openssl vs. libressl

Ryan Schmidt ryandesign at
Wed Nov 11 03:56:45 PST 2015

On Nov 10, 2015, at 6:11 AM, René J.V. Bertin wrote:

> On Tuesday November 10 2015 04:46:50 Ryan Schmidt wrote:
>>> No, but if the ABIs are indeed not compatible there is no other solution, is there?
>> What has currently be done with libressl in MacPorts is a bug, not a solution.
> ?? Why?
> It leaves the educated user with a choice regardless of which of openssl or libressl is the default/preferred flavour. That is always a good thing IMHO.

It is a bad thing when users who exercise a choice run into problems that they don't understand, which causes things not to work for them, which causes them to contact us, which increases our support burden, e.g.:

It is better to offer fewer (or no) choices if that means a higher likelihood that things will just work.

>> It might be better to take the choice away from the user and just make a decision that we want libressl to be our default ssl library in MacPorts. Change the libressl and openssl ports so that they do not conflict, but rather install in different locations.
> You think that won't impose extra effort on port maintainers? It seems *ssl is expected to be found via pkgconfig; as long as dependent ports aren't all written to search for either libressl or openssl (and the projects themselves modified to support parallel installation OOTB) you're still going to have the need for libssl.pc and libcrypto.pc files. Those must either be in the "global" pkgconfig directory, or else you'll need to use `configure.env` to point to the dedicated pkgconfig dir of current choice, which means introducing and maintaining a PortGroup.

So put the "default" ssl implementation in the default location, and put the other one some place else for those few ports that actually need the other one.

> What would the argument be to switch MacPorts to use libressl by default?

They seem to have good goals:

It should result in a better ssl library, with fewer opportunities for vulnerabilities to be discovered, which should be good for everyone.

But if we're not interested in making libressl a prominent part of MacPorts, why was it added to MacPorts?

It was originally requested by someone who wanted to use libressl as a replacement for openssl in all ports:

More information about the macports-users mailing list