On February 11, 2017 6:36 Pierre Schmitz wrote:

For now I'd like to keep openssl. This might change when upstream projects might switch to libressl. ATM I do not see an objective reason to do so. If it is a drop-in replacement a separate package could be provided.


Sure, as I said, it was just an idea. LibreSSL is mostly a drop-in replacement. I was taking some time to analyze the Void and Alpine switch and they had some issues that they sorted out. OpenBSD had the same issue with their ports (several patches were sent upstream) and they detected several poor usages of the OpenSSL library.

Some of the poor usage was bad coding practices, and some was because the library itself allowed it. I think most upstream projects won't change to LibreSSL, either the OpenSSL-compatible API or their libtls, for lack of interest in changing the status quo. For some projects there is also money involved, but that's another issue entirely.

I don't know if this is a chicken-and-egg issue, because downstream doesn't switch to LibreSSL because upstream doesn't use LibreSSL, and so on. The main reason to switch would be better security overall. But a secondary effect of that would be to force upstream's hand to either code properly or use a different library altogether.

If you are willing I could try to create a separate LibreSSL package, so individual maintainers could build against either. I just don't see it being sustainable in the long run.

Cheers,
Giancarlo Razzolini

