Date: Thu, 15 Feb 2018 13:39:14 +0300
From: Consus
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation
Message-ID: <20180215103913.GB30146@terrence>

On 11:23 Thu 08 Feb, William Pitcock wrote:
> Hello,
>
> To start off, I would like to say that when we first switched to
> libressl, it was largely as a reaction to what we perceived as bad
> maintenance being done in openssl. At the time, it was a perfectly
> reasonable and valid reaction.
>
> There were other reasons to care, too: the libressl guys were working
> to relicense as much of libressl as possible under ISC license.
>
> But openssl 1.1 has a different situation: Akamai and the Core
> Infrastructure Initiative have come together to sponsor development
> and maintenance of openssl since we switched, which means that there's
> higher quality maintenance occurring now. They are also working on a
> relicensing process, much like the libressl guys are doing, which has
> a larger scope[1]. Meanwhile, the libressl guys have been removing
> functionality we depend on, such as support for hardware accelerators
> (ENGINE apis), switching from 64-bit TAIN date calculations to time_t
> (because time_t is good enough on OpenBSD) and dropping openssl 1.0.1
> APIs they see as unsuitable.
>
> libressl promised to retain compatibility with 1.0.1g APIs, but has
> failed to do so. As such, there is an increasing workload to keep
> packages compatible with libressl as it evolves. Therefore, it is
> obviously not truly a suitable provider for the openssl package, and
> we should switch back to proper openssl as the default. We will
> however retain libressl for packages which require it (for example,
> ones using the new libtls APIs).
>
> If there is no objection to this proposed change, I intend to do the
> swap next week.

Seems like LibreSSL team is starting to support OpenSSL 1.1 API:

commit 3a94b192e7c26a9092dae24d992de50398beaa1a
Author: jsing
Date: Wed Feb 14 16:32:06 2018 +0000

    Start providing parts of the OpenSSL 1.1 API.

    This will ease the burden on ports and others trying to make software
    work with LibreSSL, while avoiding #ifdef mazes. Note that we are not
    removing 1.0.1 API or making things opaque, hence software written to
    use the older APIs will continue to work, as will software written to
    use the 1.1 API (as more functionality becomes available).

    Discussed at length with deraadt@ and others.