On Wed, Dec 23, 2015 at 9:16 PM, Gilles Chehade <gil...@poolp.org> wrote:

>
> What I'm wondering is if there's any reason that would prevent RHEL, for
> example, to package LibreSSL in the same way that libasr was packaged so
> that OpenSMTPD could specifically depend on it.
>
> The system would keep its default SSL library.
>

Well, it's only my opinion, so I may miss some points here. Briefly, why
libressl doesn't come here:

1) The first problem is that, unlike the third-party "libasr" library, these
chaps "libressl" and "openssl" are way too close, and it creates
temptations and mistakes. Due to human nature, new options provide more
opportunities to slip up. Being provided with two similar options, some
developers won't be considering the open-(libre-)ssl corner cases you've
mentioned, for example; some will mix these two solutions up, etc. All
users, in general, hate the idea that due to these changes something can be
randomly broken.

It can be solved, but I don't know anybody from the Fedora community who'd
be willing to:

  - reconcile issues on similar soname provides, naming, versioning, etc.
with the Fedora and Red Hat technical board in order to avoid all possible
intersections with this critical system component;
  - support "libressl" globally, similar to the "openssl" case, fixing security
CVEs and always staying in touch (being such a package maintainer is not a
one-time task);
  - consult RH/Fedora developers, promptly fixing their libressl-specific
issues - and all this responsibility on a voluntary basis.

2) From the enterprise point of view, there is no sense in supporting it as an
openssl replacement now.
It's not FIPS-certified, so they cannot use it in enterprise solutions where
openssl is currently in charge. For simplicity, it's better not to have an unusable
alternative (in the context of this situation, of course). They won't sponsor
its maintenance, so it's up to the community. Surely this can change if
business sees a use case for this specific library's clone, but there is none
so far.

The arguments for switching to libressl are quite logical, but I don't see a
straightforward way to do it in RHEL and Fedora considering all of the above.

By the way, how about GnuTLS support?

-- 
wbr, Denis.