New comment by bugcrazy on void-packages repository

https://github.com/void-linux/void-packages/issues/20935#issuecomment-671769721

Comment:

> > This link shows that LibreSSL has more development than https://cpp.libhunt.com/compare-openssl-vs-libressl
>
> Untrue, look at commit histories.
>
> > In this **old** link, it compares OpenSSL vs LibreSSL, showing how security is applied in LibreSSL code.
> >
> > https://resources.infosecinstitute.com/libressl-the-secure-openssl-alternative/
> >
> > OpenSSL has a design problem, it is susceptible to serious flaws
>
> (emphasis mine); yes, it is old, and that's the problem. OpenSSL's codebase quality and security auditing have increased greatly in the last 5 years. I would have agreed with you some time ago. Nowadays, LibreSSL gets much less auditing, has much fewer developers working on LibreSSL-portable, and has far less architecture support.
>
> > quantity of developers in OpenSSL does not mean quality in the code
>
> I agree, but it does mean that something has to lose attention. Often, this is performance, or architecture support, and even build support/code quality (especially in libressl-portable), as @q66 can attest to.
>
> > OpenSSL has a lot of legacy OS discontinued
>
> Care to elaborate?

LibreSSL has an independent audit, which can be seen on this link, with a report by a member of Void Linux.

https://blog.doyensec.com/2020/04/08/libressl-fuzzer.html

This academic thesis "Analysis of software vulnerabilities through historical data" shows comparative graphs of CVEs.

http://lup.lub.lu.se/student-papers/record/8923711/file/8923713.pdf

OpenSSL has a bad design, which favors serious vulnerabilities. This has not been fixed, as it is part of the structural code of OpenSSL; over the years, it has maintained serious vulnerabilities that affect linking software.

https://news.ycombinator.com/item?id=22935221

https://github.com/openssl/openssl/issues/4729

https://github.com/openssl/openssl/issues/4733

https://hownot2code.com/2016/06/03/evaluate-the-string-literal-length-automatically/#more-172

https://www.viva64.com/en/b/0183/

In these links you can compare the number of CVEs between OpenSSL and LibreSSL.

https://www.cvedetails.com/vulnerability-list/vendor_id-217/Openssl.html

https://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-30688/Openbsd-Libressl.html