ChristopherSchultz commented on PR #13: URL: https://github.com/apache/tomcat-native/pull/13#issuecomment-1194779432
> > there would need to be an appropriate Panama module > > What exactly is this? The plan is to migrate to Panama to avoid having to ship libtcnative at all, at which point everything is in Java. Right now, all the glue for the crypto library is in native C code in libtcnative which is potentially dangerous. Moving to Panama allows us to remove all native code that doesn't belong to the crypto library. > There used to be a comparison graph for libressl and openssl security issues showing how many security issues openssl introduced have never affected libressl, but its been years since I seen it and I am not sure where that was. However comparing the number of CVEs for libressl and openssl is a huge difference. I'm going to really need a citation here. Forking a library, removing all the irrelevant code and claiming you have a new product with no security issues isn't really fair from a comparison perspective. If I fork OpenSSL to create ChriSSL tomorrow and just delete all the sources, I guarantee it'll never have any CVEs filed against it. > Arguably more people are submitting them for the latter. Yes, CVEs are typically assigned to a single product. I'd be interested to see how many CVEs from the past few years filed against OpenSSL were also (silently) fixed in LibreSSL who gets a pass for those same issues. > I don't have the qualifications to conclusively argue which one is a better or worse ssl implementation[...] I haven't studied the code, but I know a great deal of effort was put into simply removing code deemed unnecessary by the LibreSSL team. I have no idea how much re-writing of any code they have done since then. My guess is that they are still largely the same (minus the removals, of course). -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
