On Tue, 2020-12-29 at 22:41 +0000, Peter Stuge wrote:
> Michał Górny wrote:
> > > I would be happier if some other developers were able and willing to
> > > participate actively in the LibreSSL project.
> >
> > But why would they do that? What I'm really missing in all the replies
> > is a single reason why LibreSSL would be better for anyone.
>
> Maybe because it is so well-known that monoculture is harmful per se,
> which is why the commitment to choice in Gentoo is very valuable.
How is that an argument for LibreSSL? If I create another fork of OpenSSL
and replace LibreSSL with it, your argument still stands.

> Further, LibreSSL comes out of the OpenBSD project, which has a good
> reputation on code quality.

I could buy that if it actually said anything about LibreSSL code quality.
So far you're guessing that it might or might not, especially given it is
forked from apparently 'inferior quality' code.

However, I do have serious doubts about LibreSSL quality given that:

1. Non-OpenBSD systems are not first-class citizens, as you yourself
   pointed out.

2. The library is an intrusive replacement for OpenSSL. In the default
   setup, it is neither co-installable with OpenSSL nor a drop-in
   replacement.

3. The upstream declares OpenSSL version constants pretty randomly,
   without actually matching the OpenSSL API.

4. The upstream has actively tried to force people into using their
   product by tight coupling and forced incompatibility.

5. Apparently nobody is issuing CVEs for LibreSSL, while the
   vulnerabilities clearly do happen.

> > a real proper, verifiable argument 'LibreSSL is better in this
> > regard'.
>
> Choice is about enabling people to decide for themselves.

Choice for the sake of choice is meaningless. I can create 10 OpenSSL
forks right now and tell people to choose between them. However, it is
meaningless unless users are actually provided good and useful information
on what the particular choices represent.

So far nobody has been able to find a strong argument for choosing
LibreSSL. There are strong arguments for using OpenSSL instead. So what
exactly do users gain from this choice? The thrill of adventure? The
ability to discover that they've made a bad choice eventually and revert
to OpenSSL?

Let's say you have food product A. Then a new alternative B appears.
Surely, some people will try it. But if it turns out to be bad, it will
eventually become unprofitable and disappear. Sure, a few people will
complain that B is no longer there because they liked it better. But they
wouldn't pay extra (much extra) to keep it.

OpenSSL/LibreSSL is the same. Maybe LibreSSL had promised a better taste
in the beginning, but today 9 out of 10 consumers say OpenSSL tastes much
better. The only difference is that you don't have to pay for it (but we
do!), so you think that it's free.

-- 
Best regards,
Michał Górny
