OpenSSL Forked By OpenBSD Into LibreSSL


  • #31
    Originally posted by ua=42
    Summary of LibreSSL:
    * Pare down the code to just the essential bits.
    ** Get rid of reimplementations of standard calls like malloc, printf, etc., and instead use the system's versions.
    * Use safer, more secure functions. Ex: they are replacing malloc with calloc. Calloc on most systems checks to see if memory is out of bounds automatically.
    * Document and make the code easy to read and understand.
    Then:
    * Audit the code.
    * Port the code in a sane manner to other systems.
    All that is good and stuff, but:
    - how has the code survived in such a manner for all that time? If someone complained, did they actually write patches to the code to fix that?
    - if they are going to use the essential parts of the OpenSSL code, why not work with the OpenSSL people and start a new branch within the project, like OpenSSL 1.1, which could be changed into 1.2 when the code stabilizes?

    On a side note, IMHO the bashing of OpenSSL I saw in this very thread and elsewhere just undermines the open source community as a whole, hence obviously it shows that peer review of the code can actually be done by only a handful of people, who obviously do not have time to be involved not only with all the projects out there but with the essential ones as well.



    • #32
      I find it also a great idea of the OpenBSD folks, hope they will never introduce support for proprietary shit like winshit. I salute the OpenBSD folks on this one. There's a reason why people use the secure OpenSSH, so hope this one will be a good one too.
      Don't like the name either, OpenOpenSSL or something indeed.



      • #33
        Originally posted by OneTimeShot
        It's not like OpenBSD has never, ever, ever, had a bug or security problem (and Heartbleed is "just" information leakage - we're not even talking a remote root exploit here).
        You're of course right that an easy peasy remote root exploit is probably the worst sort of thing overall, but in the context of this particular situation, with OpenSSL, it's of dire severity because the main purpose of the software is to protect information. It causes people to defecate uncontrollably in their spandex. :-)



        • #34
          Originally posted by ryszardzonk
          All that is good and stuff, but:
          - how has the code survived in such a manner for all that time? If someone complained, did they actually write patches to the code to fix that?
          - if they are going to use the essential parts of the OpenSSL code, why not work with the OpenSSL people and start a new branch within the project, like OpenSSL 1.1, which could be changed into 1.2 when the code stabilizes?

          On a side note, IMHO the bashing of OpenSSL I saw in this very thread and elsewhere just undermines the open source community as a whole, hence obviously it shows that peer review of the code can actually be done by only a handful of people, who obviously do not have time to be involved not only with all the projects out there but with the essential ones as well.
          Indeed, only a handful of people in the entire world can code review cryptographic software like OpenSSL. It is very likely easy to hide theoretical (theory in the mathematics-sense) backdoors in open source since the cryptography community is super secretive (only privileged people have access to academic literature on the subject!).



          • #35
            Originally posted by kaprikawn
            I don't know about the testing procedure of OpenSSL, so I can't comment, would testing have picked up this bug?


            Not that complicated to see what went wrong here. Not that hard to test for either. I see this as a failure to maintain proper testing procedure following a code change.



            • #36
              Too bad Rust isn't stable yet because that would be an ideal choice for a rewrite using best practices.
              This library is too important to be unverified.



              • #37
                Originally posted by ryszardzonk
                ...
                - if they are going to use the essential parts of the OpenSSL code, why not work with the OpenSSL people and start a new branch within the project, like OpenSSL 1.1, which could be changed into 1.2 when the code stabilizes?
                ...
                Well, the OpenBSD devs have criticized not just the code but the development model of OpenSSL. From a perspective like that, it does not make sense to fix the code without addressing the development model that resulted in the code being that way in the first place. Hence, the fork.



                • #38
                  "NSA operation ORCHESTRA: Annual Status Report"
                  Poul-Henning Kamp (FreeBSD developer) @ FOSDEM '14, February 2, 2014. License: CC BY


                  Suggested readings (including the articles linked previously in this thread and the links in them)


                  If I read this correctly, the OpenSSL guys are screaming for a better organization, and for money:


                  I'm far from an expert, but I think OpenBSD guys (they know their stuff, and they are dedicated to security) forking OpenSSL is good.



                  • #39
                    Originally posted by prodigy_
                    Yeah, how could they? Instead of helping the clueless to release another broken version of OpenSSL and thus feed more confidential data to script kiddies like you they opted for a fork they can actually supervise and audit. Unspeakable.
                    So why didn't they chip in and help before this happened?

                    If you read Theo's announcement, it feels more like he is trying to use it to gather donations. The reality is, the OpenSSL project wasn't exactly swimming in donations, or assistance before, and if they had the developer resources before, I'm sure they would have had time to clean out the code.

                    As a developer, this actually irks me a bit, because OpenBSD has seized the project, asked for donations, and basically intentionally tried to make the original developers look like fools (which they aren't, they simply didn't have the resources to do EVERYTHING). Keeping that in mind, it's a clear message from Theo that if you develop an Open Source project which becomes popular, there will always be people who will destroy your reputation to gain control of it if anything goes wrong. It's a strong message to developers of the dangers of donating your time to the open source community for free.

                    Sorry, but they shouldn't fork this project. They should assist the developers. This was a real A-hole move. If the code really was unfixable, they wouldn't have been able to strip the code to clean it up (and it's not like they only have 1 person stripping the code either, they are dedicating a team to the project at the moment).



                    • #40
                      Originally posted by opensource
                      I find it also a great idea of the OpenBSD folks, hope they will never introduce support for proprietary shit like winshit. I salute the OpenBSD folks on this one. There's a reason why people use the secure OpenSSH, so hope this one will be a good one too.
                      Don't like the name either, OpenOpenSSL or something indeed.
                      The licence states that forks cannot be named with the word "OpenSSL" included. But OpenTLS or BSDSSL/BSDTLS would've worked. I don't care too much though. I don't see what's the issue with GnuTLS either. OpenBSD doesn't consider copyleft software free software, I think.
