Hi.

On Sat, Nov 03, 2018 at 03:37:06PM +0100, Harald Dunkel wrote:
> On 11/1/18 4:16 PM, Reco wrote:
> >
> > It's rather a short release cycle and a lack of feature parity with
> > openssl.
>
> I don't see a short release cycle as a bad feature. It's a sign of
> active and agile development.

And in Debian stable that also means that it's close to impossible to
backport security fixes to the chosen version (because it's "too old").
Updating such a fundamental library can (and probably *will*) lead to
API/ABI breakage. While tolerable at sid/testing, such things are
frowned upon at stable.

> Openssl has a bad reputation for introducing security problems,
> partly due to its complex and "dangerous code", which was the
> major reason for the fork.
>
> https://en.wikipedia.org/wiki/LibreSSL#History

As long as it's used - they will search for vulnerabilities in there.
And they will find them. PHP has an even worse reputation in this
regard, for example, yet you still see people who are using PHP.

IMO one should be worried about a cryptographic library that is not
mentioned on Full-Disclosure/oss-security now and then.

Reco