blog/public/posts/moving_back_to_openssl/index.html

2021-01-29 00:00:00 -05:00
<!DOCTYPE html>
<html class="no-js" lang="en-us" prefix="og: http://ogp.me/ns# fb: http://ogp.me/ns/fb#">
<head>
<meta charset="utf-8">
<base href="https://beckmeyer.us/">
<meta name="viewport" content="width=device-width">
<title>Moving Back To OpenSSL &ndash; Joel Beckmeyer&#39;s Blog</title>
<link rel="stylesheet" href="/css/styles.css">
<link id="theme_css" rel="stylesheet" href="/css/themes/light.css">
</head>
<body>
<input class="show-hide-menu-input" style="display:none;" autocomplete="off" type="checkbox" id="toggle-1">
<div class="main">
<div class="header">
<div class="header-content">
<div class="title">
<a href="https://beckmeyer.us/">Joel Beckmeyer&#39;s Blog</a>
</div>
<div>
<div class="header-right">
<label id="show-hide-menu-label" class="clickable-header-label" for="toggle-1">
<img class="color-adapting-image" width="30" src="/images/hamburger.svg" alt="menu button">
</label>
</div>
<label class="overlay" for="toggle-1"></label>
<div class="dont-show">
Links:
</div>
<ul class="links">
<li><a href="/">Home</a></li>
<li><a href="/contact/">Contact</a></li>
<li><a href="/posts/">Posts</a></li>
</ul>
</div>
</div>
</div>
<div class="body">
<div class="body-content">
<div class="title-header">
<h1>Moving Back To OpenSSL</h1>
<div class="title-header-date">
<time>Monday, March 22, 2021</time>
</div>
</div>
<p>Void Linux <a href="https://voidlinux.org/news/2021/02/OpenSSL.html">recently announced</a>
that they were going to move back to OpenSSL after originally <a href="https://voidlinux.org/news/2014/08/LibreSSL-by-default.html">switching to
LibreSSL in 2014</a>.
It seems that there are a lot of things at play here.</p>
<p>It seems that the main focus of the recent announcement is on the maintainability
and other difficulties of not using the <em>one true SSL/TLS library</em>. To me,
this pragmatically makes sense. However, every time something like this happens
I get this lingering feeling of worry&hellip;</p>
<p>Microsoft moving their default browser from their own implementation to
Chromium, and other browsers following suit.</p>
<p>Linux distributions moving <em>en masse</em> to <strong>systemd</strong>.</p>
<p>Distributed email being slowly crushed and killed by Google with Gmail.</p>
<p>And many other examples that aren&rsquo;t immediately coming to mind.</p>
<p>I think it&rsquo;s great that OpenSSL as a project has made a comeback from the
Heartbleed fiasco, and that it is apparently more actively developed nowadays,
but the fact that we are even at the point of moving back to OpenSSL due to
difficulties with building software is worrying. To me, it looks like a
symptom of software becoming too entrenched and dependent on a single piece
of software.</p>
<p>This kind of accusation coming from anyone is going to be hypocritical, since
we all depend on Linux, X11, Wayland, systemd, or some common piece of software
that we take for granted and don&rsquo;t lose sleep over. However, I think what&rsquo;s
categorically different about this one is that an alternative was adopted,
worked on, but eventually &ldquo;failed&rdquo; (at least for Void, but possibly for
Linux as well).</p>
<p>I don&rsquo;t know what the fix for this specific issue would be. I&rsquo;m not nearly
familiar enough with SSL/TLS or how you would develop software to be agnostic
of dependencies like this. But I think in order to honor principles like
the Unix philosophy, the KISS principle, and countless others, we need to
figure out a way to be more modular for dependency issues like this.</p>
</div>
</div>
</div>
<hr class="dont-show">
<div class="footer">
<p>Have any questions? Let me know on <a href="https://matrix.to/#/@joel:thebeckmeyers.xyz">Matrix</a>, or start a discussion on <a href="https://social.beckmeyer.us/TinfoilSubmarine">Fediverse</a>!</p>
</div>
</body>
</html>