Re: OpenSSL in the FreeBSD base system / FreeBSD 14
- In reply to: Dimitry Andric : "Re: OpenSSL in the FreeBSD base system / FreeBSD 14"
Date: Mon, 24 Apr 2023 15:37:55 UTC
Dimitry Andric wrote:
> On 24 Apr 2023, at 16:39, Warner Losh wrote:
>>
>> On Mon, Apr 24, 2023, 8:33 AM Charlie Li wrote:
>> OpenSSL 3 is a major, even larger than 1.1, API/ABI change. Quite a bit
>> of stuff will be broken today. The effort here has to include working
>> with as many port upstreams as possible to force the issue, as they may
>> not hold OpenSSL 3 compatibility to be an immediate priority; patching
>> ports on a large scale like this is not sustainable.
>>
>> So why can't ports like this use 1.1 as a port rather than from base?

For API compatibility, you might as well use ports LibreSSL as the fallback. From direct experience helping various OpenSSL-type consumers maintain LibreSSL support, pretty much every issue stemmed from two causes: OpenSSL implementing *new* features that LibreSSL was not yet ready for, or LibreSSL intentionally not implementing certain features due to governmental export control laws and regulations.

>
> Trouble starts when you attempt to mix openssl 1.1 and 3.0 libraries
> (both dynamic and static!) in dependent ports, because symbol names will
> collide.
>

Exactly. This also applies to LibreSSL.

> This is not an easily solvable problem, apart from the fact that an
> openssl 1.1 port would have the same basic issue that openssl 1.1 in the
> base system has: it will no longer be supported (at least without paying
> up) after $CUTOFF_DATE.
>

And I expect the OpenSSL 1.1 port to be removed around that time.

> The rest of the open source world has exactly the same problem of
> course, so either all abandoned openssl-1.x using programs have to be
> completely ditched, or you have to keep openssl-1.x on life support
> somehow. Guess what will happen. :)
>
> I think it is likely that this will be a repeat of the Python 2.x
> debacle, e.g. against better judgement everybody will just keep on
> using the deprecated version for years, and it may never fade out
> completely...
>

The OpenSSL situation is a bit more manageable than the transition away from Python 2. Compared to an entire language incompatibility (particularly with string handling), many OpenSSL-type consumers use small pieces of functionality (archivers/libzip comes to mind).

--
Charlie Li
…nope, still don't have an exit line.