[Pkg-openssl-devel] Bug#754513: RFP: libressl -- SSL library, forked from OpenSSL
Michael Stone
mstone at debian.org
Tue Oct 17 02:21:10 UTC 2017
On Tue, Oct 17, 2017 at 12:05:30AM +0200, Guus Sliepen wrote:
>despite fears of OpenBSD only caring about themselves, I have found that
>it is easier to compile LibreSSL for various platforms (even non-POSIX
>ones) than OpenSSL. And that APIs might be broken more easily by LibreSSL
>is ridiculous, as it is OpenSSL itself that has changed its API in a
>non-backwards compatible way that is now causing this discussion.
It is not ridiculous to point out that LibreSSL is released every six
months and supported for one year after release, while OpenSSL is
supported for at least 2 years, and 5 years for LTS releases. It's not
unrealistic to think that a Debian stable could release with a LibreSSL
that's already unsupported upstream. It is also not ridiculous to point
out that a number of distributions have an interest in long term
maintenance of released versions of OpenSSL, while there is no such
community around LibreSSL.
You are correct, though, that the OpenSSL and LibreSSL code bases will
continue to diverge, from both directions. I think that's the biggest
impediment to creating an OpenSSL 1.0 compatibility layer for
OpenSSH--over time, neither OpenSSL nor LibreSSL have any interest in
confining themselves to that API, and it's clear that OpenSSH will track
LibreSSL's API rather than the old OpenSSL API in the long term.
As I continue to think about it, it may actually end up being better to
embed a constrained subset of LibreSSL in OpenSSH than worry about
either maintaining the entire LibreSSL package over a period of years,
or fork.
Mike Stone