On 10 Jul 2017 04:33, "Irvin Choi" <simdol8...@gmail.com> wrote:

Dear Exherbo Devs,


Dear Fellow Exherbo Dev,

I would like to propose replacing OpenSSL on Exherbo stages with LibreSSL.
Arguably, LibreSSL's code is saner than OpenSSL's, and it has had fewer
security vulnerabilities than OpenSSL (https://en.wikipedia.org/wiki/LibreSSL).


Yes, imho there is not much to argue about there. OpenSSL is shit and the shit's on
fire.

This will probably cause more build errors, and require a bit more patching
of the current packages we have at the moment.


That, however, is a strong argument against your proposal. Keeping the
stage sane & stable is the priority imho.

However, as more users are likely to use LibreSSL than OpenSSL should the
switch occur, these are likely to be resolved sooner than they are now.
Perspective-wise, some Exherbo devs and I have been using LibreSSL as the default
SSL provider, and it has been mostly working fine, while some packages
needed patches to fix build issues here and there. For the record, Void Linux
has been using LibreSSL as its default SSL provider, and we will
likely be able to use the patches they use for build errors.


Frankly, there is no fundamental difference between a package set and the
stage tarball other than the fact that it has to be as stable and as
predictable as possible.

That said, I think it makes a bit more sense to make sure we fix everything
before we switch.

That also said, this is not a statement against including patches from
other initiatives. I, for one, have found voidlinux, openwrt and other
similar projects quite useful for musl, libressl and such relatively big
ideas for a brighter future.

Personally, I do not see much reason to keep using OpenSSL other than the
fact that the code has been around for a longer period of time, and is therefore
possibly more reliable. However, I generally do not like OpenSSL, especially after
the infamous Heartbleed and POODLE vulnerabilities. Right now, uninstalling
OpenSSL and installing LibreSSL on a new Exherbo install is quite painful:
one must compile wget with GnuTLS (or manually prefetch all the
packages that need recompiling), uninstall OpenSSL, install LibreSSL with
lazy options passed to paludis, and run cave fix-linkage. It is my utmost
desire not to need to do that on new Exherbo installs, especially if
there is not much value in keeping OpenSSL around.

I would like to hear what you guys think considering this matter.


Pushing things into the stage tarball is not a way to accelerate the
necessary work for big changes, imho. You may try building an alternative
stage, which I'm sure will uncover most of what's necessary to fix and/or
convince someone to help you with that. I am interested in helping, but life
would not allow me to do it all on my own.

Finally,
Exherbo has a reputation for being stable and quite rightly so.

That's all I care about till I'm done with the installation; security comes
after.

Thanks!


Thank you!


_______________________________________________
Exherbo-dev mailing list
Exherbo-dev@lists.exherbo.org
http://lists.exherbo.org/mailman/listinfo/exherbo-dev