Mail archive
alpine-devel

Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation

From: William Pitcock <nenolod_at_dereferenced.org>
Date: Thu, 8 Feb 2018 13:15:33 -0600

Hello,

On Thu, Feb 8, 2018 at 12:16 PM, Kevin Chadwick <m8il1ists_at_gmail.com> wrote:
> On Thu, 8 Feb 2018 12:09:38 -0600
>
>
>> > openssl 1.1 has a different situation: Akamai and the Core
>> > Infrastructure Initiative have come together to sponsor development
>> > and maintenance of openssl since we switched, which means that
>> > there's higher quality maintenance occuring now.
>>
>> This is good to hear, I didn't know about Akamai's involvement.
>
> I am fairly sure that funding was never a real issue and certainly not
> one that could explain heartbleed.

Heartbleed is explained by the support for custom allocators in
combination with their own custom allocator. This functionality was
disabled in Alpine's openssl packaging prior to Heartbleed disclosure
and was ultimately removed upstream. Much like other distributions,
we actually do look at our security-critical code and make
security-conscious decisions.

As far as funding goes, when your funding comes from consulting
contracts (adding new things to a product), then a majority of your
resources go towards adding new features. The Akamai and CII funding
is explicitly for dedicated maintenance so that there is not a
capitalistic inversion of priorities.

> Akamai is probably also one of the lead reasons why people think
> websites are secure when they are not necessarily too (akamai cert for
> akamai server for download of acme.exe). Simplicity, cost issue?

I would argue Cloudflare is a larger offender there.

William


---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Thu Feb 08 2018 - 13:15:33 GMT