On 12/06/14 11:43 PM, Christian Pedaschus wrote:
> On Tue, 10 Jun 2014 12:14:46 -0600
> Theo de Raadt <dera...@cvs.openbsd.org> wrote:
>>> I was reading stuff in misc@ about OpenSSL broken things. I see
>>> people from OpenBSD started LibreSSL project and they are forking
>>> OpenSSL and removing the bad code. This is past, but I see more and
>>> more lesions are discovered. It may be a stupid question, but
>>> having all these, isn't it more efficient to start LibreSSL from zero?
>> Impossible.
>> The OpenSSL API was built up through accretion over almost 2 decades.
>> It is fat, bloated, repetitive, and tricky. In general, application
>> authors have chosen to use the first APIs they spot which provide the
>> functionality they need. As a result, almost all of the bloated API
>> is potentially used in the greater ecosystem.
>> It is quite simply impossible to reinvent this particular wheel. Any
>> effort to reinvent it would be highly incompatible. Features and
>> warts are too closely coupled.
> Wouldn't it be a feature?
> Less warts, less bugs, less features, less compatible, but secure?
What good is having a brand new from scratch API when almost nothing
uses it? There are thousands of apps / libraries using OpenSSL. Are YOU
going to go to each and every project and write SSL code for each
respective project to add support for this from scratch API?