X-Original-To: alpine-devel@lists.alpinelinux.org Received: from mail-qk0-f196.google.com (mail-qk0-f196.google.com [209.85.220.196]) by lists.alpinelinux.org (Postfix) with ESMTP id 6A8685C4E41 for ; Thu, 8 Feb 2018 19:15:34 +0000 (GMT) Received: by mail-qk0-f196.google.com with SMTP id c4so4735808qkm.2 for ; Thu, 08 Feb 2018 11:15:34 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dereferenced-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=VxHU8HlcYyaSjKSEaES6AkL+3lYsEt1POYbSATUrTjg=; b=lTcVrphB9EAhfWtcaq/vHSV2S15AgFKskXKQFEjhYSggKHNBxC/zhcxhlUgZRkk+tN c5+Pk6GAhlTwBbyZXkPsUrF85RIlgKKUcAl7raGVZU61GFwL7tYbnLvQCjbE2ckU/K+j pLO8D537+QTzQCT68E965Sy+ykWX6XGCGRAVyXEoEkApoyUAFHZdDqODW//i/miU9VL8 mYTqrsabOgBKNE2yxzsb4vn1FpTH20lvMp52qI+J7el0EJ7mzBkvmVGsWB6JAQcAQL9d tS3W3qD+2lMyCxpEgTuus/e6Zm/ODaK9gkyYtbCPNiboNgMxfR6iQIlHenwND9xY4fU2 ab4g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=VxHU8HlcYyaSjKSEaES6AkL+3lYsEt1POYbSATUrTjg=; b=cYViL0FYMTNacAY/CBCbSCL0Z/jWzMV17QC9xdVIx+E+sOcLp2T+Fl8MpWoG5FzlQe rBNmpHfBO/eJRPWd3ihHlT8mo/0LGdqqK0zn8tTzqTra817xdiJeAutC23rhmPWiW1nJ Ngm1MGAot938ExMHu83VLHtryenY+MCQm6MxUoRHZ2ZXGU9RoIj6ohCw+yIHN4nXVdCA TK4zqSbLui7wjiFa48oh6/96ys5b02cNxxJDa2t0khcmpSGeTRhjHW7bj/ZeVFYcAgP9 CNrNJvXTerU7KS1sFLyNVDSQiamr+FB8e+OLa6de0SUn7hAwuIYbDgZ/KqLEWBQoWl1a 6qaw== X-Gm-Message-State: APf1xPCHFUUeQVpdX4USxRKLFgTIfeP5p81D+OJ1R07HJVpHCLKbjMav Gq5m3r3R8JuenknwUCm6nrZdfhL2Vxq1u7paR8+jSA== X-Google-Smtp-Source: AH8x226IaxQ327YQBJE19rF5cZ9tgHOVsw66XmuojGAUWmOSHQrGN9lOA3syECs2vammYtqaE8nk5koCwQm7Zr/L/50= X-Received: by 10.55.71.87 with SMTP id u84mr71204qka.255.1518117334043; Thu, 08 Feb 2018 11:15:34 -0800 (PST) X-Mailinglist: alpine-devel Precedence: list List-Id: Alpine Development List-Unsubscribe: List-Post: List-Help: List-Subscribe: MIME-Version: 1.0 Received: by 10.200.39.100 with HTTP; Thu, 8 Feb 2018 11:15:33 -0800 (PST) In-Reply-To: <20180208181647.1e8e6eed@mechanicum.chadwicks.me.uk> References: <20180208181647.1e8e6eed@mechanicum.chadwicks.me.uk> From: William Pitcock Date: Thu, 8 Feb 2018 13:15:33 -0600 Message-ID: Subject: Re: [alpine-devel] Proposed change: openssl 1.1 as default system openssl implementation To: Kevin Chadwick Cc: alpine-dev Content-Type: text/plain; charset="UTF-8" Hello, On Thu, Feb 8, 2018 at 12:16 PM, Kevin Chadwick wrote: > On Thu, 8 Feb 2018 12:09:38 -0600 > > >> > openssl 1.1 has a different situation: Akamai and the Core >> > Infrastructure Initiative have come together to sponsor development >> > and maintenance of openssl since we switched, which means that >> > there's higher quality maintenance occuring now. >> >> This is good to hear, I didn't know about Akamai's involvement. > > I am fairly sure that funding was never a real issue and certainly not > one that could explain heartbleed. Heartbleed is explained by the support for custom allocators in combination with their own custom allocator. This functionality was disabled in Alpine's openssl packaging prior to Heartbleed disclosure and was ultimately removed upstream. Much like other distributions, we actually do look at our security-critical code and make security-conscious decisions. As far as funding goes, when your funding comes from consulting contracts (adding new things to a product), then a majority of your resources go towards adding new features. The Akamai and CII funding is explicitly for dedicated maintenance so that there is not a capitalistic inversion of priorities. > Akamai is probably also one of the lead reasons why people think > websites are secure when they are not necessarily too (akamai cert for > akamai server for download of acme.exe). Simplicity, cost issue? I would argue Cloudflare is a larger offender there. William --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---