On Wed, 04 Mar 2015 14:49:02 -0500 Anthony G. Basile wrote:
> On 03/04/15 13:50, hasufell wrote:
> > As one of the contributors of the gentoo libressl ebuild overlay [0]
> > I've been asked to retweet the libressl/openbsd call for donation in
> > 2015 [1].
> >
> > Since a lot of people think of gentoo in terms of "freedom of choice", I
> > think the gentoo community might be interested to endorse the efforts of
> > the libressl developers.
> >
> > I don't intend to regularly post fundraising requests, but since openssl
> > is such a fundamental part of our operating system and internet
> > security, I guess it makes sense to raise awareness here.
> >
> >
> > --
> > [0] https://github.com/gentoo/libressl
> > [1] http://www.openbsdfoundation.org/campaign2015.html
> >
>
> Thank you for posting this. I understand and share your caution about
> posting about fundraisers, but there are a few issues worth
> "retweeting". I think this is one.
>
> openssl + heartbleed and all that made me aware how tenuous some
> critical opensource projects are. Another example is bash. Yet another
> is gpg. It's good to get the word out.

The fact that closed projects don't disclose such vulnerability
information doesn't imply there are none there. And the fact that
there is no public audit of the code implies that code quality is
much worse, so more critical bugs are there.

As for libressl, the idea of the project is good, but what worries me
is that it is API incompatible with other solutions. So it can't be
used as a drop-in replacement for openssl or other implementations.
This way more resources are being dispersed for nothing.

Best regards,
Andrew Savchenko