OpenSSL Forked By OpenBSD Into LibreSSL
Phoronix: OpenSSL Forked By OpenBSD Into LibreSSL
Following the fallout from the OpenSSL Heartbleed bug, OpenBSD developers have decided to fork the OpenSSL code-base to create LibreSSL...
Really!?!? Cowards!!! Instead of helping the project they fork it so they won't be harmed?? The nerve...
This seems rather like an overreaction, and somewhat of a vote of no confidence in the governance of OpenSSL which is a worrying precedent. I'm no expert, but from what I've read of the issue, it was a rather trivial mistake. I understand the far-reaching consequences of it, but it seems like it could have happened to anybody.
Having said that, it'd be nice if they could clean up the code. Also, it seems like the type of thing that the BSD camp would be good stewards for, being the security stalwarts that they are.
But I can't help but feel the better course of action would be to work with whomever currently controls OpenSSL to improve checks and balances rather than just fork it. It feels decidedly NIH-esque. It's not like OpenSSL is governed by Sun Microsystems.
1) They use CVS because they like it. I don't know why, but I doubt it really matters.
2) They are removing all OS support so that they can get it down to a lean, core library that they are happy with, after which they will accept patches to port it to new operating systems. OpenSSH started out as being for OpenBSD, and they accepted patches to make it portable, so this approach is in line with that, and seems pretty fair.
3) They are forking it as they don't believe the OpenSSL developers can be trusted to do a good job. Somebody made a page going through the changes they're making to the original OpenSSL code: http://opensslrampage.org/. It's well worth a read to see some of the stuff that was going on.
I'm really not liking this move. OpenSSL has just undergone a major blow, and so they just cut and run instead of sticking around to help fix it? Instead, they decide to just prune out a bunch of deprecated features and reduce platform support. I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects... or that eventually OpenBSD comes back into the fold.
Originally Posted by ba7a7chy
Didn't you read the article? The roadmap has a return to full platform portability as an end goal.
Originally Posted by Veerappan
The trouble is that whilst looking through they've found lots of other unpleasant stuff. I agree that standardising on an implementation has huge benefits, but if that's done at the cost of security/reliability of such a fundamental library (and a cryptographic one at that) then going back into the fold could actually be harmful.
Originally Posted by Veerappan
The reduction in platform support is so that they can get it right on their platform (which they know exceptionally well) before accepting patches to port it to other operating systems. In their exact words: "our primary focus is good software that we trust to run ourselves".
Take a look at http://opensslrampage.org/ to see more details of the kind of thing they were fixing.
Can the editors/author of Phoronix show this as most likely the most valiant fork & coding effort within the last ~10 years?
OpenSSL is basically UNFIXABLE; this is what must be done to FIX OPENSSL ITSELF, since OpenSSL is TOO BROKEN.
So this project (LibreSSL) will hopefully become the new library all projects will link into their code as the crypto & security code in place of OpenSSL, after they sort things out, lock crazy things down, get coding standards up, and can add PROPER multi-platform support, unlike the craziness it was before their http://opensslrampage.org/ started, which is almost a commit log of how the progress went and what had been done to get to the point they are at now.
They aren't trying to just fork & run like most of the buffoons above are saying, but they're doing their best to help save the internet as a whole by fixing such a crucial piece of infrastructure, which is now coming from the devs who created OpenSSH.