David Seifert wrote: > > Maybe because it is so well-known that monoculture is harmful per se, > > which is why the commitment to choice in Gentoo is very valuable. > > > > Further, LibreSSL comes out of the OpenBSD project, which has a good > > reputation on code quality. > > Like strong-arming 99% of the users of OpenSSH because they were > unwilling to port to the OpenSSL 1.1 API, fully well knowing that most > of the OpenSSH consuming world doesn't actually use libressl? How is > explicitly tying OpenSSH to libressl not a form of monoculture?
Now we're properly off-topic :) but considering that OpenSSH is developed for OpenBSD and that openssh-portable is merely provided as a service to other systems it's easy to understand why OpenSSH (remember, part of OpenBSD) uses the libressl API for crypto, and why the -portable team is not so keen on maintaining patches for other crypto providers. Another example is systemd binding tightly to Linux. In both cases it's understandable, but also quite unfortunate; better portability would be better. > Case in point: Have you tried using the official libjpeg package instead > of libjpeg-turbo? Go ahead, give it a try. I'll take a look. I chose libjpeg-turbo for a project because it cross-compiled better. > "Monoculture"s are mostly a coincidence, not some sinister conspiracy. I don't claim conspiracy, I just say that it's healthy to avoid them. > Implementation-diversity-but-API-compatibility is mostly a > pipe dream, as libav, imagemagick, libjpeg have shown. I've been fortunate to have a different experience with other codebases. It's completely possible, but takes (extra!) effort, meaning you have to really want it. If there is some rivalry then it's also quite easy to sabotage your colleagues. //Peter
