Mail archive
alpine-devel

Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation

From: Alba Pompeo <albapompeo_at_gmail.com>
Date: Sat, 10 Feb 2018 09:32:29 -0200

>switching from 64-bit TAIN date calculations to time_t
Is there a specific upstream commit that did that?
Couldn't in theory Alpine just revert the commit and keep it as a local patch?
Just throwing the idea out there...

On Sat, Feb 10, 2018 at 9:17 AM, Kevin Chadwick <m8il1ists_at_gmail.com> wrote:
> This is my last cross post as I am in danger or have already abused
> your list likely at least in some people's eyes.
>
> It seems like a strong argument to make upstreams reconsider to me. I
> know security is an intangible asset and they likely won't care.
> Though I think that lesson is becoming more widely understood, so maybe.
>
>
> Theo posted this
> ________________________________________________________________________
>
>> It isn't just this. Qt 5.10 introduces new dependency on OpenSSL 1.1
>> APIs for improved security, and LibreSSL does not implement those APIs
>> at all.
>
> The 1.1 API does not improve security.
>
> If anything, the new API requires you to repeat the same or similar
> arguments to many functions, and in many ways the API is much more
> fragile. Also, more memory allocation and free is required, and as a
> result quite a few software upgrades to 1.1 API have had memory leaks,
> as well as use-after-free and double-free bugs.
>
> A very large patch for converting openssh to 1.1 was provided by folk
> who very much know the API, and it had several stupid and quite
> dangerous mistakes of that sort.
>
> Don't believe all the promises you hear.
>
>
> ---
> Unsubscribe: alpine-devel+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-devel+help_at_lists.alpinelinux.org
> ---
>


Received on Sat Feb 10 2018 - 09:32:29 GMT