[Pkg-openssl-devel] Any intent to maintain quictls ?

Willy Tarreau w at 1wt.eu
Wed Oct 27 11:05:09 BST 2021


Hello,

like many other opensource project maintainers [1], I was particularly disappointed by the OpenSSL team finally giving up on QUIC support for the short term, leaving many projects without any reasonable solution for more years to come [2]. Right now everyone's work seems to be based on either BoringSSL (which doesn't provide any stable branch because it's not the project's goal), or quictls [3], which is a maintained fork of OpenSSL, and was the subject of the PR created 2.5 years ago that OpenSSL finally decided to give up on.

My concerns are that the only practical solution for HTTP implementers now will be to build their SSL library themselves, and very likely to ship static builds to ease the task for end users, which will be terrible in terms of security updates. And even if a few users decide to build quictls by themselves, maintaining such a package is not an easy task that should be taken lightly, and we all know how it ends up: updates are performed at the beginning, and then once everything works and due to lack of time, the library is no longer updated.

Given that quictls is provided as a constantly rebased patchset on top of the regular openssl tree, wouldn't it make sense for distro packagers to provide them both, maybe the regular openssl package and the one supporting QUIC? The maintenance effort regarding security updates would essentially be the same since the code base would be the same, it would "just" require updating the two packages each time some fixes have to be applied.

I'm well aware that it would add some maintenance burden, but if the OpenSSL project team decides to ignore users' requests for several years, it's cornering itself out of the real-world needs unfortunately, and I'm afraid we'll have to deal with another libressl-like episode, or worse, self-maintenance. That's why I'm asking about package maintainers' opinion here.

Thanks,
Willy Tarreau - haproxy maintainer

(PS: please keep me CCed, I'm not on the list)

---
[1] https://github.com/openssl/openssl/pull/8797#issuecomment-942442176
[2] https://www.mail-archive.com/openssl-project@openssl.org/msg02585.html
[3] https://github.com/quictls/openssl

