OpenSSL Forked By OpenBSD Into LibreSSL

  • OpenSSL Forked By OpenBSD Into LibreSSL

    Phoronix: OpenSSL Forked By OpenBSD Into LibreSSL

    Following the fallout from the OpenSSL Heartbleed bug, OpenBSD developers have decided to fork the OpenSSL code-base to create LibreSSL...

    http://www.phoronix.com/vr.php?view=MTY3MDA

  • #2
    Why CVS!?

    • #3
      They removed Windows support.
      http://www.zdnet.com/openbsd-forks-p...sl-7000028613/

      • #4
        Cowards!

        Really!?!? Cowards!!! Instead of helping the project they fork it so they won't be harmed?? The nerve...

        • #5
          This seems rather like an overreaction, and somewhat of a vote of no confidence in the governance of OpenSSL which is a worrying precedent. I'm no expert, but from what I've read of the issue, it was a rather trivial mistake. I understand the far-reaching consequences of it, but it seems like it could have happened to anybody.

          Having said that, it'd be nice if they could clean up the code. Also, it seems like the type of thing that the BSD camp would be good stewards for, being the security stalwarts that they are.

          But I can't help but feel the better course of action would be to work with whomever currently controls OpenSSL to improve checks and balances rather than just fork it. It feels decidedly NIH-esque. It's not like OpenSSL is governed by Sun Microsystems.

          • #6
            1) They use CVS because they like it. I don't know why, but I doubt it really matters.

            2) They are removing all OS support so that they can get it down to a lean, core library that they are happy with, after which they will accept patches to port it to new operating systems. OpenSSH started out as being for OpenBSD, and they accepted patches to make it portable, so this approach is in line with that, and seems pretty fair.

            3) They are forking it as they don't believe the OpenSSL developers can be trusted to do a good job. Somebody made a page going through the changes they're making to the original OpenSSL code: http://opensslrampage.org/. It's well worth a read to see some of the stuff that was going on.

            • #7
              Originally posted by ba7a7chy:
              Really!?!? Cowards!!! Instead of helping the project they fork it so they won't be harmed?? The nerve...
              I'm really not liking this move. OpenSSL has just undergone a major blow, and so they just cut and run instead of sticking around to help fix it? Instead, they decide to just prune out a bunch of deprecated features and reduce platform support. I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects... or that eventually OpenBSD comes back into the fold.

              • #8
                Originally posted by Veerappan:
                I'm really not liking this move. OpenSSL has just undergone a major blow, and so they just cut and run instead of sticking around to help fix it? Instead, they decide to just prune out a bunch of deprecated features and reduce platform support. I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects... or that eventually OpenBSD comes back into the fold.
                Didn't you read the article? The roadmap has a return to full platform portability as an end goal.

                • #9
                  Originally posted by Veerappan:
                  I'm really not liking this move. OpenSSL has just undergone a major blow, and so they just cut and run instead of sticking around to help fix it? Instead, they decide to just prune out a bunch of deprecated features and reduce platform support. I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects... or that eventually OpenBSD comes back into the fold.
                  The trouble is that whilst looking through they've found lots of other unpleasant stuff. I agree that standardising on an implementation has huge benefits, but if that's done at the cost of security/reliability of such a fundamental library (and a cryptographic one at that) then going back into the fold could actually be harmful.

                  The reduction in platform support is so that they can get it right on their platform (that they know exceptionally well) before accepting patches to port it to other operating systems, their exact words: "our primary focus is good software that we trust to run ourselves".

                  Take a look at http://opensslrampage.org/ to see more details of the kind of thing they were fixing.

                  • #10
                    Can the editors/author of Phoronix show this as most likely the most valiant fork & coding effort within the last ~10 years?

                    OpenSSL is basically UNFIXABLE, this is what must be done to FIX OPENSSL ITSELF; since openssl is TOO BROKEN.

                    SO this project (LibreSSL) will hopefully become the new library all projects will link into their code as the crypto & security code in place of OpenSSL after they sort things out, lock crazy things down and get coding standards up, and can add PROPER multi-platform support unlike the craziness it was before their http://opensslrampage.org/ started which is almost a commit log of how the progress was and what had been done to get to the point they are now.

                    They aren't trying to just fork & run like most of the buffoons above are saying, but they're doing their best to help save the internet as a whole by fixing such a crucial piece of infrastructure that is now coming from the devs who created OpenSSH.

                    • #11
                      Originally posted by ba7a7chy:
                      Really!?!? Cowards!!! Instead of helping the project they fork it so they won't be harmed?? The nerve...
                      Yeah, how could they? Instead of helping the clueless to release another broken version of OpenSSL and thus feed more confidential data to script kiddies like you they opted for a fork they can actually supervise and audit. Unspeakable.

                      • #12
                        Originally posted by kaprikawn:
                        This seems rather like an overreaction, and somewhat of a vote of no confidence in the governance of OpenSSL which is a worrying precedent. I'm no expert, but from what I've read of the issue, it was a rather trivial mistake. I understand the far-reaching consequences of it, but it seems like it could have happened to anybody.
                        Pardon me for saying: But shouldn't there be a well established group of baseline/regression tests that should be run against any code change? Because this is a REALLY stupid bug that should have been found within minutes of it being introduced.

                        If you're telling me you can make changes without running any established test procedures, then you have bigger problems to worry about.

                        • #13
                          Originally posted by gamerk2:
                          Pardon me for saying: But shouldn't there be a well established group of baseline/regression tests that should be run against any code change? Because this is a REALLY stupid bug that should have been found within minutes of it being introduced.

                          If you're telling me you can make changes without running any established test procedures, then you have bigger problems to worry about.
                          The bigger issue at hand is OpenSSL replacing system calls (such as malloc) with their own custom versions for one reason or another. No idea if that is something the OpenSSL developers were open to finally fixing... but if they had said "No, we're keeping our custom syscalls," then yeah, I would expect an immediate fork.

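Posts #12 and #13 argue the same defensive point from two sides: a length field taken from the peer must be bounded by what was actually received, and a regression test for that case would catch the missing check immediately, regardless of which allocator sits underneath. The following is an added illustration written for this thread, not code from OpenSSL, LibreSSL or any poster; the record format, the function names and the sample records are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed example record format (an assumption, not any real protocol):
 * [type:1][payload_len:2 big-endian][payload...]; the server echoes it back.
 * The check that matters: the claimed payload_len is bounded by the bytes
 * actually received, so correctness never depends on allocator hardening. */
#define MAX_RECORD 1024

/* Echo one record into out. Returns bytes written, or -1 if malformed. */
int echo_record(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < 3)
        return -1;                                /* header incomplete */
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    /* Without this line, memcpy below would copy `claimed` bytes from a
     * record that only holds rec_len - 3, reading past it into the heap. */
    if ((size_t)claimed > rec_len - 3)
        return -1;
    if ((size_t)claimed + 3 > out_cap)
        return -1;                                /* output too small */
    memcpy(out, rec, 3);
    memcpy(out + 3, rec + 3, claimed);
    return (int)(claimed + 3);
}

/* Regression test of the kind post #12 asks for. Returns 1 on pass, 0 on fail. */
int regression_echo(void)
{
    uint8_t out[MAX_RECORD];
    const uint8_t good[]  = {0x01, 0x00, 0x04, 'p', 'i', 'n', 'g'}; /* claims 4, has 4 */
    const uint8_t bad[]   = {0x01, 0xFF, 0xFF, 'p', 'i', 'n', 'g'}; /* claims 65535 */
    const uint8_t trunc[] = {0x01, 0x00};                           /* no length */
    if (echo_record(good, sizeof good, out, sizeof out) != 7) return 0;
    if (memcmp(out, good, 7) != 0) return 0;
    if (echo_record(bad, sizeof bad, out, sizeof out) != -1) return 0;
    if (echo_record(trunc, sizeof trunc, out, sizeof out) != -1) return 0;
    return 1;
}

int main(void)
{
    int ok = regression_echo();
    printf("bounds-check regression: %s\n", ok ? "passed" : "FAILED");
    return ok ? 0 : 1;
}
```

Run as a unit test on every change: if someone later removes the bounds check, the `bad` case fails the build rather than shipping.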
                          • #14
                            Ugh. More reason to prefer GnuTLS until all this is over.

                            Originally posted by Veerappan:
                            I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects...
                            Well, OpenSSL licensing is crazy: it's under Apache 1.0 and the 4-clause BSD license, which requires the words "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit" to be present in any redistributions. This was the reason why GnuTLS was created in the first place. Since OpenBSD is not affiliated with OpenSSL, I doubt they would keep the license.

                            • #15
                              Originally posted by HeavensRevenge:
                              Can the editors/author of Phoronix show this as most likely the most valiant fork & coding effort within the last ~10 years?

                              OpenSSL is basically UNFIXABLE, this is what must be done to FIX OPENSSL ITSELF; since openssl is TOO BROKEN.

                              SO this project (LibreSSL) will hopefully become the new library all projects will link into their code as the crypto & security code in place of OpenSSL after they sort things out, lock crazy things down and get coding standards up, and can add PROPER multi-platform support unlike the craziness it was before their http://opensslrampage.org/ started which is almost a commit log of how the progress was and what had been done to get to the point they are now.

                              They aren't trying to just fork & run like most of the buffoons above are saying, but they're doing their best to help save the internet as a whole by fixing such a crucial piece of infrastructure that is now coming from the devs who created OpenSSH.
                              Since you have such a strong opinion on this matter, please describe in detail WHY it is unfixable. What is actually wrong? Examples? Show the code and evidence please? We're all very interested in how you've formulated this opinion.
