From 24fd814c326e282c4321965c31f341dad77e270d Mon Sep 17 00:00:00 2001 From: V3n3RiX Date: Fri, 8 Jan 2021 11:28:34 +0000 Subject: gentoo resync : 08.01.2021 --- ...2021-01-05-libressl-support-discontinued.en.txt | 71 +++++++++++++++++++++ metadata/news/Manifest | 30 ++++----- metadata/news/Manifest.files.gz | Bin 10052 -> 10248 bytes metadata/news/timestamp.chk | 2 +- metadata/news/timestamp.commit | 2 +- 5 files changed, 88 insertions(+), 17 deletions(-) create mode 100644 metadata/news/2021-01-05-libressl-support-discontinued/2021-01-05-libressl-support-discontinued.en.txt (limited to 'metadata/news') diff --git a/metadata/news/2021-01-05-libressl-support-discontinued/2021-01-05-libressl-support-discontinued.en.txt b/metadata/news/2021-01-05-libressl-support-discontinued/2021-01-05-libressl-support-discontinued.en.txt new file mode 100644 index 000000000000..713d1df9abe6 --- /dev/null +++ b/metadata/news/2021-01-05-libressl-support-discontinued/2021-01-05-libressl-support-discontinued.en.txt @@ -0,0 +1,71 @@ +Title: LibreSSL support discontinued +Author: Michał Górny +Posted: 2021-01-05 +Revision: 1 +News-Item-Format: 2.0 +Display-If-Installed: dev-libs/libressl + +Starting 2021-02-01, Gentoo will discontinue supporting +dev-libs/libressl as an alternative to dev-libs/openssl. While it will +still be possible for expert users to use LibreSSL on their systems, +we are only going to provide support for OpenSSL-based systems. Most +importantly, we are no longer going to maintain downstream patches for +LibreSSL support -- it will rely on either package upstreams merging +such patches themselves, or LibreSSL upstream finally working towards +better OpenSSL compatibility. + +On 2021-02-01, we will mask the relevant USE flags and packages. If you +wish to continue using LibreSSL, you will be able to undo these masks +for the time being. However, as packages drop patching for LibreSSL +and the library is eventually removed from ::gentoo, it will become +necessary to use the user-maintained LibreSSL overlay [1]. As long-term +support for LibreSSL is not guaranteed, we recommend switching +to OpenSSL instead. More information on removal can be found +on the relevant bug [2]. + +To switch before the aforementioned date, remove 'libressl' from your +USE flags and CURL_SSL targets. Afterwards, it is recommended to +prefetch all the necessary distfiles before proceeding with the system +upgrade, in case wget(1) becomes broken in the process: + + emerge --fetchonly dev-libs/openssl net-misc/wget + emerge --fetchonly --deep --changed-use @world + +A --changed-use @world upgrade should automatically cause LibreSSL +to be replaced by OpenSSL, and all affected packages to be rebuilt: + + emerge --deselect dev-libs/libressl + emerge --changed-use --deep @world + + +LibreSSL has been forked off OpenSSL in 2014 to address a number of +problems with the original package. However, since then OpenSSL +development gained speed and the original reasons for the fork no longer +apply. Furthermore, LibreSSL started to repeatedly fall behind +and cause growing compatibility problems. While initially these +problems were related to packages using old/insecure OpenSSL APIs, today +they are mostly related to LibreSSL missing newer OpenSSL APIs +(yet declaring false compatibility with newer OpenSSL versions). + +With the little testing it gets, our developers and users had to put +a significant effort into fixing upstream packages. In some cases +(e.g. Qt), upstream has explicitly refused to support LibreSSL, forcing +us to maintain the patches forever. This in turn means that +security fixes, regular version bumps or end-user system upgrades are +often delayed because of necessary LibreSSL patching. What is even +worse, major runtime issues managed to sneak in that broke production +systems running LibreSSL in the past. + +To the best of our knowledge, the only benefit LibreSSL has over OpenSSL +right now is the additional libtls library. For this reason, we have +packaged dev-libs/libretls which is a port of this library that links +to OpenSSL. + +All these issues considered, we came to the conclusion that OpenSSL +should remain the only supported production option for Gentoo systems. +While the flexibility of Gentoo should make it possible to keep using +LibreSSL going forward, the effort necessary to provide first-class +official support for LibreSSL has proven to outweigh the benefit. + +[1] https://gitweb.gentoo.org/repo/proj/libressl.git/tree/README.md +[2] https://bugs.gentoo.org/762847 diff --git a/metadata/news/Manifest b/metadata/news/Manifest index 46214d5487e2..b9c011cfc30a 100644 --- a/metadata/news/Manifest +++ b/metadata/news/Manifest @@ -1,23 +1,23 @@ -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 -MANIFEST Manifest.files.gz 10052 BLAKE2B 99d1a5eb6e8f52a0c03138f80d6ee3214b6fd76a9d85b04118722787d85ffaff446fda6c2cb93a42edc2c2ffeddb59180b86c80ad1652b7b5009e846c8db48ce SHA512 83a8845c703dd8944efcbf6eabc4222f2cb51ef3d1dda9eebbed2536bb5e1e7fa86988cf6e5ac01d1d9918874a8c3b24e2059cd904c57b2f056b8c0fdee7820d -TIMESTAMP 2021-01-01T20:38:39Z +MANIFEST Manifest.files.gz 10248 BLAKE2B 70b8b9cef9bbf0469dff0a3edb5705a982d1f0f6bce6528e5d659e4134770fe3c78fdc44245f64805b83f334a54766920f33c93c313a0b824845ac6345a34815 SHA512 62b5517f09d8e3743c8b5810ff997be14cbc7c3a7d14efefd433906fae2b2d90e396a8525177b530ebcf32147fae59a89ca91fd7e7ffc5e8f4444f220b091534 +TIMESTAMP 2021-01-08T11:08:39Z -----BEGIN PGP SIGNATURE----- -iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl/viE9fFIAAAAAALgAo +iQKTBAEBCgB9FiEE4dartjv8+0ugL98c7FkO6skYklAFAl/4PTdfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEUx RDZBQkI2M0JGQ0ZCNEJBMDJGREYxQ0VDNTkwRUVBQzkxODkyNTAACgkQ7FkO6skY -klAn7A/9F+LS8wW7Oiz4f9dopqiK+w2dqFefzBqlmvZFR2FXEM7CrCZhuIl8r50h -DpliC6flFWCUUmTAhYNduMf7BySjb4aSqqg/cQvH9iV+9knY2Hg7xAgtC6P3bO23 -L5VfzZuObfkQnEs/6yoDuGJzexZNHAB1PzoiN1QQpgAiTM6PZvUwUsFvJz5HQSds -F75R3u2/hrUEeWHuMSjYrGhRwDLRqsKOVUyw+dcV4nFgnCqSSAr83dLsLQy56kHz -Bmb5UdgNtVwK96Q1ntS4wstUxYI1YLshsSBM5I/c1Tx/qiL5lOslhn4CsmoC79gU -0/bHocsKNtLUTbfAexwmxXnXjoiV9Ivb/skvv+CKhtdCSdkYD92MXF1o04Jdw6sd -RpUDlILm3kVlR84xQwnBeTLOKvAr5WrFqAnFOpFYYeCSSDIFhdMOHqgGxhaip3JE -hpD7gLOoBIag/pKNzQ/u4dpjT7sf5QRRt1nee1NdPU7pmVbTUf/LxSASZ6SdLnon -hcFdW6gHEzUpmlLbTGwxujldanMqJc/wfoZALWARxXT0l65lS77pNqRj0hMrPPqi -ok7vPPxHIZvfFxMN6Yu84v/1ZVz5cGpY8Xg0XOoFQB1yueX3BjXYooGHSnY+8/Vx -XWGhP/l0Nhh2B8JlwG4/SkjkD1ZrYkZz/uONq6A8PzW+GBFfhd4= -=OCtm +klBenQ/9FZyBNwMsuj0vGFPHhmFRPqp5D+seTywgpVilbgRMLeYeecUPhSkVhEg7 +/bTyihjGM9GmkXoRcPE2ggOSlWpVArhg1CvNhUEW3yDuP9HJ1GmwgIAL1t6fH45o +6vmBDFcUMyPZL0IR9HKaWXTWJlLx4kkbMUJMiwl0cvZwWjudQwDAoBm52PdiZIxe +fJW2EUHJjzHUX01E359/+WHlSf6T4J1NK10XShwwOIr5nHw955gT/VFBERuxUhPN +ViSyG8ueKO47xHyYWg3NgM3DSj+Ib6Rj3QqavZS4ayfjqN/ihpTPcwyQVy7zRfdk +fmeQFsWP+Ju3y8qqzzHhsTkpwhArAXrwgzYUEIxuUj58n/UnyWA+8LE5ldGQXWaI +z80ae/kXTc6F+uI96767cvNfKahtB4Uq8BA05Zr8ObWB7uvJUSE2eTXND0sumUF+ +wAT4c41c7b3F9M6xvTVFvpnGkrvLU6lf5AGzkX4EB3FkyDQrqGzwCCdbh6/JmmfT +jtXqB/oVQ4NZMf9xWfyQSM3G5Z2jNHzOHdYbLk3FPpV1LxuVDHbOH/SjA4a/MJOF +BEWf/2BDsvwLC1f2fhRDra2d8dmgE9fSqGk0ChNhpc6tS5dKG0XqQLCZD0LUzOxO +qMNfHHDpq+XxHRPZBgslINc8kz+9pgskIbx64b52r3DSvk5cFQ4= +=KNVN -----END PGP SIGNATURE----- diff --git a/metadata/news/Manifest.files.gz b/metadata/news/Manifest.files.gz index 555674a756d4..0ea581801bb9 100644 Binary files a/metadata/news/Manifest.files.gz and b/metadata/news/Manifest.files.gz differ diff --git a/metadata/news/timestamp.chk b/metadata/news/timestamp.chk index 3f0759c50d70..81201ed971ce 100644 --- a/metadata/news/timestamp.chk +++ b/metadata/news/timestamp.chk @@ -1 +1 @@ -Fri, 01 Jan 2021 20:38:36 +0000 +Fri, 08 Jan 2021 11:08:36 +0000 diff --git a/metadata/news/timestamp.commit b/metadata/news/timestamp.commit index b97dba721917..1f85f9e7c5f2 100644 --- a/metadata/news/timestamp.commit +++ b/metadata/news/timestamp.commit @@ -1 +1 @@ -473b7ccfe355bb5572e3cecfd068c6121ed37b6f 1609463388 2021-01-01T01:09:48+00:00 +034ed5a1cd7f552e2cf130703f91b30681c47e7f 1609845379 2021-01-05T11:16:19+00:00 -- cgit v1.2.3