Andreas K. Huettel wrote:
> > I agree completely that it's unreasonable for Gentoo (worse, 1 person!)
> > to continuously patch the entire world for libressl.
> >
> > I'm asking to stop doing that, yet still enable the choice between
> > openssl and libressl where that is possible without patches, even
> > if that's only openntpd and one other package.
>
> a) The two cannot be installed concurrently. To fix that would require even
> more hacks.

As we've discussed in another part of the thread, that's not really true.
Both can for sure be installed, just not in the same place and/or with
same names.

> -> all relevant ssl consumers on the user's system must be linked against
> the one selected

Also not the case. Considering the two installed in different paths with
same names it's still easy for consumers to use one or the other with
-rpath at link time.

I do agree that the two are not always 1:1 replacements for each other.
If they are API incompatible somewhere then for sure not.

I think many mails in this thread suffer from some tunnel vision,
expecting that a libressl ebuild in the tree must continue to work
exactly like the openssl ebuild - I'm saying to stop that but do keep
a libressl ebuild.

> b) The libraries are not guaranteed to be binary compatible, so switching
> implementation requires rebuilding consumers.

We can only consider ABI compatibility if we have API compatibility,
which might not even be a given.

> c) If a single package that the user wants to install is not "fixed" for
> one ssl library, it blocks that option for all packages.

Please think of a libressl ebuild in a new way.

> I guess if you can come up with a solution that
> * provides secure usage of the libraries,
> * provides choice to the user, and
> * doesn't lead to unupgradeable systems or unresolvable dependencies
> we'd all be happier. So far we haven't found one.

Right! I think letting a libressl ebuild install only libtls could be
a good start, because it provides a stable situation, without risking
conflicts. Would you agree?

Thanks

//Peter