[arch-dev-public] OpenSSL 1.1.0

Pierre Schmitz pierre at archlinux.de
Sat Feb 11 08:36:23 UTC 2017

On 30.01.2017 14:09, Giancarlo Razzolini wrote:
> Em janeiro 30, 2017 1:05 Allan McRae escreveu:
>> Please cite one example.   Every CVE I have seen that is of at least
>> high severity has affected both.  There have been some low severity 
>> ones
>> only affecting openssl.
>> Even worse, the fix time for libressl in the couple of issues I
>> monitored was worse than openssl.
> I don't have a ready list, but I can make one, sure. One thing I can 
> say
> is that it wasn't *every*[0] high/critical CVE that affected both 
> libraries.
> And yes, I presume fix time will be somewhat worse than OpenSSL's, 
> because
> it is a portable version of a library mainly focused on OpenBSD.
> As I said, it is a suggestion for us to consider instead of going 
> OpenSSL 1.1
> way. Both will be hard, but I think in the end we would be better off 
> using
> LibreSSL.
> Cheers,
> Giancarlo Razzolini
> [0] https://en.wikipedia.org/wiki/LibreSSL

For now I'd like to keep openssl. This might change when upstream 
projects might switch to libressl. ATM I do not see an objective reason 
to do so. If it is a drop in replacement a separate package could be 



Pierre Schmitz, https://pierre-schmitz.com

More information about the arch-dev-public mailing list