I think the main question regards CentOS support, with further questions about Debian/Ubuntu support. If we have to ship PolarSSL packages with our releases to support major distros, is that too much of a burden?

-JM

----- Original Message -----
> One of my tasks for 3.6 is to update/improve the SSL code. Long ago, I
> had decided that part of the next major update to SSL should include
> switching from OpenSSL to PolarSSL. Why? Two reasons.
>
> (1) The OpenSSL API is awful, and poorly documented to boot. We have to
> go through some rather unpleasant contortions in the socket module to
> accommodate it. AFAICT, this would be less of a problem with PolarSSL.
>
> (2) OpenSSL is less secure. Since I had this thought, I've been paying
> attention to which SSL implementations respond first to each exploit.
> For BEAST and CRIME, PolarSSL was first. OpenSSL was consistently last,
> with GnuTLS and NSS in between. Heartbleed was an *entirely
> OpenSSL-specific* bug that never affected PolarSSL in the first place.
>
> The "BSD style" OpenSSL license has also caused some concern before.
> While those concerns have been minor, PolarSSL is straight GPLv2+ so
> even those should go away. The one negative I've found is that, while
> PolarSSL is in Fedora 20 and EPEL, it doesn't seem to have made it into
> RHEL (including RHEL7) yet.
>
> So, before I expend a ton of effort replacing this code, does anyone
> else think it shouldn't be done and that the enhancements should be made
> to the current OpenSSL code instead?
> _______________________________________________
> Gluster-devel mailing list
> Gluster-devel@xxxxxxxxxxx
> http://supercolony.gluster.org/mailman/listinfo/gluster-devel