these bugs induced by openssl 3 are so exhausting

@ariadne i love having an application crash because checks notes the CPU supports vector instructions

@lotte @kescher not exhaustively, but hey, they are bullying distros into taking it by revoking maintenance of openssl 1.1 :)

@lanodan they are, but apparently they think they can just do this shit now that they're the de-facto standard crypto library, especially for TLS @lotte @ariadne

@kescher @lanodan @lotte @ariadne rustls is a thing... of course I know projects can't just switch to it easily, but there are alternatives to OpenSSL

@lanodan @kescher @lotte @ariadne TIL ring's build.rs compiles some C forked from BoringSSL

@be @ariadne @kescher @lotte

~/Sources/git/git.gentoo.org/repo/proj/guru $ git grep -l '\bring-' | grep .ebuild | xargs grep LICENSE | grep GPL
dev-util/fnm/fnm-1.31.0-r2.ebuild:LICENSE="Apache-2.0 BSD GPL-3 ISC MIT MPL-2.0"
games-engines/luxtorpeda/luxtorpeda-25.0.0.ebuild:LICENSE="GPL-2 BSD Apache-2.0 BSD-2 ISC MIT MPL-2.0 Unlicense"
games-rpg/airshipper/airshipper-0.7.0-r1.ebuild:LICENSE="Apache-2.0 BSD BSL-1.1 GPL-3 ISC MIT MPL-2.0 OFL-1.1 ZLIB"
net-misc/peertube-viewer-rs/peertube-viewer-rs-1.8.4-r1.ebuild:LICENSE="AGPL-3"

@lanodan @kescher @be @lotte

it should be noted that the OpenSSL 3 relicense is legally dubious

@lanodan @kescher @be @ariadne it uses the same license as openssl 1 though with ISC added, if the openssl+ssleay license was a problem then boringssl wouldn’t be the first library to hit this

@lotte @kescher @be @ariadne It's not.
I think GnuTLS's existence is effectively because of that incompatibility with OpenSSL's licensing with the GPL.

Also for a real life example of BoringSSL licensing issue: https://wpewebkit.org/about/faq.html#what%E2%80%99s-the-status-regarding-webrtc%3F

@be @lanodan @kescher @lotte

ring is just basically "we took boringssl libcrypto and pretend it's memory safe"

also, the maintainer is a jerk

@be @lanodan @kescher @lotte

while i am sure that it is hard to screw up the memory safety of a block cipher, there are things in ring where you can't just handwave in memory safety like that.
