To start off, I would like to say that when we first switched to
libressl, it was largely as a reaction to what we perceived as bad
maintenance being done in openssl. At the time, it was a perfectly
reasonable and valid reaction.
There were other reasons to care, too: the libressl guys were working
to relicense as much of libressl as possible under ISC license.
But openssl 1.1 has a different situation: Akamai and the Core
Infrastructure Initiative have come together to sponsor development
and maintenance of openssl since we switched, which means that there's
higher quality maintenance occuring now. They are also working on a
relicensing process, much like the libressl guys are doing, which has
a larger scope. Meanwhile, the libressl guys have been removing
functionality we depend on, such as support for hardware accelerators
(ENGINE apis), switching from 64-bit TAIN date calculations to time_t
(because time_t is good enough on OpenBSD) and dropping openssl 1.0.1
APIs they see as unsuitable.
libressl promised to retain compatibility with 1.0.1g APIs, but has
failed to do so. As such, there is an increasing workload to keep
packages compatible with libressl as it evolves. Therefore, it is
obviously not truly a suitable provider for the openssl package, and
we should switch back to proper openssl as the default. We will
however retain libressl for packages which require it (for example,
ones using the new libtls APIs).
If there is no objection to this proposed change, I intend to do the
swap next week.
Received on Thu Feb 08 2018 - 11:23:26 UTC