openssl vs. libressl

Michael keybounce at gmail.com
Fri Nov 13 16:52:52 PST 2015


On 2015-11-13, at 1:33 AM, René J.V. Bertin <rjvbertin at gmail.com> wrote:
> Telling it to "stop using them" is not unlike telling Apple they should stop shipping anything but the latest version of a whole range of things shipped with the OS (python comes to mind). There's a responsibility to ensure that users who do not know better aren't forced to rely on outdated security mechanisms, not a hard obligation to know better and protect all users against every possibly foolish thing they might use the software for.

The reality is, Apple does remove things that are broken, without replacing them with something else with the same / fixed functionality. Look at the last security update -- there were a few things that had the resolution of "removed X".

We've had too many problems from broken networking software giving privilege escalations or loss of privacy/security. Saying "This is broken and must be replaced" is appropriate -- especially, as people are saying, after 20 years.

If QT really is using something that is known to be broken, then QT is broken.
There is no other viewpoint that will get rid of broken, insecure software -- and we've had too many lessons over the years of what happens with insecure software.

(Do I really need to mention the worst case I know of, voting machine software that had wireless enabled with a default password and no real protections or logging? To the point that someone could just copy over the voting file, replace the data, copy it back, and no one could tell?)

---
Entertaining minecraft videos
http://YouTube.com/keybounce
