OpenSSL Forked By OpenBSD Into LibreSSL
-
Originally posted by kaprikawn:
This seems rather like an overreaction, and somewhat of a vote of no confidence in the governance of OpenSSL, which is a worrying precedent. I'm no expert, but from what I've read of the issue, it was a rather trivial mistake. I understand the far-reaching consequences of it, but it seems like it could have happened to anybody.
If you're telling me you can make changes without running any established test procedures, then you have bigger problems to worry about.
-
Originally posted by gamerk2:
Pardon me for saying: but shouldn't there be a well-established group of baseline/regression tests that should be run against any code change? Because this is a REALLY stupid bug that should have been found within minutes of it being introduced.
If you're telling me you can make changes without running any established test procedures, then you have bigger problems to worry about.

All opinions are my own, not those of my employer, if you know who they are.
-
Originally posted by Veerappan:
I'm hoping that at least the licenses stay compatible so that actual fixes can be shared between projects...

Ugh. More reason to prefer GnuTLS until all this is over.
-
Originally posted by HeavensRevenge:
Can the editors/author of Phoronix show this as most likely the most valiant fork & coding effort within the last ~10 years?
OpenSSL is basically UNFIXABLE, this is what must be done to FIX OPENSSL ITSELF; since openssl is TOO BROKEN.
SO this project (LibreSSL) will hopefully become the new library all projects will link into their code as the crypto & security code in place of OpenSSL after they sort things out, lock crazy things down and get coding standards up, and can add PROPER multi-platform support unlike the craziness it was before their http://opensslrampage.org/ started which is almost a commit log of how the progress was and what had been done to get to the point they are now.
They aren't trying to just fork & run like most of the buffoons above are saying, but they're doing their best to help save the internet as a whole by fixing such a crucial piece of infrastructure that is now coming from the devs who created openssh.
-
Originally posted by GreatEmerald:
Well, OpenSSL licensing is crazy: it's under Apache 1.0 and the 4-clause BSD license, which requires the words "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit" to be present in any redistributions. This was the reason why GnuTLS was created in the first place. Since OpenBSD is not affiliated with OpenSSL, I doubt they would keep the license.
I had a similar interest in the license they plan to use and quickly looked at OpenSSH for comparison:
The original license is kept in existing files but new files use the 2-clause BSD license.
-
Originally posted by GreatEmerald:
Ugh. More reason to prefer GnuTLS until all this is over.
Well, OpenSSL licensing is crazy: it's under Apache 1.0 and the 4-clause BSD license, which requires the words "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit" to be present in any redistributions. This was the reason why GnuTLS was created in the first place. Since OpenBSD is not affiliated with OpenSSL, I doubt they would keep the license.
-
Originally posted by GreatEmerald:
Ugh. More reason to prefer GnuTLS until all this is over.
GnuTLS does not have a reputation of following high coding standards, so I'm not sure I would advise using GnuTLS over OpenSSL.
-
Originally posted by gamerk2:
Pardon me for saying: but shouldn't there be a well-established group of baseline/regression tests that should be run against any code change? Because this is a REALLY stupid bug that should have been found within minutes of it being introduced.
If you're telling me you can make changes without running any established test procedures, then you have bigger problems to worry about.

I don't know about the testing procedure of OpenSSL, so I can't comment; would testing have picked up this bug?
-
Originally posted by erendorn:
It's not like GnuTLS had a critical bug discovered two months ago... ( http://www.gnutls.org/security.html )
GnuTLS does not have a reputation of following high coding standards, so I'm not sure I would advise using GnuTLS over OpenSSL.