[arch-dev-public] OpenSSL 1.1.0
grazzolini at archlinux.org
Mon Jan 30 13:09:20 UTC 2017
On January 30, 2017 1:05 Allan McRae wrote:
> Please cite one example. Every CVE I have seen that is of at least
> high severity has affected both. There have been some low severity ones
> only affecting openssl.
> Even worse, the fix time for libressl in the couple of issues I
> monitored was worse than openssl.
I don't have a ready list, but I can make one, sure. One thing I can say
is that it wasn't *every* high/critical CVE that affected both libraries.
And yes, I presume fix time will be somewhat worse than OpenSSL's, because
it is a portable version of a library mainly focused on OpenBSD.
As I said, it is a suggestion for us to consider instead of going the OpenSSL 1.1
way. Both will be hard, but I think in the end we would be better off using