

Only a few days old, OpenSSL fork LibreSSL is declared “unsafe for Linux” - louthy
http://arstechnica.com/security/2014/07/only-a-few-days-old-openssl-fork-libressl-is-declared-unsafe-for-linux/

======
cratermoon
I looked at the code for the Linux compatibility in generating entropy and it
very clearly states that the fallback is insecure. The
FAIL_INSTEAD_OF_TRYING_FALLBACK #ifdef seems to be the recommended way by the
OpenBSD team -- only using the fallback entropy generator is problematic, and
that's already true.

As the article states, the LibreSSL team is very adamant that the OS is
responsible for providing secure and usable sources of entropy.

On the flip side, the LibreSSL team _did_ release a patch to address the
specific issue raised. It doesn't fix the problem that Linux doesn't provide
the kind of entropy source the LibreSSL team says should be on the OS.
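
An added illustration of the fail-instead-of-fallback policy discussed in the comment above; it is not part of the comment and not LibreSSL's code. The function name `fill_entropy` and its device-path parameter are assumptions made for the example.

```c
/* Added illustration, not LibreSSL source: fail closed when the kernel
 * RNG device is unusable, instead of falling back to weak sources. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Fill buf with len bytes read from the RNG device at `dev` (hypothetical
 * helper). Returns 0 on success, -1 on any failure. There is deliberately
 * no fallback to time, PID or address-based "entropy". */
int fill_entropy(const char *dev, unsigned char *buf, size_t len)
{
    struct stat st;
    size_t got = 0;
    int fd = open(dev, O_RDONLY);

    if (fd == -1)
        return -1;              /* e.g. chroot without /dev, or fd exhaustion */
    if (fstat(fd, &st) == -1 || !S_ISCHR(st.st_mode)) {
        close(fd);              /* a file or directory at the path is not an RNG */
        return -1;
    }
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n == -1 && errno == EINTR)
            continue;           /* interrupted by a signal: retry */
        if (n <= 0) {           /* read error or EOF: treat as failure */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

int main(void)
{
    unsigned char key[32];

    if (fill_entropy("/dev/urandom", key, sizeof key) != 0) {
        fputs("no kernel entropy source; refusing to continue\n", stderr);
        abort();                /* fail closed rather than use a weak fallback */
    }
    puts("got 32 bytes from the kernel RNG");
    return 0;
}
```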

