Precedence: list
MIME-Version: 1.0
References: <5A0114AF.4050208@adelielinux.org> <20171107083614.15b25476@vostro.util.wtbts.net>
In-Reply-To: <20171107083614.15b25476@vostro.util.wtbts.net>
From: Kiyoshi Aman <aphrael@alpinelinux.org>
Date: Tue, 06 Feb 2018 22:29:05 +0000
Message-ID: <CAML-UdtkGdXhbxwYRCv_bTKQRyOrDnodXbOALkAAegta0dzyfg@mail.gmail.com>
Subject: Re: [alpine-devel] TLS library provider for makedepends
To: Timo Teras <timo.teras@iki.fi>
Cc: "A. Wilcox" <awilfox@adelielinux.org>, 
	alpine-dev <alpine-devel@lists.alpinelinux.org>
Content-Type: multipart/alternative; boundary="f403045de7a8738cb3056492b5da"

--f403045de7a8738cb3056492b5da
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

I think it's inappropriate for libressl to be considered a replacement for
openssl. Whether it's secure or not, the project has not kept its API
compatibility promises, therefore making it impossible to compile software
that is necessary for webapps such as taiga. Consequently, I support
returning to openssl as system default, and only keeping libressl around
for software which actually requires it.

On Tue, Nov 7, 2017 at 12:36 AM Timo Teras <timo.teras@iki.fi> wrote:

> On Mon, 6 Nov 2017 20:04:31 -0600
> "A. Wilcox" <awilfox@adelielinux.org> wrote:
>
> > However, Ad=C3=A9lie targets 32-bit x86, 32-bit MIPS, 32-bit PowerPC, a=
nd
> > 32-bit ARM.  Obviously this is therefore a quite significant issue for
> > us.  We do not want to have to soft-fork every package in the Alpine
> > aports repository that depends on OpenSSL or LibreSSL to change the
> > library provider.  I am soliciting ideas on how to move forward.
> >
> > My own idea would be to make a libssl-dev virtual that is satisfied by
> > libressl-dev on Alpine and openssl-dev on Ad=C3=A9lie.  We can use the =
new
> > provides_priority to accomplish this, and then we only have to
> > soft-fork the OpenSSL package.
> >
> > Other ideas (that do not include dropping 32-bit architectures from
> > Ad=C3=A9lie) are welcome.  Let's discuss.
>
> This sounds like good idea to me. We don't need to even wait for
> provides_priority stuff, just use versioned provides since the two
> packages cannot co-exist.
>
> provides=3D"libssl-dev=3D1" or similar for the package in aports that
> should be used, and apk will automatically use it. And update all
> makedepends for the new package name.
>
> As alternative, on Adelie, you could just do in openssl-dev
> provides=3D"libressl-dev=3D99999" and it would be preferred over openssl.
>
> But would be nice to get rid of the package specific name and migrate
> to 'libssl-dev' or 'ssl-dev'.
>
> Other thoughts?
>
> Timo
>
--=20
-- Kiyoshi Aman

--f403045de7a8738cb3056492b5da
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi,<div><br></div><div>I think it&#39;s inappropriate for =
libressl to be considered a replacement for openssl. Whether it&#39;s secur=
e or not, the project has not kept its API compatibility promises, therefor=
e making it impossible to compile software that is necessary for webapps su=
ch as taiga. Consequently, I support returning to openssl as system default=
, and only keeping libressl around for software which actually requires it.=
</div></div><br><div class=3D"gmail_quote"><div dir=3D"ltr">On Tue, Nov 7, =
2017 at 12:36 AM Timo Teras &lt;<a href=3D"mailto:timo.teras@iki.fi">timo.t=
eras@iki.fi</a>&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=
=3D"margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Mon, =
6 Nov 2017 20:04:31 -0600<br>
&quot;A. Wilcox&quot; &lt;<a href=3D"mailto:awilfox@adelielinux.org" target=
=3D"_blank">awilfox@adelielinux.org</a>&gt; wrote:<br>
<br>
&gt; However, Ad=C3=A9lie targets 32-bit x86, 32-bit MIPS, 32-bit PowerPC, =
and<br>
&gt; 32-bit ARM.=C2=A0 Obviously this is therefore a quite significant issu=
e for<br>
&gt; us.=C2=A0 We do not want to have to soft-fork every package in the Alp=
ine<br>
&gt; aports repository that depends on OpenSSL or LibreSSL to change the<br=
>
&gt; library provider.=C2=A0 I am soliciting ideas on how to move forward.<=
br>
&gt;<br>
&gt; My own idea would be to make a libssl-dev virtual that is satisfied by=
<br>
&gt; libressl-dev on Alpine and openssl-dev on Ad=C3=A9lie.=C2=A0 We can us=
e the new<br>
&gt; provides_priority to accomplish this, and then we only have to<br>
&gt; soft-fork the OpenSSL package.<br>
&gt;<br>
&gt; Other ideas (that do not include dropping 32-bit architectures from<br=
>
&gt; Ad=C3=A9lie) are welcome.=C2=A0 Let&#39;s discuss.<br>
<br>
This sounds like good idea to me. We don&#39;t need to even wait for<br>
provides_priority stuff, just use versioned provides since the two<br>
packages cannot co-exist.<br>
<br>
provides=3D&quot;libssl-dev=3D1&quot; or similar for the package in aports =
that<br>
should be used, and apk will automatically use it. And update all<br>
makedepends for the new package name.<br>
<br>
As alternative, on Adelie, you could just do in openssl-dev<br>
provides=3D&quot;libressl-dev=3D99999&quot; and it would be preferred over =
openssl.<br>
<br>
But would be nice to get rid of the package specific name and migrate<br>
to &#39;libssl-dev&#39; or &#39;ssl-dev&#39;.<br>
<br>
Other thoughts?<br>
<br>
Timo<br>
</blockquote></div>-- <br><div dir=3D"ltr" class=3D"gmail_signature" data-s=
martmail=3D"gmail_signature"><div dir=3D"ltr">-- Kiyoshi Aman</div></div>

--f403045de7a8738cb3056492b5da--


---
Unsubscribe:  alpine-devel+unsubscribe@lists.alpinelinux.org
Help:         alpine-devel+help@lists.alpinelinux.org
---