Jump to content

OpenSSL To Fork


ebrke

Recommended Posts

V.T. Eric Layton

I saw the title to this thread and my first thought was, "Well, it's already forked, actually." ;)

Link to comment
Share on other sites

V.T. Eric Layton

Gads! They could have thought of a more original name. LibreSSL? :( I would have preferred something like "BypassSSL" or "StintSSL" or maybe "PacemakerSSL." ;)

Link to comment
Share on other sites

Guest LilBambi

LibreSSL works fine. In the vein of LibreOffice.

 

Interesting way to get donations LOL!

 

LibreSSL has launched with a deliberately bare-bones website, written in comic sans and using blinking text for the "coming soon" sign. Philanthropists can donate "to stop the comic sans", which is "scientifically designed to annoy web hipsters".

 

Actually, I would love to see OpenSSL have more clarity and encourage more developers/eyes.

 

BTW: I don't mind the Comic SANS. ;)

Link to comment
Share on other sites

From what I've heard, there's been a LOT of code stripped out of libreSSL since the forking.

 

I wonder how many bugs are being introduced in this process?

 

Adam

Link to comment
Share on other sites

Guest LilBambi

OpenSSL code beyond repair, claims creator of “LibreSSL” fork - arstechnica

 

OpenBSD developers "removed half of the OpenSSL source tree in a week.

 

...

 

OpenBSD founder Theo de Raadt has created a fork of OpenSSL, the widely used open source cryptographic software library that contained the notorious Heartbleed security vulnerability.

 

OpenSSL has suffered from a lack of funding and code contributions despite being used in websites and products by many of the world's biggest and richest corporations.

 

The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess.

 

Theo de Raadt - Wikipedia

 

Theo de Raadt is a software engineer who lives in Calgary, Alberta, Canada. He is the founder and leader of the OpenBSD and OpenSSH projects, and was a founding member of the NetBSD project.

 

I would say he knows a bit about security. If he says the code needed to go so it could be rebuilt, I would tend to believe he knows what he is doing. I would tend to be more concerned about the OpenSSL code that is still being used.

 

I look forward to the code that Theo de Raadt and his new crew of developers come up with, personally.

Link to comment
Share on other sites

This really strikes me as knee-jerk opportunism. Yes, OpenSSL has issues. That much is very obvious. There stuff in the code that is for very specific legacy applications. There's some things in it that are simply unnecessary.

 

However, does that warrant running off with the code, and trying to reinvent the wheel?

 

When asked what he meant by OpenSSL containing "discarded leftovers," de Raadt said there were "Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

 

They seem to be concerned with bringing down the complexity of the code- a good thing- but will OpenSSL benefit from this?

 

Writing open source software is hard.

 

TrueCrypt is a project lauded for being a stable and mature project. However, there are many that want to know about how secure the code really is, so a security audit has been funded for TrueCrypt. One part of the audit is complete, and here is an excerpt from the executive summary of the audit report:

 

 

 

 

 

Overall, the source code for both the bootloader and the Windows kernel driver did not meet expected standards for secure code. This includes issues such as lack of comments, use of inse- cure or deprecated functions, inconsistent variable types, and so forth. A more in-depth discus- sion on the quality issues identified can be found in Appendix B.

 

From: https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf

 

When you have multiple coders working on the same project in an open source environment, you have issues with code. These folks are volunteers, and they will guard their code closely because they wrote it. The project admins don't want to rock the boat too much, so they don't give these guys too hard of a time, lest they lose the talent. On top of that, coders move from the project after a period of time, and other coders must come in to replace them. How do they know/understand fully the code that's already been written? And then we have projects being forked, exacerbating the problem even more.

 

All the above relates to quality, readability, and complexity of the code. What about security?

 

I think forking the project was the wrong move. I suspect it boiled down to a difference of opinion. One developer wanted to lead the charge for change, but now we have to contend with a mess of code that will have to be cleaned up in stages. I think it would have been better to work within the OpenSSL project (one that has a large user base already), and get it up to snuff.

 

Adam

Link to comment
Share on other sites

Guest LilBambi
They seem to be concerned with bringing down the complexity of the code- a good thing- but will OpenSSL benefit from this?

 

It's open source. Of course OpenSSL can make use of it too.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...