LibreSSL and OpenSSL and *SSL
Jan Stary
hans at stare.cz
Wed Feb 28 18:06:34 UTC 2018
> On Feb 16 20:15:04, notifications at github.com wrote:
> > OpenSSL was once undersupported because they didn't have funds
> > to have full time staff doing development and maintenance.
> > That ended a long time ago after Heartbleed.
> > The project is now fully funded and has excellent people working on it.
https://marc.info/?l=openbsd-misc&m=151974573718360&w=2
> Now we get to the real thing: LibreSSL is better.
>
> For those who actually care: please do watch the original
> talks and slides about why LibreSSL even exists:
>
> https://www.youtube.com/watch?v=GnBbhXBDmwU
> https://www.openbsd.org/papers/bsdcan14-libressl/
>
> https://www.youtube.com/watch?v=WFMYeMNCcSY
> https://www.openbsd.org/papers/eurobsdcon2014-libressl.html
>
> Yes, that's almost four years ago. So how much of the
> atrocities mentioned in the above have been fixed?
> Does it still use its own OPENSSL_malloc() that never frees?
> Does it still use its own OPENSSL_strfoo() that is almost,
> but not quite, identical to the usual, well defined strfoo(3)?
> Has the depth of the #ifdef/#ifndef maze dropped from 17?
> Are the security vulnerabilities still rotting in the bug DB for years?
> Is it still impossible to enter the codebase from outside
> without untangling it for weeks?
>
> The LibreSSL developers state explicitly that Heartbleed
> was not why they started their fork. It was things like these.
> https://www.tedunangst.com/flak/post/origins-of-libressl