[arch-dev-public] OpenSSL 1.1.0

Giancarlo Razzolini grazzolini at archlinux.org
Sun Feb 12 14:25:15 UTC 2017


On February 11, 2017 6:36 Pierre Schmitz wrote:
> 
> For now I'd like to keep openssl. This might change when upstream 
> projects might switch to libressl. ATM I do not see an objective reason 
> to do so. If it is a drop in replacement a separate package could be 
> provided.
> 

Sure, as I said, it was just an idea. LibreSSL is mostly a drop-in replacement.
I was taking some time to analyze the Void and Alpine switch and they had some issues
that they sorted out. OpenBSD had the same issue with their ports (several patches
were sent upstream) and they detected several poor usages of the OpenSSL library.

Some of the poor usage was bad coding practices, and some was because the library
itself allowed it. I think most upstream projects won't change to LibreSSL, either
OpenSSL compatible, or their libtls, for lack of interest in changing the status
quo. For some projects there is also money involved, but that's another issue
entirely.

I don't know if this is a chicken-egg issue, because downstream doesn't switch to
LibreSSL because upstream doesn't use LibreSSL, and so on. The main reason to switch
would be better security overall. But a secondary effect of that would be to force
upstream's hand to either code properly or use a different library altogether.

If you are willing I could try to create a separate LibreSSL package, so individual
maintainers could build against either. I just don't see it being sustainable in the
long run.

Cheers,
Giancarlo Razzolini