From: Kevin Chadwick
To: alpine-devel@lists.alpinelinux.org
Date: Thu, 8 Feb 2018 22:40:32 +0000
Subject: Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation
Message-ID: <20180208224032.3942ce38@mechanicum.chadwicks.me.uk>
References: <20180208180544.3ff19e66@mechanicum.chadwicks.me.uk> <20180208192207.7e0da20a@mechanicum.chadwicks.me.uk>

On Thu, 8 Feb 2018 13:33:58 -0600
> > You clearly do not know about the extra protections and privilege
> > separation in LibreSSL!!!
>
> You must be talking about Pledge, which allows LibreSSL to declare
> what system calls it will and will not be using. Of course, Pledge
> is only available in OpenBSD.

No, Pledge is not privilege separation or even close to it, though it does
benefit from it! Buffer overflows are far less dangerous with privilege
separation deployed, and no, the way you compile Alpine will not accomplish
anything like proper privilege separation. I guess you can see how, with
libtls, Heartbleed would have had much less effect.

OpenBSD have been pioneering in-depth use of privilege separation with layers
of security on top for years:

_______________________________________________________________________
As the OpenBSD 5.7 development effort comes to a close, so does the
LibreSSL 2.1.x branch. The next release will begin the 2.2.x development
branch.

User-visible features:

  * Improvements to libtls:
    - a new API for loading CA chains directly from memory instead of a
      file, allowing verification with privilege separation in a chroot
      without direct access to CA certificate files.
________________________________________________________________________

Qmail, Postfix and Dovecot are the original examples of privilege separation,
though OpenBSD has taken it to new levels since throughout its daemons. In
fact, I don't think pledge was really around at the time anyway.