Re: libressl in Buster?


On Sat, Nov 03, 2018 at 03:37:06PM +0100, Harald Dunkel wrote:
> On 11/1/18 4:16 PM, Reco wrote:
> > 
> > It's rather a short release cycle and a lack of feature parity with
> > openssl.
> I don't see a short release cycle as a bad feature. It's a sign of
> active and agile development.

And in Debian stable that also means that it's close to impossible to
backport security fixes to the chosen version (because it's "too old").
Updating such a fundamental library can (and probably *will*) lead to
API/ABI breakage. While tolerable at sid/testing, such things are
frowned upon at stable.

> Openssl has a bad reputation for introducing security problems,
> partly due to its complex and "dangerous code", which was the
> major reason for the fork.
> https://en.wikipedia.org/wiki/LibreSSL#History

As long as it's used - they will search for vulnerabilities in there.
And they will find them. PHP has an even worse reputation in this regard,
for example, yet you still see people who are using PHP.

IMO one should be worried about a cryptographic library that is not
mentioned at Full-Disclosure/oss-security now and then.