Date: Sat, 28 Oct 2017 07:31:32 -0500
From: Benjamin Kaduk <bjk@freebsd.org>
To: Poul-Henning Kamp <phk@phk.freebsd.dk>
Cc: Ben Laurie <ben@links.org>, Eric McCorkle <eric@metricspace.net>,
    "freebsd-security@freebsd.org security" <freebsd-security@freebsd.org>,
    "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>,
    "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject: Re: Crypto overhaul
Message-ID: <20171028123132.GF96685@kduck.kaduk.org>
In-Reply-To: <23376.1509177812@critter.freebsd.dk>
References: <dc08792a-3215-611c-eb9f-4936a0d621f9@metricspace.net>
    <CAG5KPzws=jmF2wLeEAz8Lzn7Ugude=0w5neoQjeDjYnGtJpS9Q@mail.gmail.com>
    <13959.1509132270@critter.freebsd.dk>
    <CAG5KPzxGtAwV-svCv24FbZtLvxKCwX7OSyb2pPaTc63EUmFFGA@mail.gmail.com>
    <20171028022557.GE96685@kduck.kaduk.org>
    <23376.1509177812@critter.freebsd.dk>
On Sat, Oct 28, 2017 at 08:03:32AM +0000, Poul-Henning Kamp wrote:
> --------
> In message <20171028022557.GE96685@kduck.kaduk.org>, Benjamin Kaduk writes:
>
> >But I think the main issue with OpenSSL in base that was leading to
> >thoughts about replacing it is the mismatch between FreeBSD release
> >branch support lifecycles and OpenSSL release branch support lifecycles.
>
> That's not why I want OpenSSL gone from the tree.
>
> My reason is that I think OpenSSL's architecture, (to the extent you
> can talk about OpenSSL having one), APIs and the source code are
> all horrible.

Those are all fine reasons for an individual to want OpenSSL gone from
the tree, and I can't really dispute any of them for the 1.0.x series.
I would say that the 1.1.x series is less bad, especially on the last
count, but don't know how much you've looked at the differences in the
new branch.

Regardless, the point I was intending to make is that, fine reasons
those are, they in and of themselves may not be enough to overcome the
weight of POLA for staying with OpenSSL. I do, however, remember a few
years ago a Security Officer raising concerns about the support
lifecycle mismatch, and in that context that reason does seem to be
able to overcome the weight of POLA.

That is, I was talking about history. We should of course make our
own, fresh, decision about whether your reasons are currently enough
to outweigh POLA, for the present discussion.

-Ben