Date: Thu, 25 Apr 2013 01:21:00 -0400
From: Rich Felker <>
Subject: Re: High-priority library replacements?

On Thu, Apr 25, 2013 at 07:05:12AM +0200, Daniel Cegiełka wrote:
> 2013/4/25 Rich Felker <>:
> For a list of core libraries I would add basic, but high-priority
> tools: ssh, pam (passwd, login, su).
> ssh - dropbear?

I think dropbear fully covers the needs of most non-"enterprise" usage
and maybe that too. It could however use some hardening. I don't think
it's terribly insecure, but I'd like to see a robust privilege model
that would make it safe even in the event of bugs that would otherwise
result in a compromise.

> pam - openpam?

I would say pam is less critical. I've had my pamlite in limbo for a
long time but haven't gotten around to making it do anything... Still
a good one for the list though.

> These key software we can also support (static linking etc.).
> btw. SSL - instead libcrypto clone maybe it's better to use
> crypto-algorithms from linux kernel?

I'm not sure what the advantage would be; the disadvantage is
certainly being Linux-specific and dependent on the host system
configuration (last I checked, crypto in the kernel is optional; maybe
this has changed..?) to work. There's also the issue that it's not
fail-proof; it requires allocating resources. IMO supporting hardware
crypto devices is not really relevant for most users of SSL. Yes, a
high volume web server might need to be tuned for performance, but it
doesn't matter for most network client applications like wget, chat
clients, mail clients, etc.

