Hi,

On Wed, 30 Sep 2015 15:58:34 -0400 Rich Freeman wrote:
> On Wed, Sep 30, 2015 at 3:29 PM, Anthony G. Basile <bluen...@gentoo.org>
> wrote:
> > @rich0. Just a side comment. You said somewhere that maybe apache will
> > choose openssl and postfix libressl and then we'll be in trouble. No. The
> > incompatibility is at the abi not api level. So, for example, some struct
> > size might be different between the two because of internal implementation
> > details, but both should provide a definition of the same struct in their
> > header with the same members. ie. apache should compile against either
> > openssl or libressl and work, you just can't swap out your libssl without
> > recompiling apache which you could do if you had full api compat.
>
> I agree with this as long as both projects maintain API compatibility.
> Whether that happens remains to be seen. If openssl adds a new
> feature and libressl decides that is a "bad feature" or libressl adds
> a new feature and openssl doesn't have the manpower to keep up, or
> whatever, then we'll start seeing things break, and then everybody
> gets to pick sides.

They are already not API compatible:

1. LibreSSL added new features and interfaces:
https://en.wikipedia.org/wiki/LibreSSL#Added_features

2. Some old features are removed:
https://en.wikipedia.org/wiki/LibreSSL#Added_features

Most notably, SSLv3 and MD5 support was cancelled; while they are indeed
not secure, some apps likely still depend on them. So it is only a
matter of time

Best regards,
Andrew Savchenko