Re: How about LibreSSL?
Reply #3 –
To make Otter attractive to security-concerned folks, I think, a lean and well-documented cryptography library should be used. OpenSSL was apparently an early implementation that got patched again and again until it became unmaintainable, underdocumented and hard to use correctly. I would suggest to look at <a href="https://polarssl.org/">PolarSSL[/url]. It seems to care about documentation, which is essential for developers, lest such a critical component is used the wrong way. Unlike LibreSSL, it is already a solid library, that was <a href="https://polarssl.org/tech-updates/blog/providing-assurance-and-trust-in-polarssl">not affected[/url] by Heartbleed back then and receives constant maintenance. The project recently became <a href="https://polarssl.org/tech-updates/blog/polarssl-part-of-arm">part of ARM[/url].
I think, using a properly documented crypto library is crucial to feel confident about Otter. I would even go as far as mandating special developer's documentation for that part of Otter. That would allow more eyes to look at it in an informed way. Not sure what Qt requires cryto-wise, though. But this is definitely an area were the code should be written so clear, that its obvious correctness can be seen. A lot of software seems to do it wrong by presenting itself as so complicated, that the eye merely cannot find any obvious incorrectness. This should be avoided.