On 9 April 2018 at 20:49, Bruce Dubbs <bruce.du...@gmail.com> wrote:

> On 04/09/2018 02:18 PM, Richard Melville wrote:
>
>> Well, I disagree. Joel Sing has made it clear that he wants libressl to be a drop-in replacement for openssl. He has also stated publicly that he thinks opaque data structures (the basis of the openssl 1.1 API change) are a good thing. It's openssl that has broken compatibility between the 1.0 and the 1.1 APIs, and thus created issues with openssh, not libressl. It is, therefore, unrealistic to expect libressl to conform to the 1.1 API overnight. Clearly, it is going to take some considerable time.
>
> It has been two years. How much time do you think is reasonable?
>
>> As a corollary of the need for the original fork, we have seen how many further openssl security breaches were discovered post fork, none of which affected libressl.
>
> I wonder why there has been no mass exodus to libressl. It has been around from 2014. Do you have any ideas about that?
>
> I did read https://en.wikipedia.org/wiki/LibreSSL
> It does read like it was written by libressl or bsd developers.

Bruce, I'm neither a libressl nor a bsd developer, but merely a bystander watching from the sidelines. My interest is that I have chosen to use libressl over openssl because I believe that it is a superior product, and I have had no issues with it.

So, in answer to your question about what is a reasonable time for 1.1 API compliance, I don't know, but from the evidence that I have seen I am confident that the will is there. Of course, that's my personal view.

Regarding "no mass exodus to libressl", I don't think that a "mass exodus", or the lack of it, determines what is good software and what isn't. Clearly, openssl has the impetus (and the inertia) by having been around for years. A similar example is the apache web server. It's been around for years and, in my opinion, has become a bloated monster. There are a host of other web servers, which, in my opinion, are mostly a lot better; nginx perhaps being the best known, but also a number of fast web servers written in erlang. Despite this, apache still has a huge following. People are loath to move from a product with which they are familiar.

Wikipedia pages have to be written by someone, and I'm sure that most of them contain bias.

Richard