Dear Exherbo Devs,

I would like to propose replacing OpenSSL on Exherbo stages with LibreSSL. Arguably, LibreSSL's code is more sane than OpenSSL's, and it has/had fewer security vulnerabilities than OpenSSL (https://en.wikipedia.org/wiki/LibreSSL).

This will probably cause more build errors and require a bit more patching of the packages we currently have. However, as more users are likely to use LibreSSL than OpenSSL should the switch occur, these are likely to be resolved sooner than they are now.

For perspective, some Exherbo devs and I have been using LibreSSL as our default SSL provider, and it has been mostly working fine, while some packages needed patches to fix build issues here and there. For the record, VoidLinux has been using LibreSSL as their default SSL provider, and we will likely be able to use the patches that they use for build errors.

Personally, I do not see much of a reason to keep using OpenSSL other than the fact that the code has been around for a longer period of time and is therefore possibly more reliable. However, I generally do not like OpenSSL, especially after the infamous Heartbleed and POODLE vulnerabilities.

Right now, uninstalling OpenSSL and installing LibreSSL on a new Exherbo install is quite painful: one must compile wget with GNUTLS (or manually prefetch all the packages that need recompiling), uninstall OpenSSL, install LibreSSL with lazy options passed to paludis, and run cave fix-linkage. It is my utmost desire not to need to do that on new Exherbo installs, especially if there is not much value in keeping OpenSSL around.

I would like to hear what you guys think regarding this matter.

Thanks!
_______________________________________________
Exherbo-dev mailing list
[email protected]
http://lists.exherbo.org/mailman/listinfo/exherbo-dev
