Ariadne Conill
Follow

these bugs induced by openssl 3 are so exhausting

· · 1 · 0 · 6
keschi, now with covid :blobCat_in_box:

@ariadne i love having an application crash because checks notes the CPU supports vector instructions

1
Charlotte 🦝

@kescher @ariadne have they not tested it

1
Ariadne Conill

@lotte @kescher not exhaustively, but hey, they are bullying distros into taking it by revoking maintenance of openssl 1.1 :)

1+
keschi, now with covid :blobCat_in_box:

@ariadne I'm dreading the day this task gets completed archlinux.org/todo/openssl-30/ @lotte

0
Haelwenn /элвэн/ :triskell:
@ariadne @lotte @kescher Are they not aware of how many bugs openssl-3 is creating?

ie. https://bugs.gentoo.org/show_bug.cgi?id=797325
1
keschi, now with covid :blobCat_in_box:

@lanodan they are, but apparently they think they can just do this shit now that they're the de-facto standard crypto library, especially for TLS @lotte @ariadne

1+
Haelwenn /элвэн/ :triskell:
@kescher @lotte @ariadne I guess they didn't learn from say python2.
1
Ariadne Conill

@lanodan @kescher @lotte

I can't wait until some sort of critical infrastructure gets hacked because of the sloppy work by the OpenSSL team

1+
Haelwenn /элвэн/ :triskell:
@ariadne @kescher @lotte Well, we've already been there many times.
1
Ariadne Conill

@lanodan @kescher @lotte

look, I just want to see the OpenSSL team have to explain themselves to Congress

1
Ariadne Conill

@lanodan @kescher @lotte

especially the lady who wrote "solarwinds123" on a post-it and then ripped on the CEO because some intern had that as a password

0
Charlotte 🦝

@ariadne @lanodan @kescher maybe it is time for a smaller and leaner ssl library that has none of the legacy nonsense and all of the modern goodies

1
Haelwenn /элвэн/ :triskell:
@lotte @ariadne @kescher *handwaves at mbedtls and BearSSL*
0
Be

@kescher @lanodan @lotte @ariadne rustls is a thing... of course I know projects can't just switch to it easily, but there are alternatives to OpenSSL

1
Ariadne Conill

@be @kescher @lanodan @lotte

rustls + ring ain't it, sorry

1
Haelwenn /элвэн/ :triskell:
@ariadne @be @kescher @lotte Specially as C code using cryptography and SSL isn't going away.
1
Be

@lanodan @kescher @lotte @ariadne TIL ring's build.rs compiles some C forked from BoringSSL

1+
Haelwenn /элвэн/ :triskell:
@be @kescher @lotte @ariadne Ewww.

Enjoy the GPL-incompatible license of BoringSSL I guess :]
1+
Haelwenn /элвэн/ :triskell:
@be @ariadne @kescher @lotte 
~/Sources/git/git.gentoo.org/repo/proj/guru $ git grep -l '\bring-' | grep .ebuild | xargs grep LICENSE | grep GPL
dev-util/fnm/fnm-1.31.0-r2.ebuild:LICENSE="Apache-2.0 BSD GPL-3 ISC MIT MPL-2.0"
games-engines/luxtorpeda/luxtorpeda-25.0.0.ebuild:LICENSE="GPL-2 BSD Apache-2.0 BSD-2 ISC MIT MPL-2.0 Unlicense"
games-rpg/airshipper/airshipper-0.7.0-r1.ebuild:LICENSE="Apache-2.0 BSD BSL-1.1 GPL-3 ISC MIT MPL-2.0 OFL-1.1 ZLIB"
net-misc/peertube-viewer-rs/peertube-viewer-rs-1.8.4-r1.ebuild:LICENSE="AGPL-3"
0
Ariadne Conill

@lanodan @kescher @be @lotte

it should be noted that the OpenSSL 3 relicense is legally dubious

1
Be

@ariadne @lanodan @kescher @lotte How so?

0
Charlotte 🦝

@lanodan @kescher @be @ariadne it uses the same license as openssl 1 though with ISC added, if the openssl+ssleay license was a problem then boringssl wouldn’t be the first library to hit this

1
Haelwenn /элвэн/ :triskell:
@lotte @kescher @be @ariadne It's not.
I think GnuTLS existence is effectively because of that incompatibility with OpenSSL's licensing with the GPL.

Also for a real life example of BoringSSL licensing issue: https://wpewebkit.org/about/faq.html#what%E2%80%99s-the-status-regarding-webrtc%3F
1
geometric quinngebra theorem
@lanodan @lotte @ariadne @be @kescher we use bearssl over here :youmusmug:
0
Ariadne Conill

@be @lanodan @kescher @lotte

ring is just basically "we took boringssl libcrypto and pretend it's memory safe"

also, the maintainer is a jerk

1
Ariadne Conill

@be @lanodan @kescher @lotte

while i am sure that it is hard to screw up the memory safety of a block cipher, there are things in ring where you can't just handwave in memory safety like that.

1
Be

@ariadne @lanodan @kescher @lotte welp this is an interesting discussion github.com/libp2p/rust-libp2p/ 🍿

1
Be

@ariadne @lanodan @kescher @lotte hot damn the ring maintainer is an asshole github.com/briansmith/ring/iss

0
Sign in to participate in the conversation
Treehouse Mastodon

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!

Trending now

Resources

Developers

What is Mastodon?

treehouse.systems

More…

v3.5.3+glitch · Privacy policy