X-Original-To: alpine-devel@lists.alpinelinux.org Received: from mail-wr0-f182.google.com (mail-wr0-f182.google.com [209.85.128.182]) by lists.alpinelinux.org (Postfix) with ESMTP id 41FD25C5CD7 for ; Thu, 8 Feb 2018 18:06:00 +0000 (GMT) Received: by mail-wr0-f182.google.com with SMTP id 111so2799557wrb.13 for ; Thu, 08 Feb 2018 10:06:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:subject:message-id:in-reply-to:references:mime-version :content-transfer-encoding; bh=Rx/mePv/dkqXzpJ6JL5UaxA9h8Wxp6Xa05eSDexmGWs=; b=erO1WghtGIKGWdvqvZPYKIhWImedbQ6D7JyQyEoF4hOkNwDCUXORUXhTW8ibNB2tx1 RUi898httb5UjXaYyDBB/VJBp4ezpVf4fyfrY4CZ2ZaiLif9lWp/wddA6M7TAWsGCp87 fOZvQQP+naYSortliAgzVYk2lauNVOhkUnBttOPjGyCLyHnkib7yZ4wR4mtrBe7neHdc dG8iBcqbRah4MWdW2xi5TKT/m2PH6k+az0PVvuQQQrw/edMl4x0Nr6rMgdjNSY5goAxU UFaEXCZP7gaoM862Wfh5K73mMDT4jVy0xUPEkExb0jlDJ4B5BGjr4JwUa1Npxhv43KD8 DU3g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:subject:message-id:in-reply-to :references:mime-version:content-transfer-encoding; bh=Rx/mePv/dkqXzpJ6JL5UaxA9h8Wxp6Xa05eSDexmGWs=; b=LdnXXZjUmq+j7HtzFKl9byWS50orz0YTDzdK7VLc4Do6HV9mZ27Q9FAZX19zsIzqAv PLjOchuY19hhvHeTR91o9WGDkAzChnXtxkWdEtBnL6W2w3e7P7PPLzx/nP/MuCFSbHLF pi5YQQ1+l+xWWy6/+TFPfcFn4LLQQNWLGkOW7C8fqkePZ0I8AxKhvdHlX0tjncoNyN9f uWmowfmHf6hH6p7ONhgnGcAuqxXEm1b6nPU/EWLztk2ZYM7ssj+uHoVpYED1FX39Esmo BhkOxDjbZCqzc/fJ6HFPtyj/VYm9rbDWEJ2FR0VmYGMjLKVGCWo3jNd1H9VPADHQkKnm yq6Q== X-Gm-Message-State: APf1xPCV7B+g8As/nTCFSMkKqW5TUWIHUHvxLcK8mjt935EDYgydzGec PMh94myQc/+i3wYfms29xRLQntg= X-Google-Smtp-Source: AH8x2257SiASoeWHWjUhW4e07rigOuyL1gbXZ0Gu1W8kUtOHah4yyjHFg2RsaCaqn9pnPc388Yf12Q== X-Received: by 10.223.157.200 with SMTP id q8mr21781wre.205.1518113159174; Thu, 08 Feb 2018 10:05:59 -0800 (PST) Received: from mechanicum.chadwicks.me.uk (mail.oesys.co. [82.71.11.172]) by smtp.gmail.com with ESMTPSA id t14sm483606wmc.23.2018.02.08.10.05.58 for (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 08 Feb 2018 10:05:58 -0800 (PST) Date: Thu, 8 Feb 2018 18:05:44 +0000 From: Kevin Chadwick To: alpine-devel@lists.alpinelinux.org Subject: Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation Message-ID: <20180208180544.3ff19e66@mechanicum.chadwicks.me.uk> In-Reply-To: References: X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Thu, 8 Feb 2018 11:23:26 -0600 > Meanwhile, the libressl guys have been removing > functionality we depend on, such as support for hardware accelerators > (ENGINE apis), switching from 64-bit TAIN date calculations to time_t > (because time_t is good enough on OpenBSD) and dropping openssl 1.0.1 > APIs they see as unsuitable. This is a strange take on the situation to say the least. Apis were dropped for good reasons and they have committed to implementing new API components that seem sensible and are most desired. However the primary goal is security not functionality and if anything you could argue that OpenSSL is still way too complex to be fit for purpose. Multiple CVEs have been avoided by LibreSSL already. > > libressl promised to retain compatibility with 1.0.1g APIs, but has > failed to do so. I am not clear on the versions but I do know that they promised to be a replacement at the time and whilst I am not really involved I have seen comments that OpenSSL seem to be purposefully causing issues. > As such, there is an increasing workload to keep > packages compatible with libressl as it evolves. Therefore, it is > obviously not truly a suitable provider for the openssl package, and > we should switch back to proper openssl as the default. We will Do you have a list of packages at all? proper!?!? I guess LibreSSL has less resources and hope that is what you meant. I believe the key protection improvements were/are better in LibreSSL and so the fix for heartbleed was properly done! I understand your workload point and that Alpine is far from in control over this but I don't like how this mail has been written and wonder what environment caused that? Also, there are other libraries like mbedtls and boring ssl, aren't these packages breaking compatibility with them and reducing their scope? (Not an alpine issue of course) So maybe the packages like Python have an agenda or should slow down? Python could also remove RWX memory requirements by default as a higher priority? (Python, saying they want to remove existing code for more security (would it be compiled) but that the existing code is secure). Have they audited the OpenSSL code themselves? I understand the joy of code deletion however ;) > however retain libressl for packages which require it (for example, > ones using the new libtls APIs). A properly simple and secure API? > If there is no objection to this proposed change, I intend to do the > swap next week. No objection, just not impressed. Alpine could make a stand but what difference would it make. --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---