On 9 April 2018 at 21:59, Tim Tassonis <st...@decentral.ch> wrote:

> On 04/09/2018 09:18 PM, Richard Melville wrote:
>
>> On 9 April 2018 at 17:31, Tim Tassonis <st...@decentral.ch> wrote:
>>
>>     On 04/09/2018 09:47 AM, Richard Melville wrote:
>>
>>         On 7 April 2018 at 23:48, Tim Tassonis <st...@decentral.ch> wrote:
>>
>>              On 04/08/2018 12:42 AM, Bruce Dubbs wrote:
>>
>>                  It's disturbing that openssh still requires a 60K patch to build
>>                  with openssl-1.1.0.  openssl-1.1.0 has been in release since
>>                  August 2916.
>>
>>
>>              I guess that's probably because they just concentrate on their own
>>              libressl.
>>
>>
>>         Which is why I suggested, a long time ago, that we replace
>>         openssl with libressl.  I use it and have had no issues.
>>
>>
>>
>>     Tricky situation, I think. On one hand, it's a very good thing of
>>     lfs/blfs to usually quickly follow upstream on new versions.
>>
>>     In the openssl case, they went for an api change with 1.1, and quite
>>     a few dependent packages did not (yet) follow, as dropping 1.0
>>     support would break compatibility with libressl, as libressl does
>>     not seem to prioritize 1.1 support. I just looked at libressl's
>>     release notes for their latest 2.7.2 release:
>>
>>       * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
>>         observations of real-world usage in applications. These are
>>         implemented in parallel with existing OpenSSL 1.0.1 APIs -
>>         visibility changes have not been made to existing structs,
>>         allowing code written for older OpenSSL APIs to continue working.
>>
>>
>>     This translates to me that full openssl 1.1 compatibility is not
>>     high on libressl's priority list, and so it looks like the
>>     situation with openssh will also not change in the near future.
>>
>>
>> Well, I disagree.  Joel Sing has made it clear that he wants libressl to
>> be a drop-in replacement for openssl.  He has also stated publicly that he
>> thinks opaque data structures (the basis of the openssl 1.1 API change) are
>> a good thing.  It's openssl that has broken compatibility between the 1.0
>> and the 1.1 APIs, and thus created issues with openssh, not libressl.  It
>> is, therefore, unrealistic to expect libressl to conform to the 1.1 API
>> over night.  Clearly, it is going to take some considerable time.
>>
>
> Well, as I read you, you actually fully agree...
>
> I am not expert enough to judge on the quality differences between openssl
> and libressl, nor am I well informed enough to judge about the necessity of
> the api break between openssl 1.0 and 1.1. I was just trying to describe
> the current situation as neutrally as possible.
>

Tim, I don't think that our disagreement was over the time scale, but
rather the inclination of the libressl developers.

Richard
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
