[arch-dev-public] OpenSSL 1.1.0

Giancarlo Razzolini grazzolini at archlinux.org
Sun Jan 29 22:30:18 UTC 2017


On January 29, 2017 20:04 Doug Newgard wrote:
> 
> I haven't heard all that much from/about LibreSSL since shortly after the fork.
> Care to share what advantages it would bring, and at what cost?
> 

The cost for rebuilding everything against OpenSSL 1.1 will probably be a big one.
For LibreSSL, it would be even bigger. I think the main advantage, right away, is
that LibreSSL has a considerably better security track, especially after their huge
flensing.

I can only dream about the bugs that might lurk on both OpenSSL 1.1 and LibreSSL.
But the defensive approach OpenBSD takes on LibreSSL already has paid off in terms
of CVEs that didn't affect it, but were high/critical issues on OpenSSL.

It would be a considerable effort, but since there will be some for 1.1, I thought
this to be the perfect opportunity for pushing an effort for LibreSSL instead.

I'm as of now searching Void and Alpine bug trackers for learning the issues they
faced (we should/could learn from theirs). We would probably need to bootstrap the
core tools like makepkg, pacman, curl, etc with static OpenSSL support for a while,
to make sure users can smoothly upgrade. Otherwise, I expect LibreSSL to be as much
compatible with the userland software as OpenSSL is.

Cheers,
Giancarlo Razzolini