On 30.01.2017 14:09, Giancarlo Razzolini wrote:
On January 30, 2017 1:05, Allan McRae wrote:
Please cite one example. Every CVE I have seen that is of at least high severity has affected both. There have been some low severity ones only affecting openssl.
Even worse, the fix time for libressl in the couple of issues I monitored was worse than openssl.
I don't have a ready list, but I can make one, sure. One thing I can say is that it wasn't *every*[0] high/critical CVE that affected both libraries.
And yes, I presume fix time will be somewhat worse than OpenSSL's, because it is a portable version of a library mainly focused on OpenBSD.
As I said, it is a suggestion for us to consider instead of going the OpenSSL 1.1 way. Both will be hard, but I think in the end we would be better off using LibreSSL.
Cheers,
Giancarlo Razzolini
[0] https://en.wikipedia.org/wiki/LibreSSL
For now I'd like to keep openssl. This might change when upstream projects switch to libressl. ATM I do not see an objective reason to do so. If it is a drop-in replacement, a separate package could be provided.
Greetings,
Pierre
--
Pierre Schmitz, https://pierre-schmitz.com