> > On 29 Dec 2020, at 09:13, Marcel Schilling <marcel.schill...@mdc-berlin.de> wrote:
> >
> > I just want to comment that I switched to LibreSSL on several Gentoo systems years ago and never had any major issues. I run both desktop and server systems with LibreSSL, based on X and Wayland. The only issue I ran into is a slight lag of the overlay behind the main tree, so once in a while I had to mask a new version of some package for a week or so.
Let me just come back on the different views here:

@marcel: Exactly the same here. Smoothly running libressl on dozens of systems here, from embedded to Ryzen servers, even on Gnome desktops. At least from the libressl *user's* perspective.

sam:
> TL;DR: [...libressl patches are...] just crippling functionality.

@sam: From the perspective of libressl maintainers I have had a hard time reading this thread ;-) to learn that even security is supposed to be an issue with libressl today!? Aren't these crippling patches sometimes even helpful (see some apache patches) to crop unreliable extra features? I might be wrong here. Actually I'd prefer something 'boring' and stable on ssl over new features...

Well, I cannot judge the security issues in depth. From a short internet scan I don't see recent libressl issues, but e.g. this one on openssl, https://www.openssl.org/news/vulnerabilities.html, only three weeks ago.

Anyway, my personal conclusion on security: I once switched to libressl because of the heartbleed issue. If security is better with openssl these days, I'd of course switch back. It might be worth having some warm explanations of the motivation in eselect NEWS, to help people out of the initial state of shock.

> > So from a pure user perspective, this change would mean a risky update to systems running stable for years with no gain whatsoever.

Coming back on the technical way to switch back to openssl: thanks to Gentoo, isn't the switch back more or less something predictable like
- removing the libressl USE / CURL flags
- downloading everything before compiling (emerge -f ...)
- removing libressl, installing openssl, maybe wget then, followed by the rest?

I plead for something that actually *works*, as many systems will need that change here.

Thanks