On 04/09/2018 09:18 PM, Richard Melville wrote:
On 9 April 2018 at 17:31, Tim Tassonis <st...@decentral.ch> wrote:

    On 04/09/2018 09:47 AM, Richard Melville wrote:

        On 7 April 2018 at 23:48, Tim Tassonis <st...@decentral.ch> wrote:

             On 04/08/2018 12:42 AM, Bruce Dubbs wrote:

                 It's disturbing that openssh still requires a 60K patch to build
                 with openssl-1.1.0.  openssl-1.1.0 has been in release since
                 August 2016.


             I guess that's probably because they just concentrate on their own
             libressl.


        Which is why I suggested, a long time ago, that we replace
        openssl with libressl.  I use it and have had no issues.



    Tricky situation, I think. On one hand, it's a very good thing of
    lfs/blfs to usually quickly follow upstream on new versions.

    In the openssl case, they went for an api change with 1.1, and quite
    a few dependent packages did not (yet) follow, as dropping 1.0
    support would break compatibility with libressl, as libressl does
    not seem to prioritize 1.1 support. I just looked at libressl's
    release notes for their latest 2.7.2 release:

      * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
        observations of real-world usage in applications. These are
        implemented in parallel with existing OpenSSL 1.0.1 APIs -
        visibility changes have not been made to existing structs, allowing
        code written for older OpenSSL APIs to continue working.


    This translates to me that full openssl 1.1 compatibility is not
    high on libressl's priority list, and so it looks like the
    situation with openssh will also not change in the near future.


Well, I disagree.  Joel Sing has made it clear that he wants libressl to be a drop-in replacement for openssl.  He has also stated publicly that he thinks opaque data structures (the basis of the openssl 1.1 API change) are a good thing.  It's openssl that has broken compatibility between the 1.0 and the 1.1 APIs, and thus created issues with openssh, not libressl.  It is, therefore, unrealistic to expect libressl to conform to the 1.1 API overnight.  Clearly, it is going to take some considerable time.

Well, as I read you, you actually fully agree...

I am not expert enough to judge the quality differences between openssl and libressl, nor am I well informed enough to judge the necessity of the API break between openssl 1.0 and 1.1. I was just trying to describe the current situation as neutrally as possible.

Bye
Tim
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page