Re: Status of OpenSSL 1.1 support - Thoughts

(Re-sent as I used the wrong account before - edited slightly)

I’m sorry you see my post as potentially trollish - it was not meant that way. So let me try to restate things.

I have nothing against LibreSSL, and I do think the OpenSSL API change was poorly executed. I am just speaking as a solo semi-retired hobbyist who spends most of his server coding time on private weather station software (I don’t do this stuff for work - this is all on my own time), and I feel really left in a bind. OpenSSH is a fantastic tool, but I worry I will end up not being able to use it. I am not on all the mailing lists - this is why I repeatedly said “as far as I can see”, acknowledging my limited knowledge of the details. The end users of these tools have been dealing with the nightmare of the OpenSSL changes for about a year now. Nor do I see this as anyone’s “fault” - except, as I said, OpenSSL created a pile of work for everyone.

The real point of my note is: I don’t see OpenSSL and LibreSSL merging any time soon. Even if LibreSSL puts in opaque structures, what if the two teams view ways to handle the issues of 2018 and beyond differently? Is API compatibility, a goal at the start, going to remain a primary goal of both teams, especially if one of the two teams makes choices seen as ill-founded by the other? I don’t know - so I ask - and without knowing, I worry that more API divergence will occur. Again, the OpenSSL changes were a huge gulp - and others may question the wisdom of staying in lock-step with those changes. As a result, I worry whether it will be possible to maintain software, over time, that supports both variants of the SSL stack. As such, I worry that a day will come when I can’t use OpenSSH, because too many other things I depend upon CAN'T use LibreSSL.

Please tell me where this core concern of mine is misplaced - because I would surely like my concern to be ill-founded and mistaken.


On 2017-10-18 07:15, Ingo Schwarze wrote:
Hi,

jpbion@xxxxxxxxxx wrote on Wed, Oct 18, 2017 at 05:53:21AM -0700:

> 4) As a first result, with no judgement on anyone, just looking at the
> data - the root cause of this issue seems to be the split of LibreSSL
> from OpenSSL

No, you are totally misrepresenting the situation.  The root cause
is the split of OpenSSL-1.1 from OpenSSL-1.0, and that OpenSSL
dumped the large and dangerous work of dealing with the large-scale
API change on each and every application project instead of providing
an official transition path that can be taken seriously.

LibreSSL has almost nothing to do with the problem.  Even if LibreSSL
had never happened, the same problem would still exist.

Oh, wait, LibreSSL has to do with it in one sense.  It is available
as one possible way to *solve* the problem.  Either temporarily or
for good, whichever you like.

> OpenSSL and LibreSSL, given the fact neither seems to have a desire
> to maintain compatibility with the other (again, as far as I can see).

That is an unfounded allegation.  Of course LibreSSL has a desire
to eventually integrate the 1.1 API.  Joel has said so long ago,
in public, that in principle, opaque structs are a good concept
[for example citation 1: Dec 30, 2016], and I have heard repeated
discussions inside the LibreSSL project on how to get there.  It
is just a lot of work, it is made harder by the lack of a clear
migration path, and it is of limited usefulness as long as application
programs must still support the OpenSSL-1.0 API.  That's what
prevented it from getting done so far.

Given that you got the facts wrong, your conclusions are misleading
as well.  All this was explained already, so your mail sounds almost
trollish: It should already be well-known that the central design
goal of LibreSSL is to be a compatible drop-in replacement for
OpenSSL - at the time of the fork, that was OpenSSL-1.0.  If, after
the fork, OpenSSL breaks its own API and leaves users in the rain,
blaming that on LibreSSL is quite dishonest.  Even if the API break
is so severe that it takes LibreSSL substantially more than a year
to deal with it, even if LibreSSL hasn't yet solved the problem for
its own purposes.

The real problem is:  How is OpenSSH supposed to support OpenSSL-1.0
and OpenSSL-1.1 at the same time, given that the API break is so
severe that switching from one to the other requires a 3000+ line
diff?

Yours,
  Ingo

[1] https://www.mail-archive.com/tech@xxxxxxxxxxx/msg36437.html
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



