Christian Pedaschus <[email protected]> wrote: > On Tue, 10 Jun 2014 12:14:46 -0600 > Theo de Raadt <[email protected]> wrote: > > > > I was reading stuff in misc@ about OpenSSL broken things. I see > > > people from OpenBSD started LibreSSL project and they are forking > > > OpenSSL and remove the bad code. This is past, but I see more and > > > more lesions are discovered. It may be a stupid question, but > > > having all these, isn't more efficient to start LibreSSL from zero? > > > > Impossible. > > > > The OpenSSL API was built up through accretion over almost 2 decades. > > It is fat, bloated, repetitive, and tricky. In general, application > > authors have chosen to use the first API's they spot which provide the > > functionality they need. As a result, almost all of the bloated API > > is potentially used in the greater ecosystem. > > > > It is quite simply impossible to reinvent this particular wheel. Any > > effort to reinvent it would be highly incompatible. Features and > > warts are too closely coupled. > > wouldn't it be a feature? > less warts, less bugs, less features, less compatible, but secure? > > how many ciphers do we need, to retrieve websites/mails over a secure > channel? (i'm not a crypto guy, would love to get an answer. my bet: 1). > > are exotic 1995 devices really worth the trouble? > > regards, chris
First you want LibreSSL to be widely used. Then you get to deprecate bad features. Trying to depracate bad features in another project is doomed to fail. It would be like WINE announcing that certain Win32 APIs are gone. In the event that LibreSSL is never used by anyone except OpenBSD, removing bad features is just going to require us to get OpenSSL from packages/ports. -- Martin
