
Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?



Moritz Mühlenhoff <jmm@inutil.org> wrote:
>> are introducing BoringSSL, a fork of OpenSSL by Google. The latest
>> Android OS and its SDK no longer use OpenSSL and they use some APIs
>> only provided by BoringSSL, hence we are bringing BoringSSL to Debian.
>> You can see the ITP at <https://bugs.debian.org/823933>.
>
> No, that's not acceptable. You can try to provide those additional APIs
> on top of OpenSSL, but we're not going to support an entire OpenSSL
> fork just for Google's NIH syndrome.

Even upstream advises against that, BTW:
Quoting from https://boringssl.googlesource.com/boringssl/:

| BoringSSL is a fork of OpenSSL that is designed to meet Google’s needs.
| Although BoringSSL is an open source project, it is not intended for general
| use, as OpenSSL is. We don’t recommend that third parties depend upon it.
| Doing so is likely to be frustrating because there are no guarantees of
| API or ABI stability.

Alternatively you could only keep it in unstable (by blocking it from
transitioning to testing with an RC bug), but that would of course keep
the Android SDK limited to sid as well (which might be acceptable given
that it's for development on a rather fast-moving target anyway).

Cheers,
        Moritz

