On 9 April 2018 at 21:59, Tim Tassonis <st...@decentral.ch> wrote:
> On 04/09/2018 09:18 PM, Richard Melville wrote:
>> On 9 April 2018 at 17:31, Tim Tassonis <st...@decentral.ch> wrote:
>> On 04/09/2018 09:47 AM, Richard Melville wrote:
>> On 7 April 2018 at 23:48, Tim Tassonis <st...@decentral.ch> wrote:
>> On 04/08/2018 12:42 AM, Bruce Dubbs wrote:
>> It's disturbing that openssh still requires a 60K patch to build
>> with openssl-1.1.0. openssl-1.1.0 has been in release since
>> August 2016.
>> I guess that's probably because they just concentrate on
>> their own
>> Which is why I suggested, a long time ago, that we replace
>> openssl with libressl. I use it and have had no issues.
>> Tricky situation, I think. On one hand, it's a very good thing of
>> lfs/blfs to usually quickly follow upstream on new versions.
>> In the openssl case, they went for an api change with 1.1, and quite
>> a few dependent packages did not (yet) follow, as dropping 1.0
>> support would break compatibility with libressl, as libressl does
>> not seem to prioritize 1.1 support. I just looked at libressl's
>> release notes for their latest 2.7.2 release:
>> * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
>> observations of real-world usage in applications. These are
>> implemented in parallel with existing OpenSSL 1.0.1 APIs -
>> changes have not been made to existing structs, allowing code
>> for older OpenSSL APIs to continue working.
>> This translates to me that full openssl 1.1 compatibility is not
>> high on libressl's priority list, and so it looks like the
>> situation with openssh will also not change in the near future.
>> Well, I disagree. Joel Sing has made it clear that he wants libressl to
>> be a drop-in replacement for openssl. He has also stated publicly that he
>> thinks opaque data structures (the basis of the openssl 1.1 API change) are
>> a good thing. It's openssl that has broken compatibility between the 1.0
>> and the 1.1 APIs, and thus created issues with openssh, not libressl. It
>> is, therefore, unrealistic to expect libressl to conform to the 1.1 API
>> overnight. Clearly, it is going to take some considerable time.
> Well, as I read you, you actually fully agree...
> I am not expert enough to judge on the quality differences between openssl
> and libressl, nor am I well informed enough to judge about the necessity of
> the api break between openssl 1.0 and 1.1. I was just trying to describe
> the current situation as neutrally as possible.
Tim, I don't think that our disagreement was over the time scale, but
rather the inclination of the libressl developers.