If there is something concrete to learn from an issue, I think it can make a good lobsters post. But tire fire of the week bugs do not. There’s entirely too much noise with too little signal. I don’t want to read the whole thing just to decide that some people are right and some people are wrong.
I learned that I have another excuse not to use node.js for anything. ;P
Node is the wrong layer to change this. The Node developers are not security experts (nor should they be), which is why they use a library to take care of it. Additionally, almost everything Node does goes through an abstraction layer (e.g. libuv); OpenSSL is the abstraction layer in this case.
It would be much better to petition OpenSSL to switch. If the OpenSSL developers are incompetent, then petition Node to switch to a different library (I use LibreSSL personally, but I would still hesitate before switching a huge project like Node to it, for now). Or, get individual Node applications to switch, in cases where it makes sense and the authors can understand the need.
Cynically, I feel like a lot (not all) of the push for this is just people repeating things they’ve read.