Joel Beckmeyer's Homepage

Moving Back To OpenSSL

Void Linux recently announced that they were going to move back to OpenSSL after originally switching to LibreSSL in 2014. It seems that there are a lot of things at play here.

It seems that the main focus of the recent announcement is on the maintainability and other difficulties of not using the one true SSL/TLS library. To me, this pragmatically makes sense. However, every time something like this happens I get this lingering feeling of worry…

Microsoft moving their default browser from their own implementation to Chromium, and other browsers following suit.

Linux distributions moving en masse to systemd.

Distributed email being slowly crushed and killed by Google with Gmail.

And many other examples that aren’t immediately coming to mind.

I think it’s great that OpenSSL as a project has made a comeback from the Heartbleed fiasco, and that it is apparently more actively developed nowadays, but the fact that we are even at the point of moving back to OpenSSL due to difficulties with building software is worrying. To me, it looks like a symptom of software becoming too entrenched and dependent on a single piece of software.

This kind of accusation coming from anyone is going to be hypocritical, since we all depend on Linux, X11, Wayland, systemd, or some common piece of software that we take for granted and don’t lose sleep over. However, I think what’s categorically different about this one is that an alternative was adopted, worked on, but eventually “failed” (at least for Void, but also possibly for Linux as well).

I don’t know what the fix for this specific issue would be. I’m not nearly familiar enough with SSL/TLS or how you would develop software to be agnostic of dependencies like this. But I think in order to honor principles like the Unix philosophy, the KISS principle, and countless others, we need to figure out a way to be more modular for dependency issues like this.