On 25 Apr 2014, at 09:16, Matthias Gamsjager <mgamsjager_at_gmail.com> wrote:

> Isn't the latest news that Google&co and the linux foundation setup a
> construction that these vital opensource projects get the proper
> funding. Meaning more man power and hopefully less bugs

Yes, there's effort to improve OpenSSL from there, there's the LibreSSL
project from OpenBSD and there's a from-scratch reimplementation of SSL
in the Cambridge Computer Lab that's intended for easy verification[1],
and Apple's CommonCrypto (which, in light of goto fail, might not be the
best choice), so there are going to be a lot of choices in time for 11.

There are very few users of OpenSSL in the base system (7, I think), so
rewriting them to use less error-prone APIs would be feasible - a 100%
OpenSSL-compatible API is not necessarily a requirement for a
base-system SSL library.

so_at_ and secteam_at_ get to make the final call on what we should be
shipping, because they're the ones that will have to suffer from the
fallout the next time there's a vulnerability.

David

[1] It's written in OCaml, but can have C APIs and can probably be
compiled into C. C that is machine generated from a typesafe language is
a lot less likely to contain memory management bugs than C that is
generated by a human...

Received on Fri Apr 25 2014 - 06:41:55 UTC