Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

There are lots of alternatives for SSL libraries, and there are also indeed increasing alternatives to Linux. But in reality, Linux tends to get patches for compliance purposes, or forks for meeting various obligations.


These smaller projects are probably even less likely to be compliant.

If anything, it will create a situation where e.g. OpenSSL is audited and compliant, but other newer solutions aren't so you can't use them. If "has been audited and approved" would be a good assurance the project is of good quality then that might be okay, but overall I find it's a rather weak signal.


Smaller projects? There are tons of very mature TLS libraries.


"Smaller" does not imply "not mature", or "not used". It just means ... "smaller".

For example Go has a boringssl build because boringssl is FIPS certified whereas the default Go crypto stuff isn't, and this matters for some people.


I'm not sure I understand what smaller is supposed to mean here. Do you mean less used? Or less code?


Usually a combination of less usage and general interest, fewer developers and development time, less or no funding, etc.

Details depend on the project, of course. The lesser used WolfSSL is also FIPS verified; it's clearly not impossible to do these things, it just puts additional pressure on what are often already constrained resources. I mean, the amount of general resources Linux has available compared to, say, OpenBSD is just huge.


I'm not sure that this is really proven out to be a generally true concept. Boringssl is a good example of a very well funded project. There are FIPS modes in the Linux kernel for various things like RNG.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: