30-Day Status Update On The LibreSSL OpenSSL-Fork

  • 30-Day Status Update On The LibreSSL OpenSSL-Fork

    Phoronix: 30-Day Status Update On The LibreSSL OpenSSL-Fork

    Bob Beck of the OpenBSD project has provided a status update on the first 30 days of the LibreSSL project that's a fork of OpenSSL following the notorious heartbleed bug...

    http://www.phoronix.com/vr.php?view=MTY5MzA

  • #2
    Re

    One thing I don't like is that they intentionally removed the support for other platforms (you can see that even from the first commits)...
    And they call this half a million lines of diffs? Most of the diff is removed support for other platforms...


    • #3
      I hope they make a better job than debian did: http://web.archive.org/web/200911051...ebian-openssl/


      • #4
        Originally posted by mark_ View Post
        I hope they make a better job than debian did: http://web.archive.org/web/200911051...ebian-openssl/
        If OpenSSL's PRNG hadn't used areas of uninitialised memory as part of its seeding, Debian wouldn't have accidentally introduced that bug.

        If OpenSSL's PRNG didn't fall back to really bad entropy sources as a last resort, the bug wouldn't have been hidden for so long and would have been fixed sooner.

        LibreSSL gets rid of OpenSSL's PRNG entirely and uses something much simpler: the OS kernel's PRNG to seed, and arc4random to stretch the amount of output. That approach is fairly well understood and has already been used by OpenSSH, libevent, Bionic libc, etc.


        • #5
          Originally posted by Alliancemd View Post
          One thing I don't like is that they intentionally removed the support for other platforms (you can see that even from the first commits)...
          And they call this half a million lines of diffs? Most of the diff is removed support for other platforms...
          LibreSSL will be portable. They need a small codebase in order to fix the beast, and the OpenSSL portability approach was really wrong.


          • #6
            Originally posted by Alliancemd View Post
            One thing I don't like is that they intentionally removed the support for other platforms (you can see that even from the first commits)...
            And they call this half a million lines of diffs? Most of the diff is removed support for other platforms...
            I would rather they spent time better maintaining the core code and fixing the most commonly used platforms than expend effort on things like 16-bit Windows, DOS, etc.


            • #7
              hardware AES

              So, did LibreSSL make support for hardware AES acceleration nicer and easier?


              • #8
                Originally posted by Alliancemd View Post
                One thing I don't like is that they intentionally removed the support for other platforms (you can see that even from the first commits)...
                And they call this half a million lines of diffs? Most of the diff is removed support for other platforms...
                It was removed temporarily. They already have a plan in place for how to support other platforms, but their first goal is "Make it work on OpenBSD. Make it work right." THEN they are gonna worry about other platforms.


                • #9
                  Frankly, I think the Linux Foundation should pull the funding from OpenSSL and give it to these guys.


                  • #10
                    The Linux Foundation won't give money to a project that only runs on OpenBSD. Until they officially get the penguin support back, they might consider it if they compare how OpenSSL is doing to how LibreSSL is doing.


                    • #11
                      The FIPS Consultancy?


                      • #12
                        More crap talk from BSD trolls like Bob Beck

                        From what I can see, OpenSSL's security problems have been made to look worse than they are by the OpenBSD project, most likely to distract OpenBSD's dwindling number of users from the true danger, which is the horrible state of OpenBSD itself (the same way China brainwashes its people into hating Japan to distract them from their real enemy, China itself). If you compare code produced by *BSD to code by OpenSSL, you find that OpenSSL's code isn't really that bad compared to *BSD. The "horrible state" of OpenSSL is nothing but propaganda produced by a cluster fk of trolls who are desperate to save their own ass from the moral and monetary bankruptcy they created themselves.

                        The "perfect storm" happened for OpenSSL with developers being concerned about adding features and not fixing/maintaining, fixes not being merged upstream, bug rot for years, and horrible code.
                        This just shows the horrible attitude of the OpenBSD cluster fk: their bigoted behaviour towards new and useful features. As a result, their code base is old and obsolete.

                        There's also hypocrisy here, as OpenBSD devs are known to ignore bug reports (even security ones). They have on a number of occasions dismissed remote security holes as ordinary functionality bugs. Consider that when you have OpenBSD as a router.

                        LibreSSL is still after maintaining API/ABI compatibility with OpenSSL so it can be a drop-in replacement.
                        Yes, because OpenBSD devs are not skilled enough to work with and modify the API/ABI of OpenSSL. They shouldn't even be allowed to work on OpenSSL.

                        OpenBSD developers have found numerous faults with OpenSSL and the decisions made by its developers.
                        The same way that security researchers have found the entire OpenBSD design to be inherently flawed.

                        They have already fixed many bugs and have about a half-million line unidiff from OpenSSL 1.0.1g from where they forked.
                        One good piece of advice for the OpenBSD cluster fk would be to first fix the 30-year-old bugs in their OS left there by their idols at Berkeley, then go troll about other people's software. Also, deleting code is not hard. It's harder adding the right code, which OpenSSL devs have done better than OpenBSD.

                        New ciphers for Brainpool, ChaCha, poly1305, and ANSSI FRP256v1 have been added to LibreSSL.
                        They are already on OpenSSL.

                        LibreSSL accuses the OpenSSL Foundation as being a front for the FIPS consultancy.
                        Funny, because it's the OpenBSD project that is a puppet for the FBI and NSA with their wilful inclusion of security backdoors.

                        Long term goals of LibreSSL are a better API, reduced code-base, splitting libcrypto from libssl, and splitting non-cryptography tasks from libcrypto.
                        Great, it means LibreSSL will have less functionality and therefore be more useless than OpenSSL. OpenBSD should know that other projects have large code bases for a good reason (they need to do a lot of useful things, unlike your crappy OpenBSD, OpenNTPD, OpenSMTPD, OpenCRAP, etc.).

                        The Linux Foundation has not committed support to LibreSSL although they are now funding OpenSSL via their core infrastructure initiative.
                        Good, because the Linux Foundation is smart enough to know that it's more productive to support a proven project and to foster unity than to support a bunch of trolls creating a (most likely) useless rival and thus contributing to community fragmentation.

                        Oh, and by the way, I see that Bob Beck kept talking about how simpler code means more community. What an irony: OpenBSD has no community around it, it drives people off. Attitudes on the mailing list destroy community.


                        • #13
                          Originally posted by jake_lesser View Post
                          ...
                          [citation needed].


                          • #14
                            Originally posted by jake_lesser View Post
                            OpenSSL's security problems have been made to look worse than they are by the OpenBSD project
                            Yeah, who gives a shit if your users account information can be stolen. Fuck the users!


                            • #15
                              Come on people, join date "May 2014". Level: not even trying.
