I'm saddened and disappointed by the current trend of jettisoning support for Libressl.
I'm puzzled by the failure to learn from the Heartbleed fiasco, which happened just seven years ago. I'm naturally paranoid, but this is not always a flaw. I'm not the only one who suspects new Openssl "features" are designed to break compatibility with Libressl and return to market dominance. I think PHK's pointed criticism still applies:
View: https://www.youtube.com/watch?v=fwcl17Q0bpk
The Openssl Software Foundation is still a for-profit corporation offering commercial support and FIPS compliance. I also find it interesting that the vulnerability comparison section of the Wikipedia page referenced in this Python library has now disappeared. I think it probably looked something like this:
Even if you think that my tinfoil hat is too tight and has cut off circulation to my brain, maybe you'll agree that monocultures are inherently fragile:
Switching back to OpenSSL
The Void Linux team is switching back to OpenSSL on March 5th, 2021 (2021-03-05).
voidlinux.org
PEP 644 – Require OpenSSL 1.1.1 or newer | peps.python.org
Python Enhancement Proposals (PEPs)
www.python.org
I'm puzzled by the failure to learn from the Heartbleed fiasco, which happened just seven years ago. I'm naturally paranoid, but this is not always a flaw. I'm not the only one who suspects new Openssl "features" are designed to break compatibility with Libressl and return to market dominance. I think PHK's pointed criticism still applies:
The Openssl Software Foundation is still a for-profit corporation offering commercial support and FIPS compliance. I also find it interesting that the vulnerability comparison section of the Wikipedia page referenced in this Python library has now disappeared. I think it probably looked something like this:
LibreSSL - Glitchdata
wiki.glitchdata.com
Even if you think that my tinfoil hat is too tight and has cut off circulation to my brain, maybe you'll agree that monocultures are inherently fragile:
Re: [gentoo-dev] [RFC] Discontinuing LibreSSL support?
www.mail-archive.com