If PyPy releases include a copy of OpenSSL (or LibreSSL) then we need to be in the business of issuing new releases whenever upstream has a security release, we can't be shipping people OpenSSLs with known security issues.
Of LibreSSL and OpenSSL, I'd choose to ship OpenSSL -- I've found LibreSSL fairly frustrating to work with and OpenSSL upstream is considerably cleaned up in past years. Alex On Wed, Jan 3, 2018 at 12:06 PM, Nathaniel Smith <n...@pobox.com> wrote: > On Jan 3, 2018 02:17, "Matt Billenstein" <m...@vazor.com> wrote: > > So, I think updating LibreSSL branches every 6-12 months and using the > latest > point release for a new pypy release is probably a good plan. > > > BTW you should consult your local cryptographic engineer – I guess that's > probably Alex Gaynor? – before deciding between LibreSSL and OpenSSL. I > don't have any first hand experience here myself, but my second hand > impression is that LibreSSL does not have a good reputation. > > -n > > _______________________________________________ > pypy-dev mailing list > pypy-dev@python.org > https://mail.python.org/mailman/listinfo/pypy-dev > > -- "I disapprove of what you say, but I will defend to the death your right to say it." -- Evelyn Beatrice Hall (summarizing Voltaire) "The people's good is the highest law." -- Cicero GPG Key fingerprint: D1B3 ADC0 E023 8CA6
_______________________________________________ pypy-dev mailing list pypy-dev@python.org https://mail.python.org/mailman/listinfo/pypy-dev
