Hello dear Gentoo Devs,

this is somewhat written out of frustration so please bear with me ;)

CCing crypto@ in case they can provide some valuable input to the
topic. If not, sorry guys for wasting your time.

As you might have noticed, although being published back in August
2016, we still have openssl-1.1 in package.mask due to the numerous
build issues we still have with various packages[1] that uses openssl.

"Why is that so?" do I hear you asking. "Debian already switched over
to openssl-1.1 for months already".

Well... the did not entirely switch yet. There are still packages that
are being compiled/linked against openssl-1.0 in Debian because their
respective upstreams refuse to collaborate.

The most prominent example is openssh[2] which also is the reason that
this topic gives me so much frustration. They simply refuse to add
compatibility code for openssl-1.1 because openssl upstream did such a
silly move with making lots of interfaces opaque and make openssl-1.1
mostly incompatible with code written against older openssl versions.

This and the fact that you can build openssl-1.1 with three different
API versions (0.9.8, 1.0.0 and 1.1.0) makes it exceptionally hard for
openssl consumers to migrate their code to openssl-1.1.

openssh upstream even raised the idea to simply focus crypto support in
their software on libressl which I personally think is a really bad
move. But coming from the same people (openssh and libressl are both
developed by OpenBSD people), it's no big surprise this idea came up at
some point.

So, basically openssl is the last big showstopper for openssl-1.1 to
get out of p.mask. There are some inofficial patches floating around in
the WWW but each one of them has some issues and they all are not
really small in size.
Last time I checked, the most complete (but still to some degree
broken) patch had 2800+ LOC and was 80K in size. This is definitely
nothing I want to maintain as downstream, left aside the fact that
openssh should not be messed with lightly regarding security
implications.

My biggest concern right now is that openssh might still block
openssl-1.1.1 once that got released. openssl-1.1.1 provides TLSv1.3
which is something we should provide to our users as soon as possible
and is also targeted as next LTS release.



[1] https://bugs.gentoo.org/592438
[2] https://bugs.gentoo.org/592578

-- 
Lars Wendler
Gentoo package maintainer
GPG: 21CC CF02 4586 0A07 ED93  9F68 498F E765 960E 9B39

Attachment: pgpfxryrsqsgo.pgp
Description: Digitale Signatur von OpenPGP

Reply via email to