|almost 2 years ago||2 days ago|
|MIT License||Apache License 2.0|
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
We haven't tracked posts mentioning cmac yet.
Tracking mentions began in Dec 2020.
2 projects | reddit.com/r/linuxmemes | 16 Mar 2023
I understand that it looks that way, especially since I just noticed you're a C++ developer who's been trying to learn it recently. But really, when on one hand you have a critical CVE caused by one wrong byte of C source code and on the other hand you have net zero memory-related CVEs in ~1.5 million lines of Rust code compared to 1 CVE per 1k SLOC in their C++ codebase, there's no denying that Rust simply does have the safety advantage for that kind of low-level development. Heck, as I always say, memory safety is not a new concept at all; garbage-collected languages have had it for several decades now. But garbage-collected languages weren't fit for projects like the Linux kernel or drivers (at least I assume that is the case), which is why such a thing is exciting and good news in the first place.
Instagram Is Disabling Its NFT Features
4 projects | news.ycombinator.com | 14 Mar 2023
Here's OpenSSL calling cryptography crypto since 1998: https://github.com/openssl/openssl/commits/master?after=9313...
And libgcrypt in 2000: https://github.com/gpg/libgcrypt/commit/bf2fc9201cfa96cd70ef...
Totally normal and not cringy at all.
The Dedicated Maintainers Behind Lesser-Known Open Source Projects
7 projects | reddit.com/r/opensource | 1 Mar 2023
However, there are many open source projects that are widely used but not well-known, including cURL, ImageMagick, MyCLI, Homebrew, Apache Log4j, and OpenSSL. This article will take a closer look at these unsung heroes of the open source world. I do not want to give them a business model or financial advice in this article. This largely depends on the author's personal experience and values. I just want to raise more awareness about these open source projects.
I’m a professional hacker
3 projects | reddit.com/r/ProgrammerHumor | 21 Feb 2023
OpenSSL Security Advisory [7th February 2023]
3 projects | news.ycombinator.com | 7 Feb 2023
sha256sum written in Python faster than GNU version in C?
3 projects | reddit.com/r/learnpython | 28 Jan 2023
It turns out that OpenSSL has an optimized assembly implementation of SHA256 for armv8. It looks like coreutils only has a C implementation.
Show HN: I store my critical secrets and document, and communicate privately
18 projects | news.ycombinator.com | 21 Dec 2022
GPG for sure, be very careful with "vim -x" as that's the only implementation of this (and I've found security issues in it before, it's frankly there for legacy compat).
Annoyingly this uses AES-GCM (which is good!) but OpenSSL's command line tool can't cope with it: https://github.com/openssl/openssl/issues/12220
It would be nice to have a command line tool to extract these files too, then you know the implementation is correct. (Blowing my own trumpet but my very old project paste.sh does this.)
5 projects | news.ycombinator.com | 2 Dec 2022
Horrible locking. 95% CPU spent in spinlocks. We're still doing measurements that we'll report with all data shortly. Anyway many of them were already collected by the project; there are so many that they created a meta-issue to link to them: https://github.com/openssl/openssl/issues/17627#issuecomment...
3.1-dev is slightly less worse but still far behind 1.1.1. They made it too dynamic, and certain symbols that were constants or macros have become functions running over lists under a lock. We noticed the worst degradation in client mode where the performance was divided by 200 for 48 threads, making it literally unusable.
“Purchasing an arm”
2 projects | reddit.com/r/Firearms | 27 Nov 2022
Why CVE-2022-3602 was not detected by fuzz testing
2 projects | news.ycombinator.com | 21 Nov 2022
It is trivial to enforce that new functions have new unit tests and fuzz tests. You are the reviewer of https://github.com/openssl/openssl/pull/9654 and you just say "Please add unit tests and fuzz tests for foo and bar" and you don't approve it.
I don't know what the deal is with their testing culture but in year 27 of the project they demonstrably haven't learned this lesson. It's nice that they added integration tests (testing given encoded certs) but as the article points out that was insufficient.
What are some alternatives?
GnuTLS - GnuTLS
Crypto++ - free C++ class library of cryptographic schemes
mbedTLS - An open source, portable, easy to use, readable and flexible TLS library, and reference implementation of the PSA Cryptography API.
libsodium - A modern, portable, easy to use crypto library.
LibreSSL - LibreSSL Portable itself. This includes the build scaffold and compatibility layer that builds portable LibreSSL from the OpenBSD source code. Pull requests or patches sent to [email protected] are welcome.
cfssl - CFSSL: Cloudflare's PKI and TLS toolkit
Botan - Cryptography Toolkit
LibTomCrypt - LibTomCrypt is a fairly comprehensive, modular and portable cryptographic toolkit that provides developers with a vast array of well known published block ciphers, one-way hash functions, chaining modes, pseudo-random number generators, public key cryptography and a plethora of other routines.
Bcrypt - Modern(-ish) password hashing for your software and your servers
easy-rsa - easy-rsa - Simple shell based CA utility
s2n - An implementation of the TLS/SSL protocols
GnuPG - Mirror of git://git.gnupg.org/gnupg.git — master branch contains no changes from upstream.