
Thread: OpenSSL Forked By OpenBSD Into LibreSSL

  1. #1
    Join Date
    Jan 2007
    Posts
    15,636

    OpenSSL Forked By OpenBSD Into LibreSSL

    Phoronix: OpenSSL Forked By OpenBSD Into LibreSSL

    Following the fallout from the OpenSSL Heartbleed bug, OpenBSD developers have decided to fork the OpenSSL code-base to create LibreSSL...

    http://www.phoronix.com/vr.php?view=MTY3MDA

  2. #2
    Join Date
    Feb 2013
    Posts
    89

    Why CVS!?

  3. #3
    Join Date
    May 2013
    Posts
    56

  4. #4
    Join Date
    Feb 2013
    Posts
    8

    Cowards !

    Really !?!? cowards !!! instead of helping the project they fork it so they won't be harmed ?? the nerve ...

  5. #5
    Join Date
    Jul 2010
    Posts
    449

    1) They use CVS because they like it. I don't know why, but I doubt it really matters.

    2) They are removing all OS support so that they can get it down to a lean, core library that they are happy with, after which they will accept patches to port it to new operating systems. OpenSSH started out as being for OpenBSD, and they accepted patches to make it portable, so this approach is in line with that, and seems pretty fair.

    3) They are forking it as they don't believe the OpenSSL developers can be trusted to do a good job. Somebody made a page going through the changes they're making to the original OpenSSL code: http://opensslrampage.org/. It's well worth a read to see some of the stuff that was going on.

  6. #6
    Join Date
    Nov 2008
    Location
    Madison, WI, USA
    Posts
    884

    Quote Originally Posted by ba7a7chy
    Really !?!? cowards !!! instead of helping the project they fork it so they won't be harmed ?? the nerve ...
    I'm really not liking this move. OpenSSL has just undergone a major blow, and so they just cut and run instead of sticking around to help fix it? Instead, they decide to just prune out a bunch of deprecated features and reduce platform support. I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects... or that eventually OpenBSD comes back into the fold.

  7. #7
    Join Date
    Jun 2011
    Location
    Scotland
    Posts
    117

    Quote Originally Posted by Veerappan
    I'm really not liking this move. OpenSSL has just undergone a major blow, and so they just cut and run instead of sticking around to help fix it? Instead, they decide to just prune out a bunch of deprecated features and reduce platform support. I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects... or that eventually OpenBSD comes back into the fold.
    Didn't you read the article? The roadmap has a return to full platform portability as an end goal.

  8. #8
    Join Date
    Jul 2010
    Posts
    449

    Quote Originally Posted by Veerappan
    I'm really not liking this move. OpenSSL has just undergone a major blow, and so they just cut and run instead of sticking around to help fix it? Instead, they decide to just prune out a bunch of deprecated features and reduce platform support. I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects... or that eventually OpenBSD comes back into the fold.
    The trouble is that whilst looking through they've found lots of other unpleasant stuff. I agree that standardising on an implementation has huge benefits, but if that's done at the cost of security/reliability of such a fundamental library (and a cryptographic one at that) then going back into the fold could actually be harmful.

    The reduction in platform support is so that they can get it right on their platform (that they know exceptionally well) before accepting patches to port it to other operating systems. Their exact words: "our primary focus is good software that we trust to run ourselves".

    Take a look at http://opensslrampage.org/ to see more details of the kind of thing they were fixing.

  9. #9
    Join Date
    Sep 2008
    Location
    Vilnius, Lithuania
    Posts
    2,665

    Ugh. More reason to prefer GnuTLS until all this is over.

    Quote Originally Posted by Veerappan
    I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects...
    Well, OpenSSL licensing is crazy: it's under Apache 1.0 and the 4-clause BSD license, which requires the words "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit" to be present in any redistributions. This was the reason why GnuTLS was created in the first place. Since OpenBSD is not affiliated with OpenSSL, I doubt they would keep the license.

  10. #10
    Join Date
    Mar 2013
    Posts
    291

    Quote Originally Posted by ba7a7chy
    Really !?!? cowards !!! instead of helping the project they fork it so they won't be harmed ?? the nerve ...
    Yeah, how could they? Instead of helping the clueless to release another broken version of OpenSSL and thus feed more confidential data to script kiddies like you, they opted for a fork they can actually supervise and audit. Unspeakable.
