Announcement

Collapse
No announcement yet.

Google Is Maintaining A "BoringSSL" Fork Of OpenSSL

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Google Is Maintaining A "BoringSSL" Fork Of OpenSSL

    Phoronix: Google Is Maintaining A "BoringSSL" Fork Of OpenSSL

    A Google engineer has went public on Google's fork of OpenSSL that is tentatively dubbed BoringSSL...

    http://www.phoronix.com/vr.php?view=MTcyNjM

  • #2
    What's wrong with LibreSSL? Do we really need another Wayland/Mir scenario?

    I sincerely hope that "BoringSSL" only becomes a Google-specific library that is used on Google's servers and mobile phones and nowhere else. I was hoping LibreSSL would be enough but no! We need more forks, one fork for every multi-million dollar company. That is to ensure the fragmentation of the open soruce community!

    Comment


    • #3
      LibreSSL was also unnecessary.

      Comment


      • #4
        libressl is a long time from being ready and will be bsd-only until it is ported. Also libressl is api compatible with openssl, boringssl doesn't maintain compatibility.

        Comment


        • #5
          Originally posted by board View Post
          What's wrong with LibreSSL? Do we really need another Wayland/Mir scenario?
          Read his blog. He stated that they have been rebasing OpenSSL with their 70+ patches for a long time (before LibreSSL). They reached a point where such scenario is feasible no more for them and decided to fork and share their things with you.
          They don't force you to use it, but they can't use OpenSSL with their projects.

          Comment


          • #6
            Why does everybody forget about NSS...

            Comment


            • #7
              Originally posted by magika View Post
              They don't force you to use it, but they can't use OpenSSL with their projects.
              And since Google has alot users linked to their web services it pretty much means they're forcing other projects to use it as well and then at some point they will use only google tech.

              Comment


              • #8
                Originally posted by Filiprino View Post
                LibreSSL was also unnecessary.
                Not true, but keep dreaming.

                Comment


                • #9
                  Originally posted by vadix View Post
                  Why does everybody forget about NSS...
                  Besides the fact it has a completely different API and so little software has support for it? The license too.

                  Comment


                  • #10
                    Originally posted by hajj_3 View Post
                    libressl is a long time from being ready and will be bsd-only until it is ported. Also libressl is api compatible with openssl, boringssl doesn't maintain compatibility.
                    The word "ready" does not seem to mean what you think it does. It is being used now. The base code is intentionally OpenBSD-only to keep it very lean and clean. The last part doesn't make sense with regard to the question being answered. BoringSSL would be an issue if it was used elsewhere.

                    Comment


                    • #11
                      Originally posted by sunweb View Post
                      And since Google has alot users linked to their web services it pretty much means they're forcing other projects to use it as well and then at some point they will use only google tech.
                      They can't force other projects to use BoringSSL. It's an implementation of a standardized protocol.

                      Comment


                      • #12
                        Originally posted by sunweb View Post
                        And since Google has alot users linked to their web services it pretty much means they're forcing other projects to use it as well and then at some point they will use only google tech.
                        What?! Google's web service are accessed with standard HTTPS interface. Their server happens to run BoringSSL to handle SSL/TLS, whereas you could be accessing their services using a client running openSSL, LibreSSL, or even completely different implementations like GnuTLS or Mozilla NSS. As long as it speaks SSL/TLS any library is valid and nobody is forcing anything on no-one.

                        Originally posted by brad0 View Post
                        The word "ready" does not seem to mean what you think it does. It is being used now. The base code is intentionally OpenBSD-only to keep it very lean and clean.
                        And beside, they try to be as POSIX-compatible as possible (whereas original openSSL tended to reinvent and reimplement their own wheel. several time over).
                        As Theo mentions, as long as you re-implement a few basic security functions, correctly, LibreSSL port is done.
                        Granted, this is not-trivial (these are special secure version of functionnality. Great care must be taken to insure that they work without leaking info). But good developpers with security knowledge should be able to do it.

                        ------

                        Over-all, specially given the announcement on both sides (from LibreSSL and BoringSSL) we might see very fruitful collaboration between the too.
                        So this is not heading the same direction as Wayland vs. Mir. In fact, in the long run, it might end up converging like the various LLVM arm 64bits back-end (AArch64 and Apple's converging together).

                        At least, this sound as a possible source of corporate push and ressource (the things that Libressl was aking for, and for some reasons The Linux Foundation didn't consider when speaking about adding ressources to openSSL's development).

                        Comment

                        Working...
                        X