these bugs induced by openssl 3 are so exhausting

@ariadne i love having an application crash because checks notes the CPU supports vector instructions

@lotte @kescher not exhaustively, but hey, they are bullying distros into taking it by revoking maintenance of openssl 1.1 :)

@lanodan they are, but apparently they think they can just do this shit now that they're the de-facto standard crypto library, especially for TLS @lotte @ariadne

@lanodan @kescher @lotte

I can't wait until some sort of critical infrastructure gets hacked because of the sloppy work by the OpenSSL team

@lanodan @kescher @lotte

look, I just want to see the OpenSSL team have to explain themselves to Congress

@lanodan @kescher @lotte

especially the lady who wrote "solarwinds123" on a post-it and then ripped on the CEO because some intern had that as a password

@ariadne @lanodan @kescher maybe it is time for a smaller and leaner ssl library that has none of the legacy nonsense and all of the modern goodies

@kescher @lanodan @lotte @ariadne rustls is a thing... of course I know projects can't just switch to it easily, but there are alternatives to OpenSSL

@lanodan @kescher @lotte @ariadne TIL ring's build.rs compiles some C forked from BoringSSL

@be @ariadne @kescher @lotte
~/Sources/git/git.gentoo.org/repo/proj/guru $ git grep -l '\bring-' | grep .ebuild | xargs grep LICENSE | grep GPL
dev-util/fnm/fnm-1.31.0-r2.ebuild:LICENSE="Apache-2.0 BSD GPL-3 ISC MIT MPL-2.0"
games-engines/luxtorpeda/luxtorpeda-25.0.0.ebuild:LICENSE="GPL-2 BSD Apache-2.0 BSD-2 ISC MIT MPL-2.0 Unlicense"
games-rpg/airshipper/airshipper-0.7.0-r1.ebuild:LICENSE="Apache-2.0 BSD BSL-1.1 GPL-3 ISC MIT MPL-2.0 OFL-1.1 ZLIB"
net-misc/peertube-viewer-rs/peertube-viewer-rs-1.8.4-r1.ebuild:LICENSE="AGPL-3"

@lanodan @kescher @be @lotte

it should be noted that the OpenSSL 3 relicense is legally dubious

@lanodan @kescher @be @ariadne it uses the same license as openssl 1 though with ISC added, if the openssl+ssleay license was a problem then boringssl wouldn’t be the first library to hit this

@lotte @kescher @be @ariadne It's not.
I think GnuTLS's existence is effectively because of that incompatibility of OpenSSL's licensing with the GPL.

Also for a real life example of BoringSSL licensing issue: https://wpewebkit.org/about/faq.html#what%E2%80%99s-the-status-regarding-webrtc%3F

@be @lanodan @kescher @lotte

ring is just basically "we took boringssl libcrypto and pretend it's memory safe"

also, the maintainer is a jerk

@be @lanodan @kescher @lotte

while i am sure that it is hard to screw up the memory safety of a block cipher, there are things in ring where you can't just handwave in memory safety like that.
