[GitHub] [tomcat-native] ChristopherSchultz commented on pull request #13: native: Update for libressl 3.5

[GitBox <gi...@apache.org>]

ChristopherSchultz commented on PR #13:
URL: https://github.com/apache/tomcat-native/pull/13#issuecomment-1194301634

   > My main reasons are that libressl has a better track record with security
   
   Really? Mostly what they did was discard old garbage from OpenSSL that may have had bugs lurking in it. Anything which demonstrably improves security should have also been picked-up by OpenSSL.
   
   > and a significantly better build system.
   
   This is irrelevant, as downstream uses don't worry about build complexity. Build complexity may be a source of other issues, but it's not a good justification for wanting to use one library versus another.
   
   That being said, **I am a big proponent of LibreSSL support** if for no other reason than than to avoid a monoculture. Unfortunately, OpenSSL vs LibreSSL is a bit like comparing modern MS Edge, Chrome, and Opera and saying they are different browsers when they are significantly identical under the covers.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org