On 25 Apr 2014, at 09:16, Matthias Gamsjager <mgamsja...@gmail.com> wrote:

> Isn't the latest news that Google&co and the linux foundation setup a
> construction that these vital opensource projects get the proper
> funding. Meaning more man power and hopefully less bugs

Yes, there's effort to improve OpenSSL from there, there's the LibreSSL project 
from OpenBSD and there's a from-scratch reimplementation of SSL in the 
Cambridge Computer Lab that's intended for easy verification[1], and Apple's 
CommonCrypto (which, in light of goto fail, might not be the best choice), so 
there are going to be a lot of choices in time for 11.  

There are very few users of OpenSSL in the base system (7, I think), so 
rewriting them to use less error-prone APIs would be feasible - a 100% 
OpenSSL-compatible API is not necessarily a requirement for a base-system SSL 

so@ and secteam@ get to make the final call on what we should be shipping, 
because they're the ones that will have to suffer from the fallout the next 
time there's a vulnerability.


[1] It's written in OCaml, but can have C APIs and can probably be compiled 
into C.  C that is machine generated from a typesafe language is a lot less 
likely to contain memory management bugs than C that is generated by a human...
freebsd-current@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"

Reply via email to