1. 4
    1. 13

      If there is something concrete to learn from an issue, I think it can make a good lobsters post. But tire fire of the week bugs do not. There’s entirely too much noise with too little signal. I don’t want to read the whole thing just to decide that some people are right and some people are wrong.

      1. 4

        I learned that I have another excuse not to use node.js for anything. ;P

      2. 2

        Node is the wrong layer to change this. The Node developers are not security experts (nor should they be), which is why they use a library to take care of it. Additionally, almost everything Node does goes through an abstraction layer (e.g. libuv); OpenSSL is the abstraction layer in this case.

        It would be much better to petition OpenSSL to switch. If the OpenSSL developers are incompetent, then petition Node to switch to a different library (I use LibreSSL personally, but I would still hesitate before switching a huge project like Node to it, for now). Or, get individual Node applications to switch, in cases where it makes sense and the authors can understand the need.

        Cynically, I feel like a lot (not all) of the push for this is just people repeating things they’ve read.
