[prev in list] [next in list] [prev in thread] [next in thread]
List: debian-devel
Subject: Re: openssl transition
From: Pau Garcia i Quiles <pgquiles () elpauer ! org>
Date: 2016-10-30 21:23:08
Message-ID: CAKcBoksVR25V=bWQWowVEvLtRwhL7TW4nZYOWFQsSTAcp1fx+g () mail ! gmail ! com
[Download RAW message or body]
On Thu, Oct 27, 2016 at 2:39 PM, Antti Järvinen <antti.jarvinen@katiska.org>
wrote:
> While patching -DOPENSSL_API_COMPAT=0x10100000L will help a lot but
> code changes are still required in addition to this flag, many
> applications allocate OpenSSL data-structures in stack and this is not
> supported any more, regardless of -DOPENSSL_API_COMPAT.
>
>
This whole "let's shove OpenSSL 1.1 down your throat" is a very bad idea,
IMHO.
My upstreams (witty and ace) have no plans to support OpenSSL 1.1 in the
next months.
I do not have enough knowledge with OpenSSL to feel comfortable with my
patches. I may end up rendering the software insecure.
Does anyone remember the OpenSSL PRNG incident 10 years ago? Are we trying
to repeat it?
https://www.schneier.com/blog/archives/2008/05/random_number_b.html
Really, this does look like a huge mistake. Packagers will produce patches
that will generate suboptimal, if not straight insecure, software just for
their packages not to be removed, and/or to stop those "hey hey, RC bug on
you!" mails. Please, delay the "only 1.1 migration" for 1 year.
--
Pau Garcia i Quiles
http://www.elpauer.org
[Attachment #3 (text/html)]
<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On \
Thu, Oct 27, 2016 at 2:39 PM, Antti Järvinen <span dir="ltr"><<a \
href="mailto:antti.jarvinen@katiska.org" \
target="_blank">antti.jarvinen@katiska.org</a>></span> \
wrote:<br><br><blockquote class="gmail_quote" style="margin:0px 0px 0px \
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"> <br>
While patching -DOPENSSL_API_COMPAT=<wbr>0x10100000L will help a lot \
but<br> code changes are still required in addition to this flag, many<br>
applications allocate OpenSSL data-structures in stack and this is not<br>
supported any more, regardless of -DOPENSSL_API_COMPAT.<br>
<br></blockquote><br></div><div class="gmail_quote">This whole \
"let's shove OpenSSL 1.1 down your throat" is a very bad \
idea, IMHO.<br><br></div><div class="gmail_quote">My upstreams (witty and \
ace) have no plans to support OpenSSL 1.1 in the next months. <br><br>I do \
not have enough knowledge with OpenSSL to feel comfortable with my patches. \
I may end up rendering the software insecure. <br><br>Does anyone remember \
the OpenSSL PRNG incident 10 years ago? Are we trying to repeat it?<br><a \
href="https://www.schneier.com/blog/archives/2008/05/random_number_b.html">https://www.schneier.com/blog/archives/2008/05/random_number_b.html</a><br \
clear="all"></div><br></div><div class="gmail_extra">Really, this does look \
like a huge mistake. Packagers will produce patches that will generate \
suboptimal, if not straight insecure, software just for their packages not \
to be removed, and/or to stop those "hey hey, RC bug on you!" \
mails. Please, delay the "only 1.1 migration" for 1 year. \
<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">-- \
<br><div class="gmail_signature">Pau Garcia i Quiles<br><a \
href="http://www.elpauer.org" \
target="_blank">http://www.elpauer.org</a><br></div> </div></div>
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic