On 09/30/2015 01:51 PM, Rich Freeman wrote:
> On Wed, Sep 30, 2015 at 7:29 AM, Kristian Fiskerstrand 
> <k...@gentoo.org> wrote:
>> 
>> The way I see it this is relevant to the discussion at hand.
> 
> Admittedly it is a bit tangential, but it didn't seem worth
> forking the thread over.  Certainly I'm not going to invent my own
> mailing list and post it there, and then post here to advertise it.
> I doubt such a discussion will be all that welcome on the upstream
> mailing list.
> 
>> Or is this just increasing our maintenance, and security 
>> tracking, etc burdens without any strong benefits?
> 
> I don't think that it is necessary to have a cost/benefit analysis
> anytime somebody wants to introduce a new package in the tree.

I certainly wouldn't mind some thought of the matter, although I agree
there should be no formal requirement, but we are, after all, talking
about a very central cryptographic and security library here.

> 
> I think it was fair to pause to see if somebody could come up with
> a better solution that allows co-existence, but absent that I
> don't see any benefit from keeping libressl out of the tree.
> We'll just experience all the downsides of the fork without the
> upsides.

This is what worries me as well, as it increases workload and
complexity affecting multiple projects without any immediate and
obvious gain.

> 
> It might very well cost some of hasufell's time to maintain it,
> but that is time he is freely offering, and it isn't like turning
> him away is going to encourage him to spend more time on other
> Gentoo features. Cost/benefit for a volunteer distro isn't a
> zero-sum game the way it is if you're a manager of a 50-person
> development team.

Fair enough point, the effort is certainly appreciated.

> 
> I'd love to see somebody come out with a better solution for this
> sort of thing, and it probably would need to be bigger than Gentoo
> to be truly effective.  However, until such a solution comes along
> I don't see the benefit of further delay.  That's just my two
> cents.

Immediately I would think we'd need namespace isolation inspired by
NixOS etc for this to work, but that isn't something that would easily
be implemented and quite frankly would look scarily similar to Go's
static linking and issues.

In any case, I agree that we're not likely to come up with a good
solution in the near future, so delaying it even further doesn't
provide any benefit as introducing libressl to the tree seems likely
in any case, as long as there is a dedicated effort in following up on
issues related to it longer term.

-- 
Kristian Fiskerstrand
Public PGP key 0xE3EDFAE3 at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3