Date: Sat, 10 Feb 2018 11:17:15 +0000
From: Kevin Chadwick
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation

This is my last cross post as I am in danger of abusing or have already abused your list, likely at least in some people's eyes.

It seems like a strong argument to make upstreams reconsider to me. I know security is an intangible asset and they likely won't care. Though I think that lesson is becoming more widely understood, so maybe.

Theo posted this
________________________________________________________________________

> It isn't just this. Qt 5.10 introduces new dependency on OpenSSL 1.1
> APIs for improved security, and LibreSSL does not implement those APIs
> at all.

The 1.1 API does not improve security.

If anything, the new API requires you to repeat the same or similar arguments to many functions, and in many ways the API is much more fragile. Also, more memory allocation and free is required, and as a result quite a few software upgrades to 1.1 API have had memory leaks, as well as use-after-free and double-free bugs.

A very large patch for converting openssh to 1.1 was provided by folk who very much know the API, and it had several stupid and quite dangerous mistakes of that sort.

Don't believe all the promises you hear.