
Re: Will Packaging BoringSSL Bring Any Trouble to the Security Team?



Just wanted to say that I am quite happy not to have BoringSSL in Debian - main. I think it is depeerable there apart from the security risk of adopting the SSL package from a company which was largely funded by intelligence services and the Pentagon. I would rather like to see OpenBSD's LibreSSL as an option for Debian. I believe the OpenBSD programmers have done a pretty good job at it!

Elmar

On 2016-05-13 at 08:44, Moritz Mühlenhoff wrote:
> 殷啟聰 <seamlikok@gmail.com> wrote:
>> Dear Debian Security Team,
>
> Our contact address is team@security.debian.org, not debian-security...
>
>> The "android-tools" packaging team
>> <https://qa.debian.org/developer.php?login=android-tools-devel%40lists.alioth.debian.org>
>> are introducing BoringSSL, a fork of OpenSSL by Google. The latest
>> Android OS and its SDK no longer use OpenSSL and they use some APIs
>> only provided by BoringSSL, hence we are bringing BoringSSL to Debian.
>> You can see the ITP at <https://bugs.debian.org/823933>.
>
> No, that's not acceptable. You can try to provide those additional APIs
> on top of OpenSSL, but we're not going to support an entire OpenSSL
> fork just for Google's NIH syndrome.
>
> Cheers,
>         Moritz


