From: "A. Wilcox" <awilfox@adelielinux.org>
Organization: Adélie Linux
To: alpine-devel@lists.alpinelinux.org
Subject: Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation
Date: Sat, 10 Feb 2018 12:16:18 -0600
Message-ID: <7f5961a9-e09e-8e1c-12b4-23ae56fce034@adelielinux.org>
In-Reply-To: <20180210154513.66fa5b3a@mechanicum.chadwicks.me.uk>
References: <20180209211237.19ab8fda@ncopa-macbook.copa.dup.pw> <20180210111715.144a571e@mechanicum.chadwicks.me.uk> <20180210141109.55695e19@mechanicum.chadwicks.me.uk> <20180210154513.66fa5b3a@mechanicum.chadwicks.me.uk>

On 02/10/18 09:45, Kevin Chadwick wrote:
> Where would they get a 1970 cert from that was trusted?

I like how it was already pointed out, by you and possibly others, on openbsd-misc *and* this list, that most people do not use the CA / SAN verification routines correctly. Then you mention that "well, invalid certs like that shouldn't be trusted". You can't have it both ways.

In an ideal world none of this would matter anyway, because we'd have better libraries with better security and an actually competently-designed API. Or, even, in a truly ideal world, security wouldn't be necessary because there wouldn't be bad actors and nation states that try to commit atrocities to others.

This isn't either of those ideal worlds. We have bad code written with bad libraries in mind that have bad security and badly designed APIs. (I'm including OpenSSL *and* LibreSSL in that. I'd probably add GnuTLS for its terrible DANE fallback code and mbedTLS for its terrible CRL API.) On top of that, we have standards that are ignorant, we have deficient ABIs that still exist so some companies and governments can continue to run binaries from the Clinton administration, we have Google running the Web, we have world hunger....

Alpine's goals do not include "fix the world". Adélie's goals are only very tangentially related to "fix the world". Neither of our projects' goals is "port everything to LibreSSL", and if anything, I'd expect that to be a LibreSSL or possibly OpenBSD project goal.

"But it isn't about the number of users! It's about quality!"

I can go three ways with this:

1) Quality in a vacuum is useless. If nobody uses it, you still haven't improved the world at all.

2) If it isn't about the number of users, why does the LibreSSL Evangelism Strikeforce come out every time a project says they want to use OpenSSL instead?

3) If it's about quality and not the number of users, why not just make a brand new libtls that doesn't depend on *any* OpenSSL code and try to convince people to use that, instead of making an API promise ("we are 1.0.1g compliant! honest!") you never actually intended to keep?

> I cross posted because reluctance to communicate
> between Linux and OpenBSD devs is well known. OpenBSD devs are blunt
> but they don't have time to be anything else.

Bluntness is not a problem for me. (Consider this message.) In fact, bluntness is good, because it means there is no fluffy text to sift through, just technical discussion. The problem with the OpenBSD community is not bluntness.

Arrogance and trolling are problems for me. And you know what? Honestly, I don't find too many OpenBSD devs have that problem. Their users, however... their users...

Farewell,
--arw

-- 
A. Wilcox (awilfox)
Project Lead, Adélie Linux
http://adelielinux.org