1. 4

  2. 13

    If there is something concrete to learn from an issue, I think it can make a good lobsters post. But tire fire of the week bugs do not. There’s entirely too much noise with too little signal. I don’t want to read the whole thing just to decide that some people are right and some people are wrong.

    1. 4

      I learned that I have another excuse not to use node.js for anything. ;P

    2. 2

      Node is the wrong layer to change this. The Node developers are not security experts (nor should they be), which is why they use a library to take care of it. Additionally, almost everything Node does goes through an abstraction layer (e.g. libuv); OpenSSL is the abstraction layer in this case.

      It would be much better to petition OpenSSL to switch. If the OpenSSL developers are incompetent, then petition Node to switch to a different library (I use LibreSSL personally, but I would still hesitate before switching a huge project like Node to it, for now). Or, get individual Node applications to switch, in cases where it makes sense and the authors can understand the need.

      Cynically, I feel like a lot (not all) of the push for this is just people repeating things they’ve read.