On 04/10/2018 10:29 AM, Richard Melville wrote:
On 9 April 2018 at 21:59, Tim Tassonis <st...@decentral.ch> wrote:

    On 04/09/2018 09:18 PM, Richard Melville wrote:

        On 9 April 2018 at 17:31, Tim Tassonis <st...@decentral.ch> wrote:

             On 04/09/2018 09:47 AM, Richard Melville wrote:

                 On 7 April 2018 at 23:48, Tim Tassonis <st...@decentral.ch> wrote:

                      On 04/08/2018 12:42 AM, Bruce Dubbs wrote:

                          It's disturbing that openssh still requires a 60K
                          patch to build with openssl-1.1.0.  openssl-1.1.0
                          has been in release since August 2916.


                      I guess that's probably because they just concentrate
                      on their own libressl.


                 Which is why I suggested, a long time ago, that we replace
                 openssl with libressl.  I use it and have had no issues.



             Tricky situation, I think. On one hand, it's a very good thing
             of lfs/blfs to usually quickly follow upstream on new versions.

             In the openssl case, they went for an api change with 1.1, and
             quite a few dependent packages did not (yet) follow, as dropping
             1.0 support would break compatibility with libressl, as libressl
             does not seem to prioritize 1.1 support. I just looked at
             libressl's release notes for their latest 2.7.2 release:

               * Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
                 observations of real-world usage in applications. These are
                 implemented in parallel with existing OpenSSL 1.0.1 APIs -
                 visibility changes have not been made to existing structs,
                 allowing code written for older OpenSSL APIs to continue
                 working.


             This translates to me that full openssl 1.1 compatibility is
             not high on libressl's priority list, and so it looks like the
             situation with openssh will also not change in the near future.


        Well, I disagree.  Joel Sing has made it clear that he wants
        libressl to be a drop-in replacement for openssl.  He has also
        stated publicly that he thinks opaque data structures (the basis
        of the openssl 1.1 API change) are a good thing.  It's openssl
        that has broken compatibility between the 1.0 and the 1.1 APIs,
        and thus created issues with openssh, not libressl.  It is,
        therefore, unrealistic to expect libressl to conform to the 1.1
        API overnight.  Clearly, it is going to take some considerable
        time.


    Well, as I read you, you actually fully agree...

    I am not expert enough to judge on the quality differences between
    openssl and libressl, nor am I well informed enough to judge about
    the necessity of the api break between openssl 1.0 and 1.1. I was
    just trying to describe the current situation as neutrally as possible.


Tim, I don't think that our disagreement was over the time scale, but rather the inclination of the libressl developers.


Maybe you got me wrong there, as all I was saying was: "full openssl 1.1 compatibility is not high on libressl's priority list". By that, I didn't mean it _should_ be high on their list.

Personally, I also was not overly excited when openssl 1.1 came out with a new api. I have written two programs that use the openssl libraries directly and didn't jump up in joy about the prospect of now having to rewrite my long-working, well-tested code with something new, just to achieve the exact same results. In fact, I haven't re-written them yet....


