Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation

From: A. Wilcox
Date: Sat, 10 Feb 2018 12:16:18 -0600

On 02/10/18 09:45, Kevin Chadwick wrote:
> Where would they get a 1970 cert from that was trusted?

I like how it was already pointed out, by you and possibly others, on
openbsd-misc *and* this list, that most people do not use the CA / SAN
verification routines correctly.

Then you mention that "well, invalid certs like that shouldn't be trusted".

You can't have it both ways. In an ideal world none of this would
matter anyway because we'd have better libraries with better security
and an actually competently-designed API. Or, even, in a truly ideal
world, security wouldn't be necessary because there wouldn't be bad
actors and nation states that try to commit atrocities to others.

This isn't either of those ideal worlds. We have bad code written with
bad libraries in mind that have bad security and badly designed APIs.
(I'm including OpenSSL *and* LibreSSL in that. I'd probably add GnuTLS
for its terrible DANE fallback code and mbedTLS for terrible CRL API.)

On top of that, we have standards that are ignorant, we have deficient
ABIs that still exist so some companies and governments can continue to
run binaries from the Clinton administration, we have Google running the
Web, we have world hunger....

Alpine's goals do not include "fix the world". Adélie's goals are only
very tangentially related to "fix the world". Neither of our projects'
goals are "port everything to LibreSSL", and if anything, I'd expect
that to be a LibreSSL or possibly OpenBSD project goal.

"But it isn't about the number of users! It's about quality!"

I can go three ways with this:

1) Quality in a vacuum is useless. If nobody uses it, you still haven't
improved the world at all.

2) If it isn't about the number of users, why does the LibreSSL
Evangelism Strikeforce come out every time a project says they want to
use OpenSSL instead?

3) If it's about quality and not number of users, why not just make a
brand new libtls that doesn't depend on *any* OpenSSL code and try to
convince people to use that, instead of making an API promise ("we are
1.0.1g compliant! honest!") you never actually intended to keep?

> I cross posted because reluctance to communicate
> between Linux and OpenBSD devs is well known. OpenBSD devs are blunt
> but they don't have time to be anything else.

Bluntness is not a problem for me. (Consider this message.) In fact,
bluntness is good, because it means there is no fluffy text to sift
through, just technical discussion.

The problem with the OpenBSD community is not bluntness. Arrogance and
trolling are problems for me. And you know what? Honestly, I don't
find too many OpenBSD devs have that problem. Their users, however...
their users...


A. Wilcox (awilfox)
Project Lead, Adélie Linux

Received on Sat Feb 10 2018 - 12:16:18 UTC