Mail archive
alpine-devel

Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation

From: Kevin Chadwick <m8il1ists_at_gmail.com>
Date: Thu, 8 Feb 2018 22:40:32 +0000

On Thu, 8 Feb 2018 13:33:58 -0600


> > You clearly do not know about the extra protections and priviledge
> > separation in LibreSSL!!!
>
> You must be talking about Pledge, which allows LibreSSL to declare
> what system calls it will and will not be using. Of course, Pledge
> is only available in OpenBSD.

No, Pledge is not priviledge seperation or even close to it, though it
does benefit from it!

Buffer overflows are far less dangerous with priviledge separation
deployed and no the way you compile Alpine will not accomplish anything
like proper priviledge seperation.

I guess you can see how with libtls then heartbleed would have had
much less affect. OpenBSD have been pioneering in depth use of
priviledge seperation with layers of security on top for years,
_______________________________________________________________________

As the OpenBSD 5.7 development effort comes to a close, so does the
LibreSSL 2.1.x branch. The next release will begin the 2.2.x development
branch.

User-visible features:

  * Improvements to libtls:
    - a new API for loading CA chains directly from memory instead of a
      file, allowing verification with privilege separation in a chroot
      without direct access to CA certificate files.
________________________________________________________________________

Qmail, Postfix and Dovecot are the original examples of priviledge
separation though OpenBSD has taken it to new levels since throughout
it's daemons.

In fact. I don't think pledge was really around at the time anyway.


---
Unsubscribe:  alpine-devel+unsubscribe_at_lists.alpinelinux.org
Help:         alpine-devel+help_at_lists.alpinelinux.org
---
Received on Thu Feb 08 2018 - 22:40:32 GMT