On Mon, 2020-12-28 at 13:59 -0500, Anthony G. Basile wrote: > On 12/28/20 3:56 AM, Michał Górny wrote: > > Hello, developers and Gentoo LibreSSL team. > > > > TL;DR: is there really a point in continuing the never-ending > > always- > > regressing struggle towards supporting LibreSSL in Gentoo? > > > > > > I would like to discuss the possibility of discontinuing LibreSSL > > support in Gentoo in favor of sticking with OpenSSL. Similarly how > > we > > ended up deciding that fighting for libav was unpractical and the > > vast > > majority of users are using ffmpeg (because they didn't really have > > a choice), today it seems that LibreSSL is suffering the same fate. > > > > LibreSSL users, does LibreSSL today have any benefit over OpenSSL? > > To be honest, I don't think so. In 2014, it might have represented > > a new quality. But today, OpenSSL is alive and kicking, and > > LibreSSL > > finds it hard to keep up. > > > > The vast majority of software is not tested against LibreSSL. > > While > > patches are usually trivial and we have people that submit them, > > I find many of them short-sighted. Just look at [1]. Sure, it > > fixes > > the build today but it disabled the feature for all foreseeable > > future. > > How likely is it that somebody will submit another patch reenabling > > it > > with a future LibreSSL version? > > > > While normally I strongly prefer submitting such patches upstream, > > that > > makes things even worse. I mean, I wouldn't be surprised if there > > were > > dozens of packages today that are crippled with LibreSSL just > > because > > somebody fixed the build in the past and never revisited the > > problem. > > > > This somewhat resembles running in circles. Packages kept being > > broken > > with LibreSSL because rarely anyone is using it. And rarely anyone > > is > > using LibreSSL because the apparent benefit (or lack thereof) does > > not > > justify the constant breakage (plus invisible regressions). > > > > All this considered, provided that nobody is able to find a good > > reason > > to use LibreSSL, I would like to propose that we stop patching > > packages, discontinue support for it and last rite it. > > > > > > [1] https://761981.bugs.gentoo.org/attachment.cgi?id=679892 > > > > I'm the current project lead. I inherited it back in the day from > hasufel. It originally had promise of being better than openssl with > 100% compatibility. I hung on because I trusted that team but it has > become more of a hassle than its worth. I am in favor of removing > it. > If we decide to do so, how should we proceed?
I think the usual plan for this kind of thing is to: 1. Issue a news item with the planned cutoff date, and suggest people that they can set USE=-libressl to switch earlier. 2. At the cutoff date, use.mask libressl flag. 3. package.mask libressl itself to give people a clear message. I might be wrong but I think the update should proceed cleanly with --changed-use/--newuse. The PM will trigger the rebuilds, and preserved-libs should take care of keeping libressl libs for as long as necessary (yeah, I know relying on preserved-libs sucks). The only problem that I can think of are packages that depend on libressl specifically and do not support openssl. I don't think we have anything like that but I'll double check. -- Best regards, Michał Górny
