1 |
On Wed, 30 Sep 2015 15:22:40 +0200 hasufell wrote: |
2 |
> On 09/30/2015 02:10 PM, Kristian Fiskerstrand wrote: |
3 |
> > On 09/30/2015 01:51 PM, Rich Freeman wrote: |
4 |
> > |
5 |
> >> I think it was fair to pause to see if somebody could come up with |
6 |
> >> a better solution that allows co-existence, but absent that I |
7 |
> >> don't see any benefit from keeping libressl out of the tree. |
8 |
> >> We'll just experience all the downsides of the fork without the |
9 |
> >> upsides. |
10 |
> > |
11 |
> > This is what worries me as well, as it increase workload and |
12 |
> > complexity affecting multiple projects without any immediate and |
13 |
> > obvious gain. |
14 |
> > |
15 |
> |
16 |
> I'm not sure if you have followed the link I just posted: |
17 |
> https://en.wikipedia.org/wiki/LibreSSL#Security_and_vulnerabilities |
18 |
> |
19 |
> 0 vs 5 high severity vulnerabilities is a pretty obvious gain. |
20 |
|
21 |
This is a poor argument, because user base of libressl is much |
22 |
smaller than of openssl, so probability of undiscovered issues is |
23 |
higher for libressl than for openssl. Yes, libressl is good at |
24 |
fixing openssl long-standing issues (e.g. dropping outdated code), |
25 |
but they may have their own critical vulnerabilities in some new |
26 |
functions, not present in openssl. Anyway diversity is very good |
27 |
for security: not everything will be affected by critical issues. |
28 |
|
29 |
The only thing bothers me that we will end up with two major |
30 |
packages demanding ssl implementation which can't be installed at |
31 |
the same time. While for now we tend to postpone solution of such |
32 |
problem, it is only matter of time when we'll face it. Perhaps |
33 |
static linking for one of the libraries will do the job, despite |
34 |
it sounds crasy. |
35 |
|
36 |
Still, we can go ahead and introduce some mechanism forcing static |
37 |
linking with libressl for consumer apps if user demands this. |
38 |
|
39 |
Best regards, |
40 |
Andrew Savchenko |