I assume you know far more than me and A.Wilcox from the Alpine list but this was mentioned. They are planning to revert to OpenSSL next week.
I don't use Alpine, though it is possibly my preferred Linux, just thought I would mention it. To be honest, I don't even know if facilitating wider adoption of LibreSSL hurts or benefits OpenBSD security in the end. The last paragraph (taken from a separate mail) may be interesting? I have no idea what Debian etc. are doing.

http://lists.alpinelinux.org/alpine-devel/6079.html
_____________________________________________________________________

awilcox on ciall /usr/src/alpine-aports $ find . -name '*libressl*.patch' | sort
./community/asio/libressl.patch
./community/cargo/openssl-fix-libressl-cmsh-detection.patch
./community/cargo/openssl-libressl263-compat.patch
./community/erlang/0011-fix-libressl-build.patch
./community/freerdp/libressl-2.5.patch
./community/gsoap/libressl.patch
./community/heirloom-mailx/libressl.patch
./community/isync/libressl-compat.patch
./community/john/libressl.patch
./community/mongodb-tools/libressl.patch
./community/pgbouncer/libressl-2.5.patch
./community/qt5-qtbase/libressl-compat.patch
./community/retawq/libressl.patch
./community/rethinkdb/libressl-all.patch
./community/stunnel/stunnel-libressl.patch
./community/xchat/libressl.patch
./community/yadifa/libressl-compat.patch
./main/boost/libressl.patch
./main/elinks/libressl-2.5.patch
./main/fetchmail/libressl.patch
./main/freeswitch/sofia-sip-libressl.patch
./main/haproxy/fix-libressl-2.5.patch
./main/hexchat/libressl.patch
./main/hostapd/libressl-compat.patch
./main/krb5/libressl.patch
./main/ldns/1.6.17-libressl.patch
./main/libevent/libressl.patch
./main/libgit2/libressl.patch
./main/lua-cqueues/libressl-2.5.patch
./main/mosquitto/libressl.patch
./main/neon/fix-libressl.patch
./main/open-isns/libressl.patch
./main/openldap/libressl.patch
./main/opensmtpd/libressl-compat.patch
./main/openvswitch/libressl-compat.patch
./main/opusfile/libressl.patch
./main/partimage/libressl.patch
./main/perl-crypt-ssleay/libressl.patch
./main/postfix/libressl.patch
./main/python3/libressl.patch
./main/qt/qtcore-4.8.5-libressl.patch
./main/serf/libressl.patch
./main/spice-gtk/libressl.patch
./main/spice/libressl.patch
./main/strongswan/libressl.patch
./main/tlsdate/libressl-no-sslv3.patch
./main/tlsdate/libressl-sslstate.patch
./main/transmission/libressl.patch
./main/wpa_supplicant/libressl.patch
./main/xrdp/libressl-support.patch
./testing/bobcat/libressl-compatibility.patch
./testing/ejabberd/libressl.patch
./testing/imapfilter/libressl.patch
./testing/libimobiledevice/01-libressl.patch
./testing/litespeed/libressl.patch
./testing/megatools/libressl.patch
./testing/openconnect/openconnect-7.08-libressl251.patch
./testing/prayer/libressl.patch
./testing/proftpd/libressl.patch
./testing/tarantool/tests-libressl-compat.patch
./testing/x11vnc/libressl.patch

It isn't just this. Qt 5.10 introduces a new dependency on OpenSSL 1.1 APIs for improved security, and LibreSSL does not implement those APIs at all.

Also, as mentioned in my other email, one pain point is something like mailman or taiga, which require Python Cryptography package version 1.7. This version requires OpenSSL APIs that LibreSSL removed. That'd be fine, since it could be built against OpenSSL instead, however! libressl-dev and openssl-dev conflict, and python-dev installs libressl-dev because Python is built against LibreSSL. That means you can't actually build OpenSSL-requiring Python packages at all. I'd imagine similar issues would be had with Ruby, Perl, Node, and all the rest. Certainly any Qt application that needs OpenSSL APIs (like Kleopatra, KDE's key management utility) won't be buildable as well.

One question I do have is: is there a way to disable the OpenSSL compatibility in LibreSSL? It would be good for packages that require LibreSSL (libressl-dev) to be buildable even if openssl-dev is installed (preventing something like the above Python situation).