LibreSSL languishes on Linux

Posted Jan 15, 2021 15:48 UTC (Fri) by sandsmark (guest, #62172)
In reply to: LibreSSL languishes on Linux by sandsmark
Parent article: LibreSSL languishes on Linux

Just a concrete example of what I mean: this here (including how the rust-based dependencies are handled) almost looks like a joke in the context of a security related project: https://github.com/mesalock-linux/mesalink/tree/679dac128...

LibreSSL languishes on Linux

Posted Jan 18, 2021 8:23 UTC (Mon) by laarmen (subscriber, #63948) [Link] (2 responses)

Out of curiosity, besides the curl | sh, what do you think is wrong there? I'm not being snarky, just trying to learn :-)

LibreSSL languishes on Linux

Posted Feb 2, 2021 11:08 UTC (Tue) by sandsmark (guest, #62172) [Link] (1 responses)

It was the piping some random URL to a shell script that has been a running joke for a while.

The rest of the code doesn't seem particularly defensively written, compared to something like Botan (which nicely illustrates how using C++ and not C impacts security, all of their issues would have been just as or more likely to happen with mesalink: https://botan.randombit.net/security.html).

And looking at their code, mesalink seems more prone to raw memory issues than Botan: https://github.com/mesalock-linux/mesalink/search?q=unsafe

LibreSSL languishes on Linux

Posted Feb 2, 2021 18:17 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

Most of unsafes in mesalink are there to deal with the external interface that is unsafe because it's a compatibility shim for OpenSSL.