Compared to OpenSSL 3 this transition has been very smooth. Only dropping of "Engines" was a problem at all, and in Fedora most of those dependencies have been changed.
How is OpenSSl these days? I vaguely remember the big ruckus a while back, was it Heartbleed? where everyone to their horror realized it was maybe 1 or 2 people trying to maintain OpenSSL, and the OpenBSD people then throwing manpower at it to clear up a lot of old outstanding bugs. It seems like it is on firmer/more organized footing these days?
Good to see const more prevalent. Too often I have to add that in to libraries for embedded. Possibly I believe in const by default but it is what it is at this point
> libcrypto no longer cleans up globally allocated data via atexit().
> OPENSSL_cleanup() now runs in a global destructor, or not at all
by default.
Oh oh. Heartbleed 2.0 incoming.
I really do hope that they broke APIs specifically throwing errors or race conditions so that devs are forced to cleanup. Otherwise this is going to be a nightmare to find out in terms of maintenance and audits.
I mean it's a new major release so it's a valid design change. But I hope they're thinking of providing and migration/update guide or a checklist to reduce usage errata.
(I'm heavily in favor of deprecating the fixed version method names)
Manual opt out processes are becoming a major friction point. It's interesting how these tools only improve their defaults after a community backlash. Trust is so hard to build but so easy to burn in this space
18 comments
[ 2.6 ms ] story [ 39.5 ms ] threadOn the one hand, looks like decent cleanup. (IIRC, engines in particular will not be missed).
On the other hand, breaking compatibility is always a tradeoff, and I still remember 3.x being... not universally loved.
From what I remember hearing, the move from 2 to 3 was hard.
According to this one should not be using v3 at all..
> OPENSSL_cleanup() now runs in a global destructor, or not at all by default.
Oh oh. Heartbleed 2.0 incoming.
I really do hope that they broke APIs specifically throwing errors or race conditions so that devs are forced to cleanup. Otherwise this is going to be a nightmare to find out in terms of maintenance and audits.
I mean it's a new major release so it's a valid design change. But I hope they're thinking of providing and migration/update guide or a checklist to reduce usage errata.
(I'm heavily in favor of deprecating the fixed version method names)