Motivation for this change

LibreSSL 2.7 has been released in March. Since 2.6.4, a memory leak, null check, and tls_config_clear_keys() bug have been fixed, apart from other improvements.

The releases page states:

LibreSSL transitions to a new stable release branch every 6 months in coordination with the OpenBSD development schedule. LibreSSL stable branches are updated for 1 year after their corresponding OpenBSD branch is tagged for release.

If I understand correctly, this means that 2.5 is no longer supported, as 2.5.3 was tagged for OpenBSD 6.1 on April 11th, 2017, and OpenBSD 6.2 included LibreSSL 2.6.3. However, previous release notes of 2.6.3 and 2.5.3 also include “LibreSSL 2.4.x support has also ended” and “LibreSSL 2.3.x support has also ended”. The release notes of 2.7.2 (that goes with OpenBSD 6.3) did not include such a statement. I am not sure whether this is intentional, or an oversight in the release notes. In any case, it would probably be a good idea to update the default libressl to a newer version in the future.

Things done

• Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
• Built on platform(s)
  • NixOS
  • macOS
  • other Linux distributions
• Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
• Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
• Tested execution of all binary files (usually in ./result/bin/)
• Fits CONTRIBUTING.md.

The contributing guidelines say to also update the license field, but the situation for LibreSSL is complicated, I am not really sure what to put there.