Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-11 Thread Pierre Schmitz

On 29.01.2017 21:49, Pierre Schmitz wrote:

Hi,

I'd like to propose a migration to OpenSSL 1.1. The update comes with
ABI and API changes. Every linked package needs to be rebuilt. There
will likely be broken packages. Once the protobuf* rebuild has left
the [staging] repo I would like to upload a first set of OpenSSL 1.1
packages.

I have created a todo list of packages that either have a direct
dependency on openssl or link to libssl.so.1.0.0 or
libcrypto.so.1.0.0:
  https://www.archlinux.org/todo/openssl-110-rebuild/


I will push the first set of packages to [staging]. Please avoid doing 
other rebuilds until this one is done.


Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com


Re: [arch-dev-public] OpenSSL 1.1.0

2017-02-11 Thread Pierre Schmitz

On 30.01.2017 14:09, Giancarlo Razzolini wrote:

On January 30, 2017 1:05, Allan McRae wrote:


Please cite one example. Every CVE I have seen that is of at least
high severity has affected both. There have been some low severity ones
only affecting openssl.

Even worse, the fix time for libressl in the couple of issues I
monitored was worse than openssl.



I don't have a ready list, but I can make one, sure. One thing I can say
is that it wasn't *every*[0] high/critical CVE that affected both libraries.

And yes, I presume fix time will be somewhat worse than OpenSSL's, because
it is a portable version of a library mainly focused on OpenBSD.

As I said, it is a suggestion for us to consider instead of going OpenSSL 1.1
way. Both will be hard, but I think in the end we would be better off using
LibreSSL.

Cheers,
Giancarlo Razzolini

[0] https://en.wikipedia.org/wiki/LibreSSL


For now I'd like to keep openssl. This might change when upstream 
projects might switch to libressl. ATM I do not see an objective reason 
to do so. If it is a drop-in replacement, a separate package could be
provided.


Greetings,

Pierre

--
Pierre Schmitz, https://pierre-schmitz.com