> It isn't just this.  Qt 5.10 introduces a new dependency on OpenSSL 1.1
> APIs for improved security, and LibreSSL does not implement those APIs
> at all.

The 1.1 API does not improve security.

If anything, the new API requires you to repeat the same or similar
arguments to many functions, and in many ways the API is much more
fragile.  Also, more memory allocation and free is required, and as a
result quite a few software upgrades to 1.1 API have had memory leaks,
as well as use-after-free and double-free bugs.

A very large patch for converting openssh to 1.1 was provided by folk
who very much know the API, and it had several stupid and quite
dangerous mistakes of that sort.

Don't believe all the promises you hear.
