| 1 |
On Wed, 30 Sep 2015 15:22:40 +0200 hasufell wrote: |
| 2 |
> On 09/30/2015 02:10 PM, Kristian Fiskerstrand wrote: |
| 3 |
> > On 09/30/2015 01:51 PM, Rich Freeman wrote: |
| 4 |
> > |
| 5 |
> >> I think it was fair to pause to see if somebody could come up with |
| 6 |
> >> a better solution that allows co-existence, but absent that I |
| 7 |
> >> don't see any benefit from keeping libressl out of the tree. |
| 8 |
> >> We'll just experience all the downsides of the fork without the |
| 9 |
> >> upsides. |
| 10 |
> > |
| 11 |
> > This is what worries me as well, as it increase workload and |
| 12 |
> > complexity affecting multiple projects without any immediate and |
| 13 |
> > obvious gain. |
| 14 |
> > |
| 15 |
> |
| 16 |
> I'm not sure if you have followed the link I just posted: |
| 17 |
> https://en.wikipedia.org/wiki/LibreSSL#Security_and_vulnerabilities |
| 18 |
> |
| 19 |
> 0 vs 5 high severity vulnerabilities is a pretty obvious gain. |
| 20 |
|
| 21 |
This is a poor argument, because user base of libressl is much |
| 22 |
smaller than of openssl, so probability of undiscovered issues is |
| 23 |
higher for libressl than for openssl. Yes, libressl is good at |
| 24 |
fixing openssl long-standing issues (e.g. dropping outdated code), |
| 25 |
but they may have their own critical vulnerabilities in some new |
| 26 |
functions, not present in openssl. Anyway diversity is very good |
| 27 |
for security: not everything will be affected by critical issues. |
| 28 |
|
| 29 |
The only thing bothers me that we will end up with two major |
| 30 |
packages demanding ssl implementation which can't be installed at |
| 31 |
the same time. While for now we tend to postpone solution of such |
| 32 |
problem, it is only matter of time when we'll face it. Perhaps |
| 33 |
static linking for one of the libraries will do the job, despite |
| 34 |
it sounds crasy. |
| 35 |
|
| 36 |
Still, we can go ahead and introduce some mechanism forcing static |
| 37 |
linking with libressl for consumer apps if user demands this. |
| 38 |
|
| 39 |
Best regards, |
| 40 |
Andrew Savchenko |
Archives