On Dec 24, 2015 3:45 PM, "Gilles Chehade" <[email protected]> wrote:

> On Thu, Dec 24, 2015 at 04:34:34AM +0600, Denis Fateyev wrote:
> > On Wed, Dec 23, 2015 at 9:16 PM, Gilles Chehade <[email protected]> wrote:
> > >
> > > What I'm wondering is if there's any reason that would prevent RHEL, for
> > > example, to package LibreSSL in the same way that libasr was packaged so
> > > that OpenSMTPD could specifically depend on it.
> > >
> > > The system would keep its default SSL library.
> > >
> >
> > Well, it's only my opinion so I may miss some points here. Briefly, why
> > libressl doesn't come here:
> >
> > 1) The first problem is that unlike the third-party "libasr" library these
> > chaps "libressl" and "openssl" are way too close, and it creates
> > temptations and mistakes. Due to human nature, new options provide more
> > possibility to slip up. Being provided with two similar options, some
> > developers won't be considering the open-(libre-)ssl corner cases you've
> > mentioned for example, some will mix these two solutions up, etc. All
> > users, in general, hate the idea that due to these changes something can be
> > randomly broken.
> >
>
> This loses me, or I'm missing a key point:
>
> To me, the fact that two libraries are close is not really a technical issue
> that can't be overcome. Two different versions of OpenSSL could be installed
> in different places, and this holds true for LibreSSL, no?
I'm pretty sure it can be solved as pointed out below; the question is only the amount of effort and time. To put it openly and clearly: the bigger the distribution is, the more details have to be clarified and resolved so as not to cross others' interests. No offense meant, but if I were speaking about Archlinux or Slackware, I wouldn't even consider this an issue. When I realize how many committees I (or anybody else) would need to pass through just to introduce libressl in parallel to openssl, it drives me nuts. As an analogy, I remember a mailing list thread in Debian where people were discussing packaging LibreSSL for Debian. They produced tens of messages but came to nothing at that point.

> > It can be solved, but I don't know anybody from the Fedora community who'd
> > be willing to:
> >
> > - reconcile issues on similar soname provides, naming, versioning etc.
> >   with the Fedora and RedHat technical board in order to avoid all possible
> >   intersections with this critical system component;
> > - support "libressl" globally, similar to the "openssl" case, fixing security
> >   CVEs and always staying in touch (being such a package maintainer is not a
> >   one-time task);
> > - consult RH/Fedora developers, promptly fixing their libressl-specific
> >   issues - and all this responsibility on a voluntary basis.
> >
>
> I can understand this but then it's a distribution-specific issue and it isn't
> limited by a technical problem. This can be taken into account when making the
> move so that the package maintainer can sort things out, but I don't think that
> it should be a justification to prevent the move and limit our progress.

Well, you asked what distribution packagers thought, and I presented it from the point of view of a specific distribution. There are always some issues, not only purely technical ones.

> > 2) From the enterprise point of view, there is no sense in supporting it as an
> > openssl replacement now.
> > It's not FIPS-certified so they cannot use it in enterprise solutions where
> > openssl is currently in charge. For simplicity, better not to have an unusable
> > alternative (in the context of this situation, of course). They won't sponsor
> > its maintenance so it's up to the community. Surely this can change if
> > business sees a use case for this specific library's clone, but there is
> > none so far.
> >
>
> Unlike the above, this is irrelevant to me; I don't think any open source
> project should be driven by what makes sense to a particular company.
>
> We were sponsored full-time for over a year by my employer, and then the
> direction we were taking no longer made sense for them.
>
> We could have adapted our direction to keep the sponsoring, but it would
> have been a bad thing for the project, so we parted ways (on sponsorship).

I just described it all in detail, as clearly as possible, to point out that there would be no sponsorship from enterprise in this case.

> There's no straight way, so how do we plan for a curvy way? :-)

Well, if you feel that openssl slows the development progress down, but we have no idea when libressl will be available there, what can I say? I would just propose to keep openssl support as long as possible. I'll re-open the libressl packaging discussion in Fedora right after Christmas, and in case of a positive decision I or anybody else would support libressl pro bono. There is no schedule here.

---
wbr, Denis.
