New releases of the following packages are available:

 * skalibs-

 Bugfix release. It is necessary to upgrade to this release for the new
version of s6-networking to work.


 * s6-networking-

 This release of s6-networking comes with 4 optional new binaries:
s6-tlsclient, s6-tlsserver, s6-tlsc, s6-tlsd. Those binaries implement
secure connections via the TLS protocol. s6-tlsclient and s6-tlsserver
act like s6-tcpclient and s6-tcpserver respectively; s6-tlsc and s6-tlsd
are the "tlsify" blocks that put themselves between the network
and the cleartext-speaking application.

 Building those binaries requires an additional dependency on an SSL
library, called a "backend". After installing the chosen backend, you
can tell s6-networking to use it by giving the "--enable-ssl=$backend"
option to configure.

 There are two supported values for $backend:

 * "libressl". This requires installing LibreSSL 2.4.4 or later.
This is the default, safe choice.

 * "bearssl". This requires installing BearSSL 0.1 or later. BearSSL is
a new SSL library being developed by Thomas Pornin, a renowned
cryptologist. Choosing BearSSL is still experimental (it will only be
considered production-ready by its author when it reaches version 1.0),
but it's working for me successfully. The reason to choose BearSSL over
LibreSSL is that BearSSL's design is incredibly high-quality. It is much
more maintainable than the OpenSSL/LibreSSL code base; it requires a
ridiculously small amount of RAM to run; static x86_64 executables for
s6-tlsc and s6-tlsd are, when linked against BearSSL, 10% of the size
they are when using LibreSSL. (Yes, that's a 90% size reduction.)

 Given that LibreSSL is ubiquitous and BearSSL already looks amazing and
will likely be production-ready next year, there are no plans to add
further backends.


 Bug reports *especially* welcome. I spent a long time ironing out small
issues in s6-tlsc and s6-tlsd, but if any problems remain, it is
particularly important to handle them quickly.

