I was reading up a little on OpenBSD's group cleaning up some of OpenSSL's mess as the LibreSSL fork. I'm not qualified or confident to say it should replace OpenSSL in the Arch repos, but I do think it is worth consideration.
Not a technical question, moving to GNU/Linux Discussion.
There's no such thing as a stupid question, but there sure are a lot of inquisitive idiots !
Considering that LibreSSL is neither GNU related (not even the license), nor intended to be available for Linux in the short term, I would say this thread only fits off-topic, for now at least
I think it is not the moment to think about a replacement.
First ask yourself 'Does some distro use it?', 'Does some mainstream distro use it?', 'Is LibreSSL really a drop-in replacement for OpenSSL?' and 'Can other programs that depend on OpenSSL build against LibreSSL?'.
When almost 3 of these questions reach a positive, then it is time to discuss it.
Otherwise it is too early.
Well, I suppose that this is somekind of signature, no?
But is Arch's OpenSSL broken? Does anybody know?
I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.
If you've read about OpenSSL (http://opensslrampage.org/ is posting about the cleanup process), it's clear that it's full of crufty code, bad engineering, lots of bugs and has no one at the helm. Since it's a vital piece of internet technology, it's not quite very very scary.
We don't make reactionary decisions on such a core piece of software. LibreSSL has removed functionality that will be required by RedHat et al, so some of this work will need to be done (merged?) in OpenSSL. I'd wait and see what happens.
But is Arch's OpenSSL broken? Does anybody know?
% pacman -Q openssl
openssl 1.0.1.g-1
Version "g" is the "fixed" version --- just downloaded the new lubuntu 14.04: it uses a "broken" version!
Para todos todo, para nosotros nada
nomorewindows wrote: But is Arch's OpenSSL broken? Does anybody know?
% pacman -Q openssl
openssl 1.0.1.g-1
Version "g" is the "fixed" version --- just downloaded the new lubuntu 14.04: it uses a "broken" version!
No it does not, assuming you are talking about 1.0.1f-1ubuntu2, it is a patched version. See the changelog.
My mistake --- sorry Mr. Shuttleworth
Para todos todo, para nosotros nada
I don't trust people, who use Comic Sans.
OpenSSL devs made many mistakes. There is no doubt some of these were pretty serious and led to You know what. But switching libraries just because a major failure has happened recently is not a good idea. I would even say that the time near such events is when no big decisions should be taken. Just let the future unfold and see what it brings.
Everyone is free to become package maintainer in AUR. AUR allows users to vote on packages. For now I don't even see LibreSSL there, not mentioning any substantial number of votes.
Sometimes I seem a bit harsh — don’t get offended too easily!
Everyone is free to become package maintainer in AUR. AUR allows users to vote on packages. For now I don't even see LibreSSL there, not mentioning any substantial number of votes.
It's not there because it is not ready for use. It will be months before it is even ready for use on OpenBSD, months after that it might be ported to Linux.
So this thread is about what color to paint a bikeshed that doesn't exist.
Considering it doesn't even run on Linux, I don't know what this discussion is about.
Last edited by Scimmia (2014-04-23 07:11:33)
And the OpenBSD team wants to use it in OpenBSD 5.6, not before. So it will be used by them in the November release.
I don't trust people, who use Comic Sans.
This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags.
I like the idea that some guys stood up and started cleaning out the messy code that OpenSSL seems to be. However, the complete "we don't like the old guys, we just fork, rename and start another branch that will just end up making things even more complex" thing, I don't like. I would have loved it if they had just contributed bugfixes and proposed cleanups. What bugs will get introduced when they need to port this back to Linux?
But no, it should not replace OpenSSL. Maybe in the future, but I doubt.
The Linux Foundation just announced a collaboration and funding effort to improve OpenSSL after the Heartbleed breach:
http://www.linuxfoundation.org/news-med … -ibm-intel
The Core Infrastructure Initiative is a multi-million dollar project organized by The Linux Foundation to fund open source projects that are in the critical path for core computing and Internet functions. Galvanized by the Heartbleed OpenSSL crisis, the Initiative’s funds will be administered by The Linux Foundation and a steering group comprised of backers of the project as well as key open source developers and other industry stakeholders. Support from the initiative will include funding for fellowships for key developers to work full-time on open source projects, security audits, computing and test infrastructure, travel, face-to-face meeting coordination and other support
Last edited by Janarto (2014-04-24 16:08:59)
I'm not a gamer, but I've read that you nowadays pay to participate in beta / early access i.e. you help improve the game and pay for that privilege. Maybe the same method could be applied here ;P
Portable framework for building libressl outside of the OpenBSD tree:
https://github.com/busterb/libressl
Para todos todo, para nosotros nada
One problem with OpenSSL and people have got to fork it. I don't see the point.
One problem with OpenSSL and people have got to fork it. I don't see the point.
Seems to mostly be emotional reaction, which as always is not particularly useful or interesting.
The problem is it's not "one problem".
By saying "one" you are probably referring to You know what. But this way you're missing the point. It's not the You know what bug that makes people want to switch. Everyone knows bugs happen from time to time. It is expected that not only OpenSSL but also the competition and various other software still contain lots of critical ones. The reason for the criticism towards OpenSSL and the attempts to switch is the devs' choices that led to You know what. Something that can't be fixed by applying a simple patch. Choices that should never have been made. This is the reason for all the rants the bug has spawned. Not the coder's mistake itself.
Nonetheless I have earlier expressed my dislike for idea to switch to another library. Even if this is a way to go, switching in haste smells.
Sometimes I seem a bit harsh — don’t get offended too easily!
If this happens, there needs to be a big rebuild of packages. They did a big soname bump, from 1.0.0 to 26.
It wasn't the heartbeat exploit that was the problem, it was the design decisions that led to it - namely OpenSSL not letting the system handle memory pages, opting for OpenSSL to handle it on its own, and to use a first in last out approach to it, all to benefit a handful of poorly designed hardware setups. Without this decision, the exploit of heartbeat would have been negligible.
Also, the OpenBSD foundation was already making LibreSSL because of other issues with OpenSSL before the Heartbeat exploit was even known about.
Last edited by HiImTye (2014-07-12 09:33:52)
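An added illustration of the allocator behaviour described in HiImTye's post above (not code from the thread or from OpenSSL): a hypothetical last-in-first-out free list of fixed-size buffers, compared with the same list scrubbing buffers on release. The names `buf_acquire`, `buf_release`, `stale_bytes_after_reuse` and the marker string are constructed for this sketch.

```c
#include <stdio.h>
#include <stdlib.h>

#define BUF_SIZE 64
#define POOL_MAX 8

/* Constructed marker standing in for sensitive data left in a buffer. */
static const char MARKER[] = "CONSTRUCTED-SECRET-0123456789";

/* Hypothetical LIFO free list: released buffers stay with the application
 * and are handed back out most-recently-released first, so the system
 * allocator never sees the free and cannot recycle or junk-fill the block. */
static unsigned char *pool[POOL_MAX];
static int pool_top = 0;

static unsigned char *buf_acquire(void) {
    if (pool_top > 0)
        return pool[--pool_top];   /* reuse: contents are not reset */
    return calloc(1, BUF_SIZE);    /* fresh memory starts zeroed */
}

static void buf_release(unsigned char *b, int scrub) {
    if (b == NULL) return;
    if (scrub) {                   /* mitigation: wipe before pooling */
        volatile unsigned char *p = b;
        for (size_t i = 0; i < BUF_SIZE; i++) p[i] = 0;
    }
    if (pool_top < POOL_MAX) pool[pool_top++] = b;
    else free(b);
}

/* Writes the marker into a buffer, releases it, acquires the next buffer
 * and returns how many marker bytes are still readable in it. */
size_t stale_bytes_after_reuse(int scrub) {
    unsigned char *a = buf_acquire();
    if (a == NULL) return 0;
    for (size_t i = 0; i < sizeof MARKER; i++) a[i] = (unsigned char)MARKER[i];
    buf_release(a, scrub);

    unsigned char *b = buf_acquire();  /* LIFO: the same block comes back */
    size_t n = 0;
    while (n < sizeof MARKER - 1 && b[n] == (unsigned char)MARKER[n]) n++;
    buf_release(b, 1);                 /* leave the pool clean */
    return n;
}

int main(void) {
    printf("no scrub:   %zu stale bytes\n", stale_bytes_after_reuse(0));
    printf("with scrub: %zu stale bytes\n", stale_bytes_after_reuse(1));
    return 0;
}
```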
This silver ladybug at line 28...