From: William Pitcock
Date: Sat, 10 Feb 2018 08:31:26 -0600
Subject: Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation
To: Kevin Chadwick
Cc: alpine-dev

Hello,

On Sat, Feb 10, 2018 at 8:11 AM, Kevin Chadwick wrote:
> On Sat, 10 Feb 2018 07:50:22 -0600
>
>
>> I did not discuss the OpenSSL 1.1 API in my proposal. I do not care
>> about it.
>>
>> I care about date comparisons that don't involve trusting anything
>> that overflows a time_t as being in the future and then naively trying
>> to prove it somehow.
>>
>
> Wow
>
> What are you telling Alpine for, you should be telling them
> conclusions and using evidence to back it up, not opinion. LibreSSL devs
> appear to disagree about much of your justification! Have you even
> asked them in the first place or yet? Perhaps you are doing it wrong?,
> perhaps they have missed a Linux development?

For the n-th time, there is nothing to discuss, LibreSSL removed SAFE
date calculation code and replaced it with code that is only SAFE
under a specific precondition: 64-bit time_t. Then they made it
blindly accept ANY certificate that overflows the time_t if it's
smaller than 64-bit, which is COMPLETELY UNSAFE AND ARGUABLY A
SECURITY PROBLEM BECAUSE IT MEANS A CERT THAT EXPIRES BEFORE 1970 IS
NOW POTENTIALLY VALID.

Don't believe me? Generate a certificate that computes as 0xfffffff
time_t on 32-bit and you win. Really, you do!

If they care about portability, they should revert this change.

ps: I'm only replying to this because it arrived before I added you to
my killfile.
Expect no further replies from me.

William
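The following is an added illustration, not part of the message above and not LibreSSL or OpenSSL code. It shows the general hazard the message describes: a certificate date compared through a 32-bit time_t can wrap, while a 64-bit comparison computed without time_t does not. All function names and sample timestamps are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Days since 1970-01-01 for a Gregorian date; 64-bit math, no time_t. */
static int64_t days_from_civil(int64_t y, int m, int d) {
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400, yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Parse ASN.1 GeneralizedTime "YYYYMMDDHHMMSSZ" into 64-bit epoch seconds. */
int asn1_to_epoch64(const char *s, int64_t *out) {
    static const int width[6] = {4, 2, 2, 2, 2, 2};
    int f[6] = {0}, pos = 0;  /* year, month, day, hour, minute, second */
    if (strlen(s) != 15 || s[14] != 'Z') return -1;
    for (int i = 0; i < 6; i++)
        for (int j = 0; j < width[i]; j++, pos++) {
            if (s[pos] < '0' || s[pos] > '9') return -1;
            f[i] = f[i] * 10 + (s[pos] - '0');
        }
    if (f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 || f[3] > 23 || f[4] > 59 || f[5] > 59) return -1;
    *out = days_from_civil(f[0], f[1], f[2]) * 86400 + f[3] * 3600 + f[4] * 60 + f[5];
    return 0;
}

/* Width-independent check: 1 = expired, 0 = not expired, -1 = unparsable. */
int expired_safe(const char *not_after, int64_t now) {
    int64_t t;
    return asn1_to_epoch64(not_after, &t) ? -1 : now > t;
}

/* Same check after narrowing to 32 bits, as a 32-bit time_t would (wraps). */
int expired_truncated32(const char *not_after, int64_t now) {
    int64_t t;
    return asn1_to_epoch64(not_after, &t) ? -1 : (int32_t)now > (int32_t)t;
}

/* Fail-closed guard for 32-bit time_t: 1 only if the date fits unwrapped. */
int representable32(const char *ts) {
    int64_t t;
    return asn1_to_epoch64(ts, &t) == 0 && t >= INT32_MIN && t <= INT32_MAX;
}

int main(void) {  /* constructed inputs: notAfter in 1899, "now" in Feb 2018 */
    const char *na = "18990101000000Z";
    printf("safe=%d trunc32=%d fits32=%d\n", expired_safe(na, 1518273086),
           expired_truncated32(na, 1518273086), representable32(na));
    return 0;
}
```

The narrowing cast is implementation-defined in C; on common compilers it wraps modulo 2^32, which is the behaviour the example relies on.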