[arch-dev-public] OpenSSL 1.1.0
pierre at archlinux.de
Sat Feb 11 08:36:23 UTC 2017
On 30.01.2017 14:09, Giancarlo Razzolini wrote:
> On January 30, 2017 1:05, Allan McRae wrote:
>> Please cite one example. Every CVE I have seen that is of at least
>> high severity has affected both. There have been some low severity
>> only affecting openssl.
>> Even worse, the fix time for libressl in the couple of issues I
>> monitored was worse than openssl.
> I don't have a ready list, but I can make one, sure. One thing I can
> is that it wasn't *every* high/critical CVE that affected both
> And yes, I presume fix time will be somewhat worse than OpenSSL's,
> it is a portable version of a library mainly focused on OpenBSD.
> As I said, it is a suggestion for us to consider instead of going
> OpenSSL 1.1 way. Both will be hard, but I think in the end we would be better off
> Giancarlo Razzolini
>  https://en.wikipedia.org/wiki/LibreSSL
For now I'd like to keep openssl. This might change when upstream
projects might switch to libressl. ATM I do not see an objective reason
to do so. If it is a drop in replacement a separate package could be
Pierre Schmitz, https://pierre-schmitz.com