So, why LibreSSL went with a 2+ year old version of that file?
The LibreSSL philosophy is to (at least initially) clean up the parts of OpenSSL that are "cruft". E.g. dropping support for long-dead computer architectures and protocols, removing homebrew malloc(). Stuff like that.
The LibreSSL guys have tried to stay away from the highly tricky crypto stuff. Messing with that could have serious security implications. They can address math and crypto later. For now there's still a lot of low hanging fruit they can pick.
I'm aware of that but it seems specially interesting that they decided to go with a specific old version of some files. I don't think this kind of decision was ever made public, was it?
The general clean up idea is mentioned all over, but selecting old versions of specific files is not.
I don't think this kind of decision was ever made public, was it?
Not that I'm aware of. I follow the misc, tech, and libressl mailing lists and there seems to be a lot of OpenBSD related stuff missing from there. I think the cabal uses other, more private, more informal, means of communication for a lot of their discussions and decisions.
selecting old versions of specific files
But did they really select an old version? Rather, perhaps they just declined to pull the changes that the OpenSSL people made.
The LibreSSL philosophy is to (at least initially) clean up the parts of OpenSSL that are "cruft". E.g. dropping support for long-dead computer architectures and protocols, removing homebrew malloc(). Stuff like that.
The LibreSSL guys have tried to stay away from the highly tricky crypto stuff. Messing with that could have serious security implications. They can address math and crypto later. For now there's still a lot of low hanging fruit they can pick.