undefined | Better HN

0 pointsXylakant12y ago0 comments

> You say that, but it's not as though this is a fundamentally hard problem. How many servers are running nginx today vs. even a few years ago?

How many years did it take to get there? How many servers are still running apache?

> And, of course, eventually switching from openssl to libressl will become as easy as spending a couple minutes with a package manager.

Eventually, maybe. That's no reason not to audit openssl right now, that people cannot switch - especially the ones that use platforms that the OpenBSD team decided to remove support for.

0 comments

1 comments · 1 top-level

danudey12y ago

The comparison isn't terribly apt; for example, LibreSSL's intention is to be a drop-in replacement for OpenSSL; if nginx were a drop-in replacement for Apache I suspect we would see a lot more people using it than there are now.

As for auditing OpenSSL, the OpenBSD team has found so many problems, misdesigns, misfeatures, idiotic decisions, and bugs, that it seems a shame to repeat that work again. If I had to choose, I'd say give the OpenSSL name to the OpenBSD guys, let them take over the project officially, and let the folks behind the OpenSSL foundation handle things like platform-dependent code, FIPS compliance patches, etc.

j / k navigate · click thread line to collapse