Hello, developers and Gentoo LibreSSL team.

TL;DR: is there really a point in continuing the never-ending always-regressing struggle towards supporting LibreSSL in Gentoo?

I would like to discuss the possibility of discontinuing LibreSSL support in Gentoo in favor of sticking with OpenSSL. Similarly to how we ended up deciding that fighting for libav was unpractical and the vast majority of users are using ffmpeg (because they didn't really have a choice), today it seems that LibreSSL is suffering the same fate.

LibreSSL users, does LibreSSL today have any benefit over OpenSSL? To be honest, I don't think so. In 2014, it might have represented a new quality. But today, OpenSSL is alive and kicking, and LibreSSL finds it hard to keep up.

The vast majority of software is not tested against LibreSSL. While patches are usually trivial and we have people that submit them, I find many of them short-sighted. Just look at [1]. Sure, it fixes the build today but it disabled the feature for all foreseeable future. How likely is it that somebody will submit another patch reenabling it with a future LibreSSL version? While normally I strongly prefer submitting such patches upstream, that makes things even worse. I mean, I wouldn't be surprised if there were dozens of packages today that are crippled with LibreSSL just because somebody fixed the build in the past and never revisited the problem.

This somewhat resembles running in circles. Packages kept being broken with LibreSSL because rarely anyone is using it. And rarely anyone is using LibreSSL because the apparent benefit (or lack thereof) does not justify the constant breakage (plus invisible regressions).

All this considered, provided that nobody is able to find a good reason to use LibreSSL, I would like to propose that we stop patching packages, discontinue support for it and last rite it.

[1] https://761981.bugs.gentoo.org/attachment.cgi?id=679892

--
Best regards,
Michał Górny