| 1 |
On Wed, 04 Mar 2015 14:49:02 -0500 Anthony G. Basile wrote: |
| 2 |
> On 03/04/15 13:50, hasufell wrote: |
| 3 |
> > As one of the contributors of the gentoo libressl ebuild overlay [0] |
| 4 |
> > I've been asked to retweet the libressl/openbsd call for donation in |
| 5 |
> > 2015 [1]. |
| 6 |
> > |
| 7 |
> > Since a lot of people think of gentoo in terms of "freedom of choice", I |
| 8 |
> > think the gentoo community might be interested to endorse the efforts of |
| 9 |
> > the libressl developers. |
| 10 |
> > |
| 11 |
> > I don't intend to regularly post fundraising requests, but since openssl |
| 12 |
> > is such a fundamental part of our operating system and internet |
| 13 |
> > security, I guess it makes sense to raise awareness here. |
| 14 |
> > |
| 15 |
> > |
| 16 |
> > -- |
| 17 |
> > [0] https://github.com/gentoo/libressl |
| 18 |
> > [1] http://www.openbsdfoundation.org/campaign2015.html |
| 19 |
> > |
| 20 |
> |
| 21 |
> Thanks you for posting this. I understand and share your caution about |
| 22 |
> posting about fundraisers, but there are a few issues worth |
| 23 |
> "retweeting". I think this is one. |
| 24 |
> |
| 25 |
> openssl + heartbleed and all that made me aware how tenuous some |
| 26 |
> critical opensource projects are. Another example is bash. Yet another |
| 27 |
> is gpg. Its good to get the word out. |
| 28 |
|
| 29 |
The fact that closed projects don't disclosure such vulnerability |
| 30 |
information doesn't imply there are none there. And the fact that |
| 31 |
there is no public audit of the code implies that code quality is |
| 32 |
much worse, so more critical bugs are there. |
| 33 |
|
| 34 |
As for libressl, idea of the project is good, but what worries me |
| 35 |
that it is API incompatible with other solutions. So it can't be |
| 36 |
used as a drop-in replacement for openssl or other implementations. |
| 37 |
This way more resources are being dispersed for nothing. |
| 38 |
|
| 39 |
Best regards, |
| 40 |
Andrew Savchenko |
Archives