Hello dear Gentoo Devs, this is somewhat written out of frustration so please bear with me ;)
CCing crypto@ in case they can provide some valuable input to the topic. If not, sorry guys for wasting your time. As you might have noticed, although being published back in August 2016, we still have openssl-1.1 in package.mask due to the numerous build issues we still have with various packages[1] that uses openssl. "Why is that so?" do I hear you asking. "Debian already switched over to openssl-1.1 for months already". Well... the did not entirely switch yet. There are still packages that are being compiled/linked against openssl-1.0 in Debian because their respective upstreams refuse to collaborate. The most prominent example is openssh[2] which also is the reason that this topic gives me so much frustration. They simply refuse to add compatibility code for openssl-1.1 because openssl upstream did such a silly move with making lots of interfaces opaque and make openssl-1.1 mostly incompatible with code written against older openssl versions. This and the fact that you can build openssl-1.1 with three different API versions (0.9.8, 1.0.0 and 1.1.0) makes it exceptionally hard for openssl consumers to migrate their code to openssl-1.1. openssh upstream even raised the idea to simply focus crypto support in their software on libressl which I personally think is a really bad move. But coming from the same people (openssh and libressl are both developed by OpenBSD people), it's no big surprise this idea came up at some point. So, basically openssl is the last big showstopper for openssl-1.1 to get out of p.mask. There are some inofficial patches floating around in the WWW but each one of them has some issues and they all are not really small in size. Last time I checked, the most complete (but still to some degree broken) patch had 2800+ LOC and was 80K in size. This is definitely nothing I want to maintain as downstream, left aside the fact that openssh should not be messed with lightly regarding security implications. My biggest concern right now is that openssh might still block openssl-1.1.1 once that got released. openssl-1.1.1 provides TLSv1.3 which is something we should provide to our users as soon as possible and is also targeted as next LTS release. [1] https://bugs.gentoo.org/592438 [2] https://bugs.gentoo.org/592578 -- Lars Wendler Gentoo package maintainer GPG: 21CC CF02 4586 0A07 ED93 9F68 498F E765 960E 9B39
pgpfxryrsqsgo.pgp
Description: Digitale Signatur von OpenPGP
