[arch-dev-public] OpenSSL 1.1.0
Pierre Schmitz
pierre at archlinux.de
Sat Feb 11 08:36:23 UTC 2017
On 30.01.2017 14:09, Giancarlo Razzolini wrote:
> On January 30, 2017 1:05 Allan McRae wrote:
>>
>> Please cite one example. Every CVE I have seen that is of at least
>> high severity has affected both. There have been some low severity
>> ones only affecting openssl.
>>
>> Even worse, the fix time for libressl in the couple of issues I
>> monitored was worse than openssl.
>>
>
> I don't have a ready list, but I can make one, sure. One thing I can
> say is that it wasn't *every*[0] high/critical CVE that affected both
> libraries.
>
> And yes, I presume fix time will be somewhat worse than OpenSSL's,
> because it is a portable version of a library mainly focused on OpenBSD.
>
> As I said, it is a suggestion for us to consider instead of going the
> OpenSSL 1.1 way. Both will be hard, but I think in the end we would be
> better off using LibreSSL.
>
> Cheers,
> Giancarlo Razzolini
>
> [0] https://en.wikipedia.org/wiki/LibreSSL
For now I'd like to keep openssl. This might change when upstream
projects switch to libressl. ATM I do not see an objective reason
to do so. If it is a drop-in replacement, a separate package could be
provided.
Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com