Moving Back To OpenSSL
Void Linux recently announced
that they were going to move back to OpenSSL after originally switching to
LibreSSL in 2014.
It seems that there are a lot of things at play here.
It seems that the main focus of the recent announcement is on the maintainability
and other difficulties of not using the one true SSL/TLS library. To me,
this pragmatically makes sense. However, every time something like this happens
I get this lingering feeling of worry…
Microsoft moving their default browser from their own implementation to
Chromium, and other browsers following suit.
Linux distributions moving en masse to systemd.
Distributed email being slowly crushed and killed by Google with GMail.
And many other examples that aren’t immediately coming to mind.
I think it’s great that OpenSSL as a project has made a comeback from the
Heartbleed fiasco, and that it is apparently more actively developed nowadays,
but the fact that we are even at the point of moving back to OpenSSL due to
difficulties with building software is worrying. To me, it looks like a
symptom of software becoming too entrenched and dependent on a single piece
This kind of accusation coming from anyone is going to be hypocritical, since
we all depend on Linux, X11, Wayland, systemd, or some common piece of software
that we take for granted and don’t lose sleep over. However, I think what’s
categorically different about this one is that an alternative was adopted,
worked on, but eventually “failed” (at least for Void, but also possibly for
Linux as well).
I don’t know what the fix for this specific issue would be. I’m not nearly
familiar enough with SSL/TLS or how you would develop software to be agnostic
of dependencies like this. But I think in order to honor principles like
the Unix philosophy, the KISS principle, and countless others, we need to
figure out a way to be more modular for dependency issues like this.