[Pkg-openssl-devel] Any intent to maintain quictls ?

Willy Tarreau w at 1wt.eu
Wed Oct 27 11:05:09 BST 2021


Hello,

like many other open-source project maintainers [1], I was particularly
disappointed by the OpenSSL team finally giving up on QUIC support for
the short term, leaving many projects without any reasonable solution
for more years to come [2].

Right now everyone's work seems to be based on either BoringSSL (which
doesn't provide any stable branch because it's not the project's goal)
or quictls [3], which is a maintained fork of OpenSSL and was the subject
of the PR created 2.5 years ago that OpenSSL finally decided to give up
on.

My concern is that the only practical solution for HTTP implementers
now will be to build their SSL library themselves, and very likely to
ship static builds to ease the task for end users, which will be terrible
in terms of security updates. And even if a few users decide to build
quictls by themselves, maintaining such a package is not an easy task
and should not be taken lightly, and we all know how it ends up: updates
are performed at the beginning, and then once everything works, and due
to lack of time, the library is no longer updated.

Given that quictls is provided as a constantly rebased patchset on top
of the regular openssl tree, wouldn't it make sense for distro packagers
to provide both, maybe the regular openssl package and the one
supporting QUIC? The maintenance effort regarding security updates would
essentially be the same since the code base would be the same; it would
"just" require updating the two packages each time some fixes have to
be applied.

I'm well aware that it would add some maintenance burden, but if the
OpenSSL project team decides to ignore users' requests for several years,
it is unfortunately cornering itself out of real-world needs, and I'm
afraid we'll have to deal with another libressl-like episode, or worse,
self-maintenance.

That's why I'm asking for package maintainers' opinions here.

Thanks,
Willy Tarreau - haproxy maintainer

(PS: please keep me CCed, I'm not on the list)
---
[1] https://github.com/openssl/openssl/pull/8797#issuecomment-942442176
[2] https://www.mail-archive.com/openssl-project@openssl.org/msg02585.html
[3] https://github.com/quictls/openssl