From owner-freebsd-current@FreeBSD.ORG Fri Apr 25 08:41:55 2014 Return-Path: <owner-freebsd-current@FreeBSD.ORG> Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 414AEACE for <freebsd-current@freebsd.org>; Fri, 25 Apr 2014 08:41:55 +0000 (UTC) Received: from theravensnest.org (theraven.freebsd.your.org [216.14.102.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "cloud.theravensnest.org", Issuer "StartCom Class 1 Primary Intermediate Server CA" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 0C05212D3 for <freebsd-current@freebsd.org>; Fri, 25 Apr 2014 08:41:54 +0000 (UTC) Received: from [192.168.0.7] (cpc14-cmbg15-2-0-cust307.5-4.cable.virginm.net [82.26.1.52]) (authenticated bits=0) by theravensnest.org (8.14.7/8.14.7) with ESMTP id s3P8fpkr049011 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 25 Apr 2014 08:41:53 GMT (envelope-from theraven@FreeBSD.org) Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\)) Subject: Re: OpenSSL vs. LibreSSL (OpenBSD) From: David Chisnall <theraven@FreeBSD.org> In-Reply-To: <CA+D9Qhte7G4UZORiem9Mut9g8kDPGAuUd2ou6ZQgreqkfiy6Lw@mail.gmail.com> Date: Fri, 25 Apr 2014 09:41:45 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <81BF8B42-A98C-4A0E-BCBB-CA3A795AA980@FreeBSD.org> References: <20140424223540.627bf130.ohartman@zedat.fu-berlin.de> <535984EC.7050509@mu.org> <CAHSQbTDoDco9bX+gg9EE6x1Mo3pmyBsC8hbwUfFaYfyS4Qqvug@mail.gmail.com> <20140425033141.GB28939@lonesome.com> <CA+D9Qhte7G4UZORiem9Mut9g8kDPGAuUd2ou6ZQgreqkfiy6Lw@mail.gmail.com> To: Matthias Gamsjager <mgamsjager@gmail.com> X-Mailer: Apple Mail (2.1874) Cc: FreeBSD Current <freebsd-current@freebsd.org> X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: Discussions about the use of FreeBSD-current <freebsd-current.freebsd.org> List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-current>, <mailto:freebsd-current-request@freebsd.org?subject=unsubscribe> List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current/> List-Post: <mailto:freebsd-current@freebsd.org> List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help> List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, <mailto:freebsd-current-request@freebsd.org?subject=subscribe> X-List-Received-Date: Fri, 25 Apr 2014 08:41:55 -0000 On 25 Apr 2014, at 09:16, Matthias Gamsjager <mgamsjager@gmail.com> = wrote: > Isn't the latest news that Google&co and the linux foundation setup a > construction that these vital opensource projects get the proper > funding. Meaning more man power and hopefully less bugs Yes, there's effort to improve OpenSSL from there, there's the LibreSSL = project from OpenBSD and there's a from-scratch reimplementation of SSL = in the Cambridge Computer Lab that's intended for easy verification[1], = and Apple's CommonCrypto (which, in light of goto fail, might not be the = best choice), so there are going to be a lot of choices in time for 11. =20= There are very few users of OpenSSL in the base system (7, I think), so = rewriting them to use less error-prone APIs would be feasible - a 100% = OpenSSL-compatible API is not necessarily a requirement for a = base-system SSL library. =20 so@ and secteam@ get to make the final call on what we should be = shipping, because they're the ones that will have to suffer from the = fallout the next time there's a vulnerability. David [1] It's written in OCaml, but can have C APIs and can probably be = compiled into C. C that is machine generated from a typesafe language = is a lot less likely to contain memory management bugs than C that is = generated by a human...=