18 comments

[ 2.4 ms ] story [ 57.9 ms ] thread
The interaction between OpenSSH portable and LibreSSL portable is especially amusing.
It sounds like there should be something like a libopenbsdcompat containing arc4random et al., which both these packages would then import+depend on.
There's libbsd for Linux, although I can't comment on the quality of its implementation.
libbsd and gnulib are pretty much just functions copy-pasted out of their original locations into conveniently organized repositories. There's not much to speak of concerning implementation quality.
Now that the glibc leadership changes have taken place, hopefully we can see functions like arc4random, explicit_bzero, timingsafe_bcmp, reallocarray and the other stuff actually appear in glibc where they belong, so no glue will be required.

They are pretty damn useful when you're trying to do secure programming.

(Of course, arc4random should use ChaCha20.)

I think there recently was a proposal for reallocarray in glibc. Not sure what happened to it though.
Did anyone else get a blue bar in the middle of the text while trying to read fr mobile?
(comment deleted)
Hello, I'm the owner of the blog, I have changed the blue bar now to be only in the header, should improve things and no longer get into the content.

I need to look into this in detail at some point, but for now it should be readable.

Another issue:

  The page at 'https://blog.hboeck.de/archives/851-LibreSSL-on-Gentoo.html' 
  was loaded over HTTPS, but displayed insecure content from 
  'http://vg07.met.vgwort.de/na/4f1f65b6b6e4419c97ea81e7d27cc0a0': 
  this content should also be loaded over HTTPS.
You'll see this often on sites that use CDNs to server images. Adding SSL to a CDN at levels used by smaller sites easily doubles the cost.
In that case that's a nasty tracker image by a german "writers collecting society"...
Only tangential to the article, but only now (via the link to the apache patch) did I realise it was libReSSL. Makes the name so much more interesting!