On 25 Apr 2014, at 09:16, Matthias Gamsjager <mgamsja...@gmail.com> wrote:
> Isn't the latest news that Google&co and the linux foundation setup a > construction that these vital opensource projects get the proper > funding. Meaning more man power and hopefully less bugs Yes, there's effort to improve OpenSSL from there, there's the LibreSSL project from OpenBSD and there's a from-scratch reimplementation of SSL in the Cambridge Computer Lab that's intended for easy verification[1], and Apple's CommonCrypto (which, in light of goto fail, might not be the best choice), so there are going to be a lot of choices in time for 11. There are very few users of OpenSSL in the base system (7, I think), so rewriting them to use less error-prone APIs would be feasible - a 100% OpenSSL-compatible API is not necessarily a requirement for a base-system SSL library. so@ and secteam@ get to make the final call on what we should be shipping, because they're the ones that will have to suffer from the fallout the next time there's a vulnerability. David [1] It's written in OCaml, but can have C APIs and can probably be compiled into C. C that is machine generated from a typesafe language is a lot less likely to contain memory management bugs than C that is generated by a human... _______________________________________________ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
