Hi,

jpbion@xxxxxxxxxx wrote on Wed, Oct 18, 2017 at 05:53:21AM -0700:

> 4) As a first result, with no judgement on anyone, just looking at the
> data - the root cause of this issue seems to be the split of LibreSSL
> from OpenSSL

No, you are totally misrepresenting the situation.

The root cause is the split of OpenSSL-1.1 from OpenSSL-1.0, and
that OpenSSL dumped the large and dangerous work of dealing with
the large-scale API change on each and every application project
instead of providing an official transition path that can be taken
seriously.

LibreSSL has almost nothing to do with the problem. Even if LibreSSL
had never happened, the same problem would still exist.

Oh, wait, LibreSSL has to do with it in one sense. It is available
as one possible way to *solve* the problem. Either temporarily or
for good, whichever you like.

> OpenSSL and LibreSSL, given the fact neither seems to have a desire
> to maintain compatibility with the other (again, as far as I can see).

That is an unfounded allegation.

Of course LibreSSL has a desire to eventually integrate the 1.1 API.
Joel has said so long ago, in public, that in principle, opaque
structs are a good concept [for example citation 1: Dec 30, 2016],
and I have heard repeated discussions inside the LibreSSL project
on how to get there. It is just a lot of work, it is made harder
by the lack of a clear migration path, and it is of limited usefulness
as long as application programs must still support the OpenSSL-1.0
API. That's what prevented it from getting done so far.

Given that you got the facts wrong, your conclusions are misleading
as well.

All this was explained already, so your mail sounds almost trollish:
It should already be well-known that the central design goal of
LibreSSL is to be a compatible drop-in replacement for OpenSSL - at
the time of the fork, that was OpenSSL-1.0. If, after the fork,
OpenSSL breaks its own API and leaves users in the rain, blaming
that on LibreSSL is quite dishonest.
Even if the API break is so severe that it takes LibreSSL substantially
more than a year to deal with it, even if LibreSSL hasn't yet solved
the problem for its own purposes.

The real problem is: How is OpenSSH supposed to support OpenSSL-1.0
and OpenSSL-1.1 at the same time, given that the API break is so
severe that switching from one to the other requires a 3000+ line
diff?

Yours,
  Ingo

[1] https://www.mail-archive.com/tech@xxxxxxxxxxx/msg36437.html