On Fri, Jul 18, 2014 at 10:29:27AM +0200, Jan Engelhardt wrote:
can you please introduce the package on factory ml?
LibreSSL is a fork of OpenSSL which has been stripped of old, unused code and code for defunct/historic OSes. The plan is increased auditability and security. (You probably already heard in the news.)
There is a conference video on LibreSSL at http://www.youtube.com/watch?v=GnBbhXBDmwU for interested parties. From that presentation, I also gather:
- openssl implements its own meomry allocator which defeats valgrind's memory leack checker because that allocator never frees anything - new features added to libressl: ChaCha stream cipher, poly1305 (MAC)
Packaging-wise, I find the style of libressl(-portable) to be a win over openssl. It is autotooled and needs just a quarter of the instructions found in openssl.spec.
I don't see any motivation why we need yet another ssl implementation
There are certainly factors that would make a package unfit for inclusion, like unacceptable license, or overly trivial software, obvious trash software, or certain unmaintained software. LibreSSL does not fail at any of these basic checks.
Other than that, I remember it such that openSUSE became open to all submissions and dropped the requirement that the package had to be useful _for the distribution_ (rather than the user).
It is a crypto library which was hastily cleaned up, as evidenced by the discussion about randomness handling. I would suggest to first let it mature some months before we start using it. We can include the package to Factory, but I strongly recommend not to switch programs to use it at this time. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org