You are not logged in.

#1 2014-04-22 17:23:17

anadon
Member
Registered: 2012-08-08
Posts: 35

Should libreSSL replace openSSL?

I was reading up a little on openBDS's group cleaning up some of openSSL's mess as the libreSSL fork.  I'm not qualified or confident to say it should replace openSSL in the arch repo's, but I do think it is worth consideration.

http://www.libressl.org/

Offline

#2 2014-04-22 17:24:30

Inxsible
Forum Fellow
From: Chicago
Registered: 2008-06-09
Posts: 9,183

Re: Should libreSSL replace openSSL?

Not a technical question, moving to GNU/Linux Discussion.


Forum Rules

There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !

Offline

#3 2014-04-22 18:04:34

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: Should libreSSL replace openSSL?

Considering that LibreSSL is neither GNU related (not even the license), nor intended to be available for Linux in the short term, I would say this thread only fits off-topic, for now at least tongue

Offline

#4 2014-04-22 20:32:44

Jristz
Member
From: America/Santiago
Registered: 2011-06-11
Posts: 1,022

Re: Should libreSSL replace openSSL?

I think is not momment for thing in if a replacenment.
First ask you 'some distro use it?', 'Some mainstream distro use it?', 'really libreSSL is a drop in replacenment for openssl?' and 'Other programs that depend on openssl can build againt libressl?'.
When almos 3 of these question reach a positive, then is time to discuss about it.
otherwise is so early.


Well, I suppose that this is somekind of signature, no?

Offline

#5 2014-04-22 20:36:47

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,362

Re: Should libreSSL replace openSSL?

But is Arch's OpenSSL broken?  Does anybody know?


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#6 2014-04-22 22:01:49

fschiff
Member
Registered: 2011-10-06
Posts: 71

Re: Should libreSSL replace openSSL?

If you've read about openSSL (http://opensslrampage.org/ is posting about the cleanup process), its clear that its full of crufty code, bad engineering, lots of bugs and has no one at the helm.  Since its a vital piece of internet technology, its not quite very very scary.

Offline

#7 2014-04-22 22:54:19

Allan
Pacman
From: Brisbane, AU
Registered: 2007-06-09
Posts: 11,365
Website

Re: Should libreSSL replace openSSL?

We don't make reactionary decisions on such a core piece of software.  LibreSSL has removed functionality that will be required by RedHat et al, so some of this work will need to be done (merged?) in OpenSSL.  I'd wait and see happens.

Offline

#8 2014-04-23 06:39:16

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Should libreSSL replace openSSL?

nomorewindows wrote:

But is Arch's OpenSSL broken?  Does anybody know?

 % pacman -Q openssl
openssl 1.0.1.g-1

Version "g" is the "fixed" version --- just downloaded the new lubuntu 14.04: it uses a "broken" version!
smile

Offline

#9 2014-04-23 06:51:11

x33a
Forum Fellow
Registered: 2009-08-15
Posts: 4,587

Re: Should libreSSL replace openSSL?

Head_on_a_Stick wrote:
nomorewindows wrote:

But is Arch's OpenSSL broken?  Does anybody know?

 % pacman -Q openssl
openssl 1.0.1.g-1

Version "g" is the "fixed" version --- just downloaded the new lubuntu 14.04: it uses a "broken" version!
smile

No it does not, assuming you are talking about 1.0.1f-1ubuntu2, it is a patched version. See the changelog.

Offline

#10 2014-04-23 06:59:07

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Should libreSSL replace openSSL?

My mistake --- sorry Mr. Shuttleworth hmm

Offline

#11 2014-04-23 07:01:17

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: Should libreSSL replace openSSL?

I don't trust people, who use Comic Sans.

OpenSSL devs did many mistakes. There is no doubt some of these were pretty serious and led to You know what. But switching libraries just because a major failure has happened recently is not a good idea. I would even say that time near such events is when no big decisions should be taken. Just let future unfold and see what it brings.

Everyone is free to become package maintainer in AUR. AUR allows users to vote on packages. For now I don't even see LibreSSL there, not mentioning any substantial number of votes.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#12 2014-04-23 07:08:55

Ziusudra
Member
Registered: 2014-04-19
Posts: 120

Re: Should libreSSL replace openSSL?

mpan wrote:

Everyone is free to become package maintainer in AUR. AUR allows users to vote on packages. For now I don't even see LibreSSL there, not mentioning any substantial number of votes.

It's not there because it is not ready for use. It will be months before it is even ready for use on OpenBSD, months after that it might be ported to Linux.

So this thread is about what color to paint a bikeshed that doesn't exist.

Offline

#13 2014-04-23 07:09:47

Scimmia
Fellow
Registered: 2012-09-01
Posts: 11,463

Re: Should libreSSL replace openSSL?

Considering it doesn't even run on Linux, I don't know what this discussion is about.

Last edited by Scimmia (2014-04-23 07:11:33)

Offline

#14 2014-04-23 07:58:28

fredbezies
Member
Registered: 2011-07-28
Posts: 352

Re: Should libreSSL replace openSSL?

And OpenBSD team wants to use it in OpenBSD 5.6, not before. So it will be used by them in november release.

Offline

#15 2014-04-23 13:08:16

drcouzelis
Member
From: Connecticut, USA
Registered: 2009-11-09
Posts: 4,092
Website

Re: Should libreSSL replace openSSL?

mpan wrote:

I don't trust people, who use Comic Sans.

http://www.libressl.org/ wrote:

This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags.

smile

Offline

#16 2014-04-24 05:28:13

Ibex
Member
Registered: 2006-03-02
Posts: 135

Re: Should libreSSL replace openSSL?

I like the idea that some guys stood up and start cleaning out the messy code that OpenSSL seems to be. However, the complete "we don't like the old guys, we just fork, rename and start another branch that will just end up making things even more complex" thing, I don't like. I would have loved it when they just contributed bugfixes and proposing cleanups. What bugs will get introduced when they need to port this back to Linux.

But no, it should not replace OpenSSL. Maybe in the future, but I doubt.

Offline

#17 2014-04-24 16:04:44

Janarto
Member
From: Paris
Registered: 2008-09-23
Posts: 80

Re: Should libreSSL replace openSSL?

The Linux Foundation just announced a by collaboration and funding effort to improve openssl after the heartbleed breach :

http://www.linuxfoundation.org/news-med … -ibm-intel

The Core Infrastructure Initiative is a multi-million dollar project organized by The Linux Foundation to fund open source projects that are in the critical path for core computing and Internet functions. Galvanized by the Heartbleed OpenSSL crisis, the Initiative’s funds will be administered by The Linux Foundation and a steering group comprised of backers of the project as well as key open source developers and other industry stakeholders. Support from the initiative will include funding for fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support

Last edited by Janarto (2014-04-24 16:08:59)

Offline

#18 2014-04-24 22:09:43

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Should libreSSL replace openSSL?

I'm not a gamer, but I've read that you nowadays pay to participate in beta / early access i.e. you help improve the game and pay for that privilege. Maybe the same method could be applied here ;P

Offline

#19 2014-04-29 06:35:25

Head_on_a_Stick
Member
From: London
Registered: 2014-02-20
Posts: 7,680
Website

Re: Should libreSSL replace openSSL?

Portable framework for building libressl outside of the OpenBSD tree:
https://github.com/busterb/libressl

Offline

#20 2014-06-01 19:11:23

cammyman50
Member
Registered: 2014-06-01
Posts: 48

Re: Should libreSSL replace openSSL?

One problem with OpenSSL and people have got to fork it. I don't see the point.

Offline

#21 2014-06-01 19:19:48

Psykorgasm
Member
Registered: 2011-11-24
Posts: 177

Re: Should libreSSL replace openSSL?

cammyman50 wrote:

One problem with OpenSSL and people have got to fork it. I don't see the point.

Seems to mostly be emotional reaction, which as always is not particularly useful or interesting.

Offline

#22 2014-06-01 19:32:12

mpan
Member
Registered: 2012-08-01
Posts: 1,188
Website

Re: Should libreSSL replace openSSL?

The problem is it's not "one problem".

By saying "one" you are probably referring to You know what. But this way you're missing the point. It's not the You know what bug that makes people want to switch. Everyone knows bugs happen from time to time. It is expected that not only OpenSSL but also competiton and various other software still contains lots of critical ones. The reason of criticism towards OpenSSL and attempts to switch are devs' choices that led to You know what. Something that can't be fixed by applying a simple patch. Choices that should have never been done. This is the reason of all the rants the bug has spawned. Not the coder's mistake itself.

Nonetheless I have earlier expressed my dislike for idea to switch to another library. Even if this is a way to go, switching in haste smells.


Sometimes I seem a bit harsh — don’t get offended too easily!

Offline

#23 2014-07-12 09:22:55

hussam
Member
Registered: 2006-03-26
Posts: 572
Website

Re: Should libreSSL replace openSSL?

If this happens, there needs to a big rebuild of packages. they did a big soname bump.
from 1.0.0 to 26

Offline

#24 2014-07-12 09:32:49

HiImTye
Member
From: Halifax, NS, Canada
Registered: 2012-05-09
Posts: 1,072

Re: Should libreSSL replace openSSL?

it wasn't the heartbeat exploit that was the problem, it was the design decisions that led to it - namely OpenSSL not letting the system handle memory pages, opting for OpenSSL to handle it on its' own, and to use a first in last out approach to it, all to benefit a handful of poorly designed hardware setups. without this decision, the exploit of heartbeat would have been negligable

also, the OpenBSD foundation was already making LibreSSL because of other issues with OpenSSL before the Heartbeat exploit was even known about

Last edited by HiImTye (2014-07-12 09:33:52)

Offline

#25 2014-07-12 15:41:50

lolilolicon
Member
Registered: 2009-03-05
Posts: 1,722

Re: Should libreSSL replace openSSL?


This silver ladybug at line 28...

Offline

Board footer

Powered by FluxBB