You may want to update the Project:LibreSSL <https://wiki.gentoo.org/wiki/Project:LibreSSL> page to reflect the decision to drop support for libressl; you could also add a news item to the libressl package with instructions, or a link to instructions, for migrating back to OpenSSL.
On Mon, 4 Jan 2021 at 09:22, Michał Górny <mgo...@gentoo.org> wrote:
> v2, with additional 'emerge --deselect':
> ---
> Title: LibreSSL support discontinued
> Author: Michał Górny <mgo...@gentoo.org>
> Posted: 202x-xx-xx
> Revision: 1
> News-Item-Format: 2.0
> Display-If-Installed: dev-libs/libressl
>
> Starting 2021-02-01, Gentoo will no longer actively pursue supporting
> dev-libs/libressl as an alternative to dev-libs/openssl. While it will
> still be possible for expert users to use LibreSSL on their systems,
> we are only going to provide support for OpenSSL-based systems. Most
> importantly, we are no longer going to maintain downstream patches for
> LibreSSL support -- it will rely on either package upstreams merging
> such patches themselves, or LibreSSL upstream finally working towards
> better OpenSSL compatibility.
>
> On 2021-02-01, we will mask the relevant USE flags and packages. If you
> wish to continue using LibreSSL, you will be able to undo these masks
> for the time being. However, as packages drop patching for LibreSSL
> and the library is eventually removed from ::gentoo, it will become
> necessary to use the user-maintained LibreSSL overlay [1]. As long-term
> support for LibreSSL is not guaranteed, we recommend switching
> to OpenSSL instead. More information on removal can be found
> on the relevant bug [2].
>
> To switch before the aforementioned date, remove 'libressl' from your
> USE flags and CURL_SSL targets. Afterwards, it is recommended to
> prefetch all the necessary distfiles before proceeding with the system
> upgrade, in case wget(1) becomes broken in the process:
>
> emerge --fetchonly dev-libs/openssl net-misc/wget
> emerge --fetchonly --changed-use @world
>
> A --changed-use @world upgrade should automatically cause LibreSSL
> to be replaced by OpenSSL, and all affected packages to be rebuilt:
>
> emerge --deselect dev-libs/libressl
> emerge --changed-use @world
>
>
> LibreSSL was forked off OpenSSL in 2014 to address a number of
> problems with the original package. However, since then OpenSSL
> development gained speed and the original reasons for the fork no longer
> apply. Furthermore, LibreSSL started to repeatedly fall behind
> and cause growing compatibility problems. While initially these
> problems were related to packages using old/insecure OpenSSL APIs, today
> they are mostly related to LibreSSL missing newer OpenSSL APIs
> (yet declaring false compatibility with newer OpenSSL versions).
>
> With the little testing it gets, our developers and users had to put
> a significant effort into fixing upstream packages. In some cases
> (e.g. Qt), upstream has explicitly refused to support LibreSSL, forcing
> us to maintain the patches forever. This in turn means that
> security fixes, regular version bumps or end-user system upgrades are
> often delayed because of necessary LibreSSL patching. What is even
> worse, major runtime issues managed to sneak in that broke production
> systems running LibreSSL in the past.
>
> To the best of our knowledge, the only benefit LibreSSL has over OpenSSL
> right now is the additional libtls library. For this reason, we have
> packaged dev-libs/libretls which is a port of this library that links
> to OpenSSL.
>
> All these issues considered, we came to the conclusion that OpenSSL
> should remain the only supported production option for Gentoo systems.
> While the flexibility of Gentoo should make it possible to keep using
> LibreSSL going forward, the effort necessary to provide first-class
> official support for LibreSSL has proven to outweigh the benefit.
>
> [1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md
> [2] https://bugs.gentoo.org/762847
> ---
>
> --
> Best regards,
> Michał Górny
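
The switch step in the quoted news item (dropping 'libressl' from USE and CURL_SSL before the fetch-first upgrade), as an added shell example that is not part of the news item or of Gentoo's own tooling: it audits a make.conf, prints a cleaned copy, and then lists the emerge sequence from the item. The sample make.conf is constructed, and single-line USE= and CURL_SSL= assignments are assumed.

```shell
#!/bin/sh
# Added example, not part of the news item or of Gentoo's own tooling.
# Audits a Portage make.conf for the two settings the news item says to
# remove before the mask date ('libressl' in USE and in CURL_SSL) and prints
# a cleaned copy. Assumes single-line USE= and CURL_SSL= assignments.

# scrub_make_conf FILE
#   stdout: FILE with every 'libressl' token dropped from USE and CURL_SSL
#           (those lines are rewritten as NAME="..."; others pass through)
#   stderr: one line per variable that still carried the token
#   exit:   1 if anything was removed, 0 if the file was already clean
scrub_make_conf() {
    awk -v q="'" '
        /^[ \t]*(USE|CURL_SSL)[ \t]*=/ {
            name = $0; sub(/[ \t]*=.*$/, "", name); sub(/^[ \t]*/, "", name)
            val = $0;  sub(/^[^=]*=/, "", val);     gsub("[\"" q "]", "", val)
            n = split(val, tok, /[ \t]+/); out = ""
            for (i = 1; i <= n; i++) {
                if (tok[i] == "") continue
                if (tok[i] == "libressl") {
                    print name " references libressl" > "/dev/stderr"
                    dirty = 1; continue
                }
                out = out (out == "" ? "" : " ") tok[i]
            }
            print name "=\"" out "\""
            next
        }
        { print }
        END { exit dirty + 0 }
    ' "$1"
}

# Constructed sample standing in for a copy of /etc/portage/make.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
CFLAGS="-O2 -pipe"
USE="bindist libressl -gnome"
CURL_SSL="libressl"
EOF

if scrub_make_conf "$sample" > "$sample.clean"; then
    echo "no libressl settings found in $sample"
else
    echo "cleaned copy written to $sample.clean; review it, install it, then run:"
    echo "  emerge --fetchonly dev-libs/openssl net-misc/wget"
    echo "  emerge --fetchonly --changed-use @world"
    echo "  emerge --deselect dev-libs/libressl"
    echo "  emerge --changed-use @world"
fi
```

Entries in /etc/portage/package.use are not covered by this check and still have to be reviewed by hand.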