Their logic is a bit weird to me; I would definitely choose a fork from professionals that rewrote everything with a security perspective over a bad library trying to be hardened.
The Void conundrum is that most software does not support LibreSSL's APIs, and that is especially rough because Void is a rolling release. OpenBSD does not write patches for the latest Qt release, so people with little crypto experience have to write those patches.
Which is a bizarre statement; all ports development happens on the OpenBSD -current branch, which is effectively a rolling release for developers/users running snapshots.
All of those projects that switched were simply expecting LibreSSL/OpenBSD to upstream support, when it hasn't got nearly the same number of developers.
Also, there were other problems with updating Qt on OpenBSD, but that was resolved. It is maintained by a single developer.
LibreSSL has all of the same problems as OpenSSL. It's just a fork from an earlier point in time, before OpenSSL did its big rewrite that came with OpenSSL 1.1.1.
I gather that LibreSSL has an (unintended) OpenSSL dependency?
"LibreSSL is composed of four parts:
- The openssl(1) utility, which provides tools for managing keys, certificates, etc.
- libcrypto: a library of cryptography fundamentals
- libssl: a TLS library, backwards-compatible with OpenSSL
- libtls: a new TLS library, designed to make it easier to write foolproof applications"
No, LibreSSL is a fork of OpenSSL that predates this vulnerability, it even predates the OpenSSL 1.1.x API break (some compatibility has since been added), and has an entirely separate and new TLS 1.3 implementation.
In a sane world, everybody would have switched to libressl ages ago.