[arch-dev-public] OpenSSL 1.1.0

Giancarlo Razzolini grazzolini at archlinux.org
Mon Jan 30 13:09:20 UTC 2017


On January 30, 2017 1:05, Allan McRae wrote:
> 
> Please cite one example. Every CVE I have seen that is of at least
> high severity has affected both.  There have been some low severity ones
> only affecting openssl.
> 
> Even worse, the fix time for libressl in the couple of issues I
> monitored was worse than openssl.
> 

I don't have a ready list, but I can make one, sure. One thing I can say
is that it wasn't *every*[0] high/critical CVE that affected both libraries.

And yes, I presume fix time will be somewhat worse than OpenSSL's, because
it is a portable version of a library mainly focused on OpenBSD.

As I said, it is a suggestion for us to consider instead of going the OpenSSL 1.1
way. Both will be hard, but I think in the end we would be better off using
LibreSSL.

Cheers,
Giancarlo Razzolini

[0] https://en.wikipedia.org/wiki/LibreSSL