On Tue, 2020-12-29 at 14:57 +0100, m1027 wrote:
> > > On 29 Dec 2020, at 09:13, Marcel Schilling
> > > <marcel.schill...@mdc-berlin.de> wrote:
> > >
> > > I just want to comment that I switched to LibreSSL on several
> > > Gentoo systems years ago and never had any major issues. I run
> > > both desktop and server systems with LibreSSL, based on X and
> > > Wayland. The only issue I ran into is a slight lag of the
> > > overlay behind the main tree so once in a while I had to mask a
> > > new version of some package for a week or so.
>
> Let me just come back on the different views here:
>
> @marcel: Exactly the same here. Smoothly running libressl on dozens
> of systems here, from embedded to ryzen servers, even on Gnome
> desktops. At least from the libressl *user's* perspective.
>
> sam:
> > > TL;DR: [...libressl patches are...] just crippling functionality.
>
> @sam: From the perspective of libressl maintainers I have had a hard
> time reading this thread ;-) to learn that even security is supposed
> to be an issue with libressl today!? Aren't these crippling patches
> sometimes even helpful (see some apache patches) to crop unreliable
> extra features? I might be wrong here. Actually I'd prefer something
> 'boring' and stable on ssl over new features...
>
> Well, I cannot judge on the security issues in depth. From a short
> internet scan I don't see recent libressl issues but e.g. this one
> on openssl, https://www.openssl.org/news/vulnerabilities.html, only
> three weeks ago.
>
> Anyway, my personal conclusion on security:
>
> I've once switched to libressl because of the heartbleed issue. If
> security is better with openssl these days, I'd of course switch
> back.
I can't say anything for sure but it is pretty clear that since
Heartbleed the level of auditing OpenSSL is receiving is much greater.
I honestly doubt that with its comparatively little user base LibreSSL
gets the same level of attention.

I don't really have the time or motivation to try to look for LibreSSL
security issues. But if there's no CVE for such a core package for two
years, it either means that it's really good, that it's practically
dead or that nobody is actually releasing CVEs for it.

> It might be worth having some warm explanations on the
> motivation in eselect NEWS, to help people out of the initial state
> of shock.

Of course a news item will be released once we determine the proper
course of action.

> > > > So from a pure user perspective, this change would mean a risky
> > > > update
> > > > to systems running stable for years with no gain whatsoever.
>
> Coming back on the technical way to switch back to openssl:
>
> Thanks to Gentoo, isn't the switch back more or less something
> predictable like
>
> - removing libressl USE / CURL flags
>
> - download everything before compiling (emerge -f ...)
>
> - removing libressl, installing openssl, maybe wget then, followed
> by the rest?
>
> I plead for something that actually *works* as many systems will
> need that change here.

We are currently waiting for test results. We don't want to guess
without testing for sure.

-- 
Best regards,
Michał Górny