muckrights-sans-merde
bonum fabula frat
### addressing-ryans-libressl-concerns
*originally posted:* oct 2021
ryans blog posts feature heavily in muckrights this month, which means that for better or worse im subjected to them also. we are certainly fans of different things, but some of his critiques are spot-on. im happy, at least, that someone is giving debian a proper skewering now and then-- theyve certainly abandoned whatever principles made them debian many years ago; but that much isnt news. if you read ryans posts, some of those do actually contain news. his blog probably has more focus on current events than muckrights or ewwfs.
i dont think ryan shares roys absurd (and fact-free) anti-openbsd bent, which means the following mistake im going to address is probably an honest one. i wont even go out of my way to refute it-- my retort is probably good enough, we will find out later. after all, a simple and honest mistake typically doesnt need to be taken down with both barrels: http://techrights.org/2021/10/12/windows-nsa/
> Some GNU/Linux distros tried switching to LibreSSL, but that turned out to be an even bigger disaster in some ways because the OpenBSD people consider the Apache 2 license to be “non-Free” because it doesn’t allow patent trolls to give you a program and then sue you for using it, and since OpenSSL is now under that license,
this isnt something that openbsd and i fully agree on, but they have a commitment to their users to protect them from copyleft and contract-like licenses. i honestly think its probably a bit dubious and naive on their part, but since im not an expert on licenses or contracts, its hard to say for sure.
i do know that licenses and contracts work differently, and i do know that openbsd goes to great lengths (and also fails to some degree) to provide a contract-free system-- while copylefted systems go in another direction entirely, and try to solve patent issues (its probably good that they do-- even gpl2 did implicitly).
i personally have nothing against apache 2, ive even defended it this year. though these days the copyleft license i lean the closest to promoting is agpl3-- i promote a large project that promotes agpl3 heavily. and i think agpl3 is probably better than apache 2.
while im willing to quibble with the phrasing in the above half-paragraph, the part i really wanted to address was this:
> it means they can’t just pull code from it, and pretty much all hope of remaining API/ABI compatible or something close to it went out the window.
abi compatibility was never promised in the first place, and libressl is a fork. years from now, probably nobody is going to care about openssl compatibility-- theyll be used to libressl requiring certain conventions, as it always has; and theyll be used to openssl being increasingly awful, insecure and unusable. they still have a choice.
libressl has promised certain amounts of api compatibility on the other hand, and theres no reason to assume that not being able to grab code directly from openssl will change this (certainly not entirely). libressl was forked to make certain design decisions differently, its api compatibility doesnt depend entirely on code from openssl in the first place, and projects like libressl ultimately have a comparable ability to attract developers who know what theyre doing as openssl ultimately will.
consider the number of free/open apis that have been reimplemented, regardless of codebase or license compatibility already. i dont know why ryan hasnt. since (even as an honest mistake) his argument is at least a bit of a straw man, im going to also make a bit of a straw man here, though its mostly to illustrate (and exaggerate) the fallacy hes using:
imagine someone looking at libreoffice years ago, and saying "now that openoffice has switched to a proprietary license, libreoffice will never be able to load and save odf properly".
its a straw man, but its not too far off: libreoffice is where the best developers went (i say this objectively, not as a fan-- not even a user-- of libreoffice) and odf is not something that libreoffice developers need openoffice developer help with. unlike libreoffice, libressl wasnt even forked over a license issue, but security problems that went too far for too long, and libressl aims to be higher-quality, higher-reliability software, from people with a (relatively) no-bullshit reputation.
i dont think ryan is doing libressl real justice here, but he could still be right in the long run and hes certainly entitled to an opinion. thats what blogs (and websites like this one) are for. sadly, roy is probably going to take every critique ryan does make of openbsd (accurate, speculative, or otherwise) and run as far with it as he can-- he has already done so with my own research, misusing, misattributing and misrepresenting it for his own petty reasons.
none of which is ryans fault, but i hope he wont give roy needless anti-openbsd ammunition. when it comes to slagging off openbsd, roy doesnt care about facts in the slightest. he didnt even care about slagging openbsd, until i started saying good things about it.
as to whether commenting on ryans posts is to become a regular feature-- id rather avoid it when possible. we have different goals and different approaches, and while defending openbsd from bullshit on muckrights is one of the goals of this website, ive already seen ryan say perfectly reasonable things about openbsd on his blog. hes definitely not the reason this website exists, nor do i think thats likely to change; not much, at least.
=> https://muckrights-sans-merde.neocities.org