LibreSSL by default

Yes, there could be a fake openssl-dev package. But this also needs a plan for how to undo this for users who upgrade, which is hard once a fake package with a higher version number is installed. More and more hacks piling up until I cannot see through anymore.

Unknown.

Depending on the gravity of the bug, it doesn't just need reporting; it would either require fixing (which I could not) or reverting to OpenSSL.

Debian doesn’t just need suggestions, they need contributions.

I haven't seen anyone trying to contribute this to Debian and hitting a wall yet.


LibreSSL might have similar APIs to OpenSSL, but simply replacing the OpenSSL libraries with LibreSSL libraries and preserving the old names of the libraries in the system, without changing the code and recompiling the user program, might not work as expected. It depends on implementation and compilation details and needs to be actually tested.

It would also help to ask the LibreSSL developers explicitly whether replacing the files previously provided by OpenSSL, such as /usr/lib/x86_64-linux-gnu/libssl.so.1.1, is supported / sane / expected, or whether recompilation is advised.

LibreSSL was forked from OpenSSL in 2014. In the 6 years since, has one project had a better track record than the other?

This would need some more citations. Also major distributions switching to LibreSSL or at least discussing this would help.

LibreSSL sounds really good indeed:

LibreSSL - Wikipedia

But things need to be done the correct™ way:

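To make the "needs to be actually tested" point above concrete, here is an added example (not from this thread, nor from the OpenSSL or LibreSSL projects) that checks whether a candidate replacement libssl carries the same SONAME and exports every dynamic symbol a given binary currently resolves from the installed one. It assumes binutils (nm, readelf) and POSIX comm/awk/sed; all binary and library paths are placeholders.

```shell
# Added example, not part of the thread. Assumes binutils (nm, readelf) and
# POSIX comm/awk/sed. Binary and library paths below are placeholders.

# Dynamic symbols an ELF file imports (undefined), sorted; @VERSION suffix stripped.
imported_syms() {
    LC_ALL=C nm -D --undefined-only "$1" | awk '{print $NF}' | sed 's/@.*//' | LC_ALL=C sort -u
}

# Dynamic symbols a shared library exports (defined), sorted; @VERSION suffix stripped.
exported_syms() {
    LC_ALL=C nm -D --defined-only "$1" | awk '{print $NF}' | sed 's/@.*//' | LC_ALL=C sort -u
}

# SONAME recorded in a shared library, e.g. libssl.so.1.1
soname_of() {
    readelf -d "$1" | awk '/\(SONAME\)/ { gsub(/[][]/, "", $NF); print $NF }'
}

# Pure comparison: symbols in sorted list file $1 that are absent from sorted list file $2.
missing_symbols() {
    LC_ALL=C comm -23 "$1" "$2"
}

# Report whether NEW_LIB could stand in for OLD_LIB for one BINARY: same SONAME,
# and every symbol BINARY resolves from OLD_LIB is exported by NEW_LIB.
# Passing is necessary, not sufficient: struct layouts and behaviour can still
# differ, and the @VERSION requirements stripped above are a separate check.
check_replacement() {
    bin=$1; old=$2; new=$3
    tmp=$(mktemp -d) || return 2
    imported_syms "$bin" > "$tmp/imp"
    exported_syms "$old" > "$tmp/old"
    exported_syms "$new" > "$tmp/new"
    # Only the symbols the binary actually takes from the old library matter.
    LC_ALL=C comm -12 "$tmp/imp" "$tmp/old" > "$tmp/needed"
    rc=0
    if [ "$(soname_of "$old")" != "$(soname_of "$new")" ]; then
        echo "SONAME mismatch: $(soname_of "$old") vs $(soname_of "$new")"; rc=1
    fi
    missing=$(missing_symbols "$tmp/needed" "$tmp/new")
    if [ -n "$missing" ]; then
        echo "symbols needed by $bin but missing from $new:"; echo "$missing"; rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Usage (placeholder paths):
# check_replacement /usr/bin/openssl /usr/lib/x86_64-linux-gnu/libssl.so.1.1 /tmp/libressl/libssl.so.1.1
```

Run it against every package that links libssl before touching the installed file; a clean result still only justifies running those packages' own test suites, not skipping them.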

Within 1 year, LibreSSL mitigated plenty of vulnerabilities (including 5 critical ones) which OpenSSL was affected by.

https://www.openbsd.org/papers/libtls-fsec-2015/mgp00005.html

Dunno what the current total of vulnerabilities mitigated is, but I expect it to be quite high.


void deprecate libressl and switch back to openssl:
