these bugs induced by openssl 3 are so exhausting


@ariadne i love having an application crash because checks notes the CPU supports vector instructions


@lotte @kescher not exhaustively, but hey, they are bullying distros into taking it by revoking maintenance of openssl 1.1 :)

@lanodan they are, but apparently they think they can just do this shit now that they're the de-facto standard crypto library, especially for TLS @lotte @ariadne

@lanodan @kescher @lotte

I can't wait until some sort of critical infrastructure gets hacked because of the sloppy work by the OpenSSL team

@lanodan @kescher @lotte

look, I just want to see the OpenSSL team have to explain themselves to Congress

@lanodan @kescher @lotte

especially the lady who wrote "solarwinds123" on a post-it and then ripped on the CEO because some intern had that as a password

@ariadne @lanodan @kescher maybe it is time for a smaller and leaner ssl library that has none of the legacy nonsense and all of the modern goodies

@kescher @lanodan @lotte @ariadne rustls is a thing... of course I know projects can't just switch to it easily, but there are alternatives to OpenSSL

@lanodan @kescher @lotte @ariadne TIL ring's build.rs compiles some C forked from BoringSSL

@be @ariadne @kescher @lotte
~/Sources/git/git.gentoo.org/repo/proj/guru $ git grep -l '\bring-' | grep .ebuild | xargs grep LICENSE | grep GPL
dev-util/fnm/fnm-1.31.0-r2.ebuild:LICENSE="Apache-2.0 BSD GPL-3 ISC MIT MPL-2.0"
games-engines/luxtorpeda/luxtorpeda-25.0.0.ebuild:LICENSE="GPL-2 BSD Apache-2.0 BSD-2 ISC MIT MPL-2.0 Unlicense"
games-rpg/airshipper/airshipper-0.7.0-r1.ebuild:LICENSE="Apache-2.0 BSD BSL-1.1 GPL-3 ISC MIT MPL-2.0 OFL-1.1 ZLIB"
net-misc/peertube-viewer-rs/peertube-viewer-rs-1.8.4-r1.ebuild:LICENSE="AGPL-3"

@lanodan @kescher @be @lotte

it should be noted that the OpenSSL 3 relicense is legally dubious

@lanodan @kescher @be @ariadne it uses the same license as openssl 1 though with ISC added, if the openssl+ssleay license was a problem then boringssl wouldn’t be the first library to hit this

@lotte @kescher @be @ariadne It's not.
I think GnuTLS's existence is effectively because of that incompatibility between OpenSSL's licensing and the GPL.

Also for a real life example of BoringSSL licensing issue: https://wpewebkit.org/about/faq.html#what%E2%80%99s-the-status-regarding-webrtc%3F

@be @lanodan @kescher @lotte

ring is just basically "we took boringssl libcrypto and pretend it's memory safe"

also, the maintainer is a jerk

@be @lanodan @kescher @lotte

while i am sure that it is hard to screw up the memory safety of a block cipher, there are things in ring where you can't just handwave in memory safety like that.

CatCatNya~