
List:       debian-devel
Subject:    Re: openssl transition
From:       Pau Garcia i Quiles <pgquiles () elpauer ! org>
Date:       2016-10-30 21:23:08
Message-ID: CAKcBoksVR25V=bWQWowVEvLtRwhL7TW4nZYOWFQsSTAcp1fx+g () mail ! gmail ! com

On Thu, Oct 27, 2016 at 2:39 PM, Antti Järvinen <antti.jarvinen@katiska.org>
wrote:


> While patching -DOPENSSL_API_COMPAT=0x10100000L will help a lot but
> code changes are still required in addition to this flag, many
> applications allocate OpenSSL data-structures in stack and this is not
> supported any more, regardless of -DOPENSSL_API_COMPAT.
>
>
This whole "let's shove OpenSSL 1.1 down your throat" is a very bad idea,
IMHO.

My upstreams (witty and ace) have no plans to support OpenSSL 1.1 in the
next months.

I do not have enough knowledge with OpenSSL to feel comfortable with my
patches. I may end up rendering the software insecure.

Does anyone remember the OpenSSL PRNG incident 10 years ago? Are we trying
to repeat it?
https://www.schneier.com/blog/archives/2008/05/random_number_b.html

Really, this does look like a huge mistake. Packagers will produce patches
that will generate suboptimal, if not straight insecure, software just for
their packages not to be removed, and/or to stop those "hey hey, RC bug on
you!" mails. Please, delay the "only 1.1 migration" for 1 year.

-- 
Pau Garcia i Quiles
http://www.elpauer.org



