On 26/09/2024 23:24, Martin Steigerwald wrote:
> On the other hand even the OpenSSL related report from a LibreSSL
> developer did not really take into account overworked developers and
> maintainers. While I laughed on some of the very dire programming mistakes
> elaborated in that report… I meanwhile see both sides of the story and
> wonder how many developers work on cups-browsed. However it appears to me
> the report by Simone Margaritelli can make for a good laugh as well as it
> also seems to be formulated in a somewhat sarcastically toned humorous
> way.

If OpenSSL took a more conservative approach like BoringSSL or LibreSSL then the
maintainer may not have been overworked. If you think the problems of OpenSSL
have been fixed since then after the Linux foundation throwing money at the
wrong project. You are wrong. They keep getting more CVEs than OpenSSL and
causing more in users applications. The Gentoo article on the subject was and
likely still is very misleading.

The OpenBSD devs aren't going to spare the time to write from scratch but it
would be simpler still if they did. Even better would be writing it in a
language like Ada or Rust. Perhaps once TLS1.2 is deprecated and only supporting
the simpler TLS1.3 and PQC is required.