricky situation, I think. On one hand, it's a very good thing of lfs/blfs
> to usually quickly follow upstream on new versions.
>
> In the openssl case, they went for an API change with 1.1, and quite a few
> dependent packages did not (yet) follow, as dropping 1.0 support would
> break compatibility with libressl, as libressl does not seem to prioritize
> 1.1 support. I just looked at libressl's release notes for their latest
> 2.7.2 release:
>
>   * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
>     observations of real-world usage in applications. These are
>     implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
>     changes have not been made to existing structs, allowing code written
>     for older OpenSSL APIs to continue working.
>
> This translates to me that full openssl 1.1 compatibility is not high on
> libressl's priority list, and so it looks like the situation with openssh
> will also not change in the near future.
Well, I disagree. Joel Sing has made it clear that he wants libressl to be a drop-in replacement for openssl. He has also stated publicly that he thinks opaque data structures (the basis of the openssl 1.1 API change) are a good thing. It's openssl that has broken compatibility between the 1.0 and the 1.1 APIs, and thus created issues with openssh, not libressl. It is, therefore, unrealistic to expect libressl to conform to the 1.1 API overnight. Clearly, it is going to take some considerable time. As a corollary of the need for the original fork, we have seen how many further openssl security breaches were discovered post fork, none of which affected libressl.

Richard
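The thread turns on what "opaque data structures" meant for the OpenSSL 1.1 API change and why dependent packages such as openssh ended up carrying compatibility patches. The following is an added example, not code from this list thread, from OpenSSL, LibreSSL or openssh. It uses a constructed stand-in library ("tinymd", a toy FNV-1a checksum, not a real digest) to show the two sides of the change: the library hides its context struct behind an incomplete type and exports accessors, so it can change the layout without breaking callers; and the consumer writes against the new function names with a version-gated shim that maps them onto the legacy name when built against an older release. The `TINYMD_*` names and `TINYMD_VERSION_NUMBER` are all assumptions of this example, modelled on the `OPENSSL_VERSION_NUMBER` convention.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ---- "public header" of the constructed tinymd library ----
 * Only an incomplete type is exported: callers never learn sizeof(*ctx)
 * or any field name, so they cannot write ctx->field and cannot break
 * when the layout changes. This is the 1.1-style opaque design. */
typedef struct tinymd_ctx_st TINYMD_CTX;
TINYMD_CTX *TINYMD_CTX_new(void);
void        TINYMD_CTX_free(TINYMD_CTX *ctx);
int         TINYMD_update(TINYMD_CTX *ctx, const void *data, size_t len);
uint32_t    TINYMD_final(const TINYMD_CTX *ctx);
size_t      TINYMD_CTX_bytes_seen(const TINYMD_CTX *ctx); /* accessor replaces field access */

/* ---- private implementation (lives inside the library) ----
 * Fields may be added, reordered or removed in a later release without
 * recompiling consumers, because the definition is not in the header. */
struct tinymd_ctx_st {
    uint32_t state;      /* running FNV-1a value: toy checksum, not a real digest */
    size_t   bytes_seen; /* a field the old API let callers read directly */
};

TINYMD_CTX *TINYMD_CTX_new(void) {
    TINYMD_CTX *ctx = calloc(1, sizeof *ctx);
    if (ctx) ctx->state = 0x811c9dc5u;   /* FNV-1a 32-bit offset basis */
    return ctx;
}

void TINYMD_CTX_free(TINYMD_CTX *ctx) { free(ctx); }

int TINYMD_update(TINYMD_CTX *ctx, const void *data, size_t len) {
    const unsigned char *p = data;
    if (!ctx || (!data && len)) return 0;
    for (size_t i = 0; i < len; i++) {
        ctx->state ^= p[i];
        ctx->state *= 0x01000193u;       /* FNV 32-bit prime */
    }
    ctx->bytes_seen += len;
    return 1;
}

uint32_t TINYMD_final(const TINYMD_CTX *ctx) { return ctx ? ctx->state : 0; }
size_t   TINYMD_CTX_bytes_seen(const TINYMD_CTX *ctx) { return ctx ? ctx->bytes_seen : 0; }

/* Legacy constructor name kept for callers written against the old API
 * (the way EVP_MD_CTX_create() predates EVP_MD_CTX_new() in OpenSSL). */
TINYMD_CTX *TINYMD_CTX_create(void) { return TINYMD_CTX_new(); }

/* ---- consumer side: the shim pattern dependent packages carry ----
 * Application code is written once against the new names. When built
 * against an older library that only ships the legacy name, the shim
 * supplies the new name as a macro. TINYMD_VERSION_NUMBER is constructed
 * here (assumption) to mirror OPENSSL_VERSION_NUMBER; 0x10100000L means
 * "1.1.0". Build with -DTINYMD_VERSION_NUMBER=0x10000000L to exercise
 * the legacy path. */
#ifndef TINYMD_VERSION_NUMBER
#define TINYMD_VERSION_NUMBER 0x10100000L
#endif
#if TINYMD_VERSION_NUMBER < 0x10100000L
#define TINYMD_CTX_new() TINYMD_CTX_create()
#endif

/* Checksum a buffer using only the public API. Returns 1 on success,
 * 0 on allocation failure; *seen receives the byte count via the accessor. */
int tinymd_digest(const void *data, size_t len, uint32_t *out, size_t *seen) {
    TINYMD_CTX *ctx = TINYMD_CTX_new();
    if (!ctx) return 0;
    if (!TINYMD_update(ctx, data, len)) { TINYMD_CTX_free(ctx); return 0; }
    *out = TINYMD_final(ctx);
    if (seen) *seen = TINYMD_CTX_bytes_seen(ctx); /* not ctx->bytes_seen */
    TINYMD_CTX_free(ctx);
    return 1;
}

/* Convenience wrappers over NUL-terminated strings, used by main() below. */
uint32_t tinymd_hash_str(const char *s) {
    uint32_t h = 0;
    return tinymd_digest(s, strlen(s), &h, NULL) ? h : 0;
}
size_t tinymd_count_str(const char *s) {
    uint32_t h; size_t n = 0;
    return tinymd_digest(s, strlen(s), &h, &n) ? n : 0;
}

int main(void) {
    const char *msg = "constructed sample input";   /* constructed input */
    printf("tinymd(%s) = %08x over %zu bytes\n",
           msg, tinymd_hash_str(msg), tinymd_count_str(msg));
    return 0;
}
```

The point of the shim block is that the consumer, not the library, absorbs the rename: when the library eventually drops the legacy name, only the `#if` branch for old versions becomes dead, and the code written against the new names keeps building. That is the work the openssh patch mentioned in the thread has to do by hand for every renamed constructor and every field that became an accessor.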
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
