John Wilkinson wrote:
> That's a useful tip, perhaps, but if the underlying calls are
> embedded in third-party libraries, such as handled by cURL etc,
> the end user has no choice as to when they're being initialized.

A third-party library that monkeys with process resources (such as initialization of OpenSSL) outside of the control of the application is fundamentally broken.

> Of course since multiple third-party libraries could be involved
> (which have no knowledge of each other), it's only possible to
> fix this issue in OpenSSL itself.

They have no knowledge of each other, but the application has knowledge of all of them. If the third-party libraries provide no way to coordinate the initialization of process resources, they are broken. If they do but the application fails to use them, it is broken.

This is another example of a library trying to hide things from the application that cannot be hidden from the application. Sensible libraries may do this by default, but provide ways for applications to control this where it is absolutely needed.

How can OpenSSL fix the case where a third-party library decides that it no longer wants to use an algorithm and removes it while another third-party library is using those algorithms?

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
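
The scenario discussed in the message above, as an added example that is not part of the original post and is not OpenSSL or cURL code: two libraries share one process-wide algorithm table, and the one that stops first tears it down unless the application owns initialization and cleanup. Every function and variable name is hypothetical, and the table is a constructed stand-in for OpenSSL's global state.

```c
/* Added illustration; every name is hypothetical, and the table below
   only stands in for OpenSSL's process-wide algorithm registry. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define SLOTS 4
static const char *g_algs[SLOTS];          /* one table per process */

static void global_init(void)    { g_algs[0] = "aes"; g_algs[1] = "sha256"; }
static void global_cleanup(void) { memset(g_algs, 0, sizeof g_algs); }

static bool alg_available(const char *name) {
    for (size_t i = 0; i < SLOTS; i++)
        if (g_algs[i] && strcmp(g_algs[i], name) == 0)
            return true;
    return false;
}

/* A third-party library. manage_global=true is the "hidden" default:
   it sets up and tears down process state on its own schedule.
   manage_global=false is the hook that hands control to the application. */
static void lib_start(bool manage_global) { if (manage_global) global_init(); }
static void lib_stop(bool manage_global)  { if (manage_global) global_cleanup(); }

/* Libraries A and B start; A stops; can B still find "aes"? */
bool b_usable_after_a_stops(bool libs_manage_global) {
    global_cleanup();                       /* start from a clean process */
    if (!libs_manage_global)
        global_init();                      /* application initialises once */
    lib_start(libs_manage_global);          /* library A */
    lib_start(libs_manage_global);          /* library B */
    lib_stop(libs_manage_global);           /* A finishes first */
    bool ok = alg_available("aes");         /* B's next operation */
    lib_stop(libs_manage_global);           /* B finishes */
    if (!libs_manage_global)
        global_cleanup();                   /* application cleans up last */
    return ok;
}

int main(void) {
    printf("libraries own global state:    B usable = %d\n",
           b_usable_after_a_stops(true));
    printf("application owns global state: B usable = %d\n",
           b_usable_after_a_stops(false));
    return 0;
}
```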
