OpenSSL Forked By OpenBSD Into LibreSSL

  • #11
    Originally posted by ba7a7chy:
    Really !?!? cowards !!! instead of helping the project they fork it so they won't be harmed ?? the nerve ...
    Yeah, how could they? Instead of helping the clueless to release another broken version of OpenSSL and thus feed more confidential data to script kiddies like you, they opted for a fork they can actually supervise and audit. Unspeakable.

  • #12
    Originally posted by kaprikawn:
    This seems rather like an overreaction, and somewhat of a vote of no confidence in the governance of OpenSSL which is a worrying precedent. I'm no expert, but from what I've read of the issue, it was a rather trivial mistake. I understand the far-reaching consequences of it, but it seems like it could have happened to anybody.
    Pardon me for saying: But shouldn't there be a well-established group of baseline/regression tests that should be run against any code change? Because this is a REALLY stupid bug that should have been found within minutes of it being introduced.

    If you're telling me you can make changes without running any established test procedures, then you have bigger problems to worry about.

  • #13
    Originally posted by gamerk2:
    Pardon me for saying: But shouldn't there be a well-established group of baseline/regression tests that should be run against any code change? Because this is a REALLY stupid bug that should have been found within minutes of it being introduced.

    If you're telling me you can make changes without running any established test procedures, then you have bigger problems to worry about.
    The bigger issue at hand is OpenSSL replacing system calls (such as malloc) with their own custom versions for one reason or another. No idea if that is something the OpenSSL developers were open to finally fixing... but if they had said "No, we're keeping our custom syscalls." then yeah, I would expect an immediate fork.
    All opinions are my own, not those of my employer, if you know who they are.
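
The point raised in #13, that putting a private allocator in front of malloc keeps memory out of sight of the system allocator and its tooling, can be shown with a small constructed program. This is added example code, not OpenSSL's or LibreSSL's code: the one-slot caching allocator, BLOCK_SIZE, and the sample "session key" string are all assumptions made for illustration, and the post does not say how OpenSSL's wrapper actually behaves. It shows that a block recycled from a cache still carries the previous caller's bytes unless the allocator scrubs it on free; when blocks go straight back to the system allocator, a hardened malloc or AddressSanitizer sees every free and can poison or quarantine that memory, which a private cache prevents.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed example of a caching allocator sitting in front of malloc:
 * blocks of BLOCK_SIZE bytes are parked in a one-slot freelist on free and
 * handed back, contents untouched, to the next caller asking for that size.
 * This is an assumption for illustration, not OpenSSL's actual wrapper. */
#define BLOCK_SIZE 64
static void *cached_block = NULL;

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * stores as dead writes (the same idea as explicit_bzero). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--) *v++ = 0;
}

static void *cache_malloc(size_t n) {
    if (n == BLOCK_SIZE && cached_block != NULL) {
        void *p = cached_block;      /* reuse: the old bytes are still in here */
        cached_block = NULL;
        return p;
    }
    return malloc(n);
}

/* scrub == 0: park the block in the cache as-is (the risky behaviour).
 * scrub != 0: wipe it first (the mitigation), then park it. */
static void cache_free(void *p, int scrub) {
    if (p == NULL) return;
    if (scrub) secure_zero(p, BLOCK_SIZE);
    if (cached_block != NULL) { free(p); return; }  /* slot busy: real free */
    cached_block = p;
}

/* Simulates two unrelated callers sharing the allocator. Returns 1 if the
 * second caller's "fresh" block still contains the first caller's secret,
 * 0 if the scrub removed it, -1 on allocation failure. */
int stale_data_survives(int scrub_on_free) {
    const char secret[] = "constructed-sample-session-key";
    char *a = cache_malloc(BLOCK_SIZE);
    if (a == NULL) return -1;
    memcpy(a, secret, sizeof secret);
    cache_free(a, scrub_on_free);

    char *b = cache_malloc(BLOCK_SIZE);    /* comes straight out of the cache */
    if (b == NULL) return -1;
    int leaked = (b == a) && memcmp(b, secret, sizeof secret) == 0;

    free(b);   /* bypass the cache so the next call starts with an empty slot */
    return leaked;
}

int main(void) {
    printf("plain cache:   stale secret visible = %d\n", stale_data_survives(0));
    printf("scrub on free: stale secret visible = %d\n", stale_data_survives(1));
    return 0;
}
```

Run it as-is to see the first line report 1 and the second 0. The scrub is the cheap fix; the fuller fix the post argues for is to remove the cache and let the system allocator, with whatever hardening the platform provides, own every free.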

  • #14
    Ugh. More reason to prefer GnuTLS until all this is over.

    Originally posted by Veerappan:
    I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects...
    Well, OpenSSL licensing is crazy: it's under Apache 1.0 and the 4-clause BSD license, which requires the words "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit" to be present in any redistributions. This was the reason why GnuTLS was created in the first place. Since OpenBSD is not affiliated with OpenSSL, I doubt they would keep the license.

  • #15
    Originally posted by HeavensRevenge:
    Can the editors/author of Phoronix show this as most likely the most valiant fork & coding effort within the last ~10 years?

    OpenSSL is basically UNFIXABLE, this is what must be done to FIX OPENSSL ITSELF; since openssl is TOO BROKEN.

    SO this project (LibreSSL) will hopefully become the new library all projects will link into their code as the crypto & security code in place of OpenSSL after they sort things out, lock crazy things down and get coding standards up, and can add PROPER multi-platform support unlike the craziness it was before their http://opensslrampage.org/ started, which is almost a commit log of how the progress was and what had been done to get to the point they are now.

    They aren't trying to just fork & run like most of the buffoons above are saying, but they're doing their best to help save the internet as a whole by fixing such a crucial piece of infrastructure that is now coming from the devs who created openssh.
    Since you have such a strong opinion on this matter, please describe in detail WHY it is unfixable? What is actually wrong? Examples? Show the code and evidence please? We're all very interested in how you've formulated this opinion.

  • #16
    Originally posted by GreatEmerald:
    Well, OpenSSL licensing is crazy: it's under Apache 1.0 and the 4-clause BSD license, which requires the words "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit" to be present in any redistributions. This was the reason why GnuTLS was created in the first place. Since OpenBSD is not affiliated with OpenSSL, I doubt they would keep the license.
    They cannot change the license of existing code.
    I had a similar interest in the license they plan to use and quickly looked at OpenSSH for comparison:
    The original license is kept in existing files but new files use the 2-clause BSD license.

  • #17
    Originally posted by GreatEmerald:
    Ugh. More reason to prefer GnuTLS until all this is over.

    Well, OpenSSL licensing is crazy: it's under Apache 1.0 and the 4-clause BSD license, which requires the words "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit" to be present in any redistributions. This was the reason why GnuTLS was created in the first place. Since OpenBSD is not affiliated with OpenSSL, I doubt they would keep the license.
    They have to unless they rewrite everything.

  • #18
    Originally posted by GreatEmerald:
    Ugh. More reason to prefer GnuTLS until all this is over.
    It's not like GnuTLS had a critical bug discovered two months ago... ( http://www.gnutls.org/security.html )
    GnuTLS does not have a reputation of following high coding standards, so I'm not sure I would advise using GnuTLS over OpenSSL.

  • #19
    Originally posted by gamerk2:
    Pardon me for saying: But shouldn't there be a well-established group of baseline/regression tests that should be run against any code change? Because this is a REALLY stupid bug that should have been found within minutes of it being introduced.

    If you're telling me you can make changes without running any established test procedures, then you have bigger problems to worry about.
    Again, I reiterate, I'm no expert. But I've read a few articles on the subject, written by people far more knowledgeable than myself, and their tone was not 'OMG, the OpenSSL devs are idiots, what an epic fail, off with their heads!'. Their tone was rather more along the lines of that it was a trivial mistake, the type of which is probably in a lot of closed source software, but we can't see those because we don't have the source. And while the effects of this particular error are admittedly far-reaching, it's just one of those things.

    I don't know about the testing procedure of OpenSSL, so I can't comment. Would testing have picked up this bug?

  • #20
    Originally posted by erendorn:
    It's not like GnuTLS had a critical bug discovered two months ago... ( http://www.gnutls.org/security.html )
    Not so bad compared to the OpenSSL bug.

    GnuTLS does not have a reputation of following high coding standards, so I'm not sure I would advise using GnuTLS over OpenSSL.
    It's a useless link, because it's very old.
