[arch-dev-public] OpenSSL 1.1.0
Giancarlo Razzolini
grazzolini at archlinux.org
Mon Jan 30 13:09:20 UTC 2017
Em janeiro 30, 2017 1:05 Allan McRae escreveu:
>
> Please cite one example. Every CVE I have seen that is of at least
> high severity has affected both. There have been some low severity ones
> only affecting openssl.
>
> Even worse, the fix time for libressl in the couple of issues I
> monitored was worse than openssl.
>
I don't have a ready list, but I can make one, sure. One thing I can say
is that it wasn't *every*[0] high/critical CVE that affected both libraries.
And yes, I presume fix time will be somewhat worse than OpenSSL's, because
it is a portable version of a library mainly focused on OpenBSD.
As I said, it is a suggestion for us to consider instead of going OpenSSL 1.1
way. Both will be hard, but I think in the end we would be better off using
LibreSSL.
Cheers,
Giancarlo Razzolini
[0] https://en.wikipedia.org/wiki/LibreSSL
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 870 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-dev-public/attachments/20170130/addd09f1/attachment.asc>
More information about the arch-dev-public
mailing list