At this point, it's probably the right call. OpenSSL 2021 is nothing like OpenSSL 2014 (jesus i'm old), and is probably a better bet at this point than LibreSSL just by dint of the amount of energy that's allocated to it.
FWIW, I've been in the game a long time. I understand what rolling release means. In this case it means, sorry if you bought anything in the last 2 years. And really sorry if you care about security.
If you "care about security" and for some reason refuse to update your system beyond what the live image is, you should instead make your own rootfs.
No one who knows what they're doing would boot off of someone else's live image, sans updates, and pretend to be secure, even if the live image was only days old.
Not to mention that the old live images worked fine on x86_64 hardware that was new to begin with, since x86_64 is extremely backwards-compatible.
But again, the most recent live image is literally days old.
> A live image that is two years old is open to every security bug in the last two years. Good luck refuting that logic.
Update. The. Live. Image. Takes four seconds. If you care so much, it literally takes zero seconds not to use a live image, and instead bootstrap your system with xbps on another system. You aren't supposed to stay with the live image. There's no "logic" to your post.
Yeah, I retract my statement. It was my error there, and I apologize.
Not going into too much detail, but was following a lot of the drama going on for the past two years and found it odd there wasn't a release in all that time.
That said, I shouldn't get worked up or argue about things that aren't my business. I apologize.
HN won't let me comment reply anymore. So I'll just say, good luck with your awful distro. Hope nobody loses anything important as a result of your hubris.
Perhaps someone can shed light on this for me, a couple years ago I had an issue where libcurl with libressl stopped working in the new year with connections to a bunch of web servers, but switching to libcurl with openssl fixed my issue, though I never found out why.
(Only speaking for Windows because I don't know anything about OSX.)
>Do Windows and MacOS have their own libraries separate from OpenSSL?
Yes, CAPI/CNG (general crypto) + SChannel (TLS).
>Do applications statically link OpenSSL?
If they want to. Linux-first programs often have a hard dependency on openssl rather than use pluggable crypto, so they include openssl in their installation package. Openssl can be compiled just fine for Windows after all.
IMHO, LibreSSL was doomed to "fail" by the mere fact that it was not picked up by Linux distributions to replace OpenSSL, the same way that x.org had replaced XFree86. Linux's influence's simply too big. LibreSSL will survive in the BSDs, and OpenSSH. That is, until OpenSSH's forked for whatever reason and the fork becomes the standard ssh on Linux distributions. I fear that's inevitable (cf. zfs).
Yes. at one point, it was the only code I could find which would reissue a certificate, using only the certificate itself as a CSR rather than making the private key holder reissue a request.
27 comments
[ 19.6 ms ] story [ 1257 ms ] threadNot knocking the distro, just not understanding the attention.
https://voidlinux.org/download/
No one who knows what they're doing would boot off of someone else's live image, sans updates, and pretend to be secure, even if the live image was only days old.
Not to mention that the old live images worked fine on x86_64 hardware that was new to begin with, since x86_64 is extremely backwards-compatible.
But again, the most recent live image is literally days old.
If Void had a release recently, great for them. Are you prepared for me to rip apart the security stance of xbps? Lemme know.
Update. The. Live. Image. Takes four seconds. If you care so much, it literally takes zero seconds not to use a live image, and instead bootstrap your system with xbps on another system. You aren't supposed to stay with the live image. There's no "logic" to your post.
Try "if Void had a release recently, egg on my face because I asserted up thread they 'haven't had a release in 2 years.'"
You're making wild assertions and changing the subject when called out. What are you trying to accomplish here?
Not going into too much detail, but was following a lot of the drama going on for the past two years and found it odd there wasn't a release in all that time.
That said, I shouldn't get worked up or argue about things that aren't my business. I apologize.
Do Windows and MacOS have their own libraries separate from OpenSSL? Do applications statically link OpenSSL? What library does Python use on Windows?
>Do Windows and MacOS have their own libraries separate from OpenSSL?
Yes, CAPI/CNG (general crypto) + SChannel (TLS).
>Do applications statically link OpenSSL?
If they want to. Linux-first programs often have a hard dependency on openssl rather than use pluggable crypto, so they include openssl in their installation package. Openssl can be compiled just fine for Windows after all.
>What library does Python use on Windows?
Python's ssl module uses openssl on all OSes.
I was using the Windows ones already in 2000, for IIS ISAPI certificate handling.
You only use something like OpenSSL directly when porting Linux/BSD software.
Gentoo as well and Alpine back in 2019.
[0] https://www.cryptlib.com/