Domain: libressl.org
Stories and comments across the archive that link to libressl.org.
Stories · 6
LibreSSL Unaffected By DROWN
serviscope_minor writes: The OpenBSD people forked and heavily cleaned up OpenSSL to create LibreSSL due to dissatisfaction with the maintenance of OpenSSL, culminating in the Heartbleed bug. The emphasis has been on cleaning up the code and improving security, which includes removing things such as SSL2 which has fundamental security flaws. As a result, LibreSSL is not affected by the DROWN bug. LibreSSL is largely compatible with OpenSSL. The main exceptions are in the cases where programs use insecure functions removed from LibreSSL, or require bug compatibility with OpenSSL.
OpenBSD Releases a Portable Version of OpenNTPD
Noryungi (70322) writes: Theo de Raadt roundly criticized NTP due to its recent security advisories, and pointed out that OpenBSD OpenNTPD was not vulnerable. However, it also had not been made portable to other OS in a long time. Brent Cook, also known for his work on the portable version of LibreSSL (OpenBSD cleanup and refactoring of OpenSSL), decided to take the matter in his own hands and released a new portable version of OpenNTPD. Everyone rejoice, compile and report issues!
Slashdot Asks: The Beanies Return; Who Deserves Recognition for 2014?
It's been a long time since Slashdot has awarded the Beanies -- nearly 15 years, in fact. But there's no time like the present, especially since tomorrow edges on the new year, and in early 2015 we'd like to offer a Beanie once again, to recognize and honor your favorite person, people (or project; keep reading) of the past year. Rather than a fine-grained list of categories like in 2000, though, this time around we're keeping it simple: we can always complicate things later, if warranted. So, please nominate below whoever you think most deserves kudos for the last twelve months. Is it ...
- Edward Snowden, for the impact his leaks (though they began in 2013) have continued to make? (Or William Binney, for similar reasons?)
- Nobel Peace Prize winner Malala Yousafzai, who fought a difficult battle for children's right to an education?
- Telescope popularizer John Dobson, who died earlier this year at the age of 98, after bringing space a little more down to earth for many thousands of people?
- May-Britt Moser, her husband Edvard Moser, and John O'Keefe for their discoveries about how the brain navigates through the world?
- Eben Upton, whose little educational hardware project has bloomed into millions and millions of cheap, hackable Linux computers?
- How about Maryam Mirzakhani, the first woman to become a Fields medalist?
- Theo de Raadt, who stepped in with replacement project LibreSSL soon after cracks appeared in OpenSSL, and who's been helming the OpenBSD project since 1995?
- The ESA team that landed a probe on a comet, or the ISRO engineers who managed to send a probe to Mars on a shoestring budget?
- Anita Sarkeesian, for helping draw attention to undue harassment faced by women in the video game world?
- Someone relatively quiet or obscure who's nonetheless made the world better through some kind of interesting innovation or contribution?
Read on below to see how you can take part, and then nominate your favorite in the comments below.
A few guidelines to make this work:
- Please use the title of your post well; in the form "Name: Description of why they're deserving." (Example: "Harold Ramis: Goodbye, and thanks for all the laughs.") That way, your title can help organize the discussion, and will be easy to scan for. (That's how we'll look to credit the first one to suggest a candidate, as well.)
- Speaking of which: please scan the other suggestions first; if you find there one you'd like to argue for or against, better to do it there, rather than start a new thread.
- Please name an actual person, or a specific group of people, so we can send your choice -- or a representative, as appropriate -- some kind of token (to wit, a beanie). But be as creative as you want: the names listed above are just starting points.
- Explain why your choice deserves to be lauded, with links and words; underrated heroes are welcome. If there's a relevant Slashdot story to link to, so much the better, but it's no requirement. Make it clear why your favorite deserves recognition for 2014, even if it's for contributions that started longer ago. Feel free to nominate yourself, but the same guidelines apply.
- Accentuate the positive. We figure beanies sent to Keith Alexander, John Brennan, or Kim Jong Un won't get worn very often. Maybe there can be some anti-Beanies down the road, but for now, name the good guys, of whatever variety.
- You need not be logged in to take part -- anonymous entries are welcome. However, because of comment thresholds, among other reasons, logged in comments may carry more weight.
We'll winnow down the suggestions below into a short list for further consideration -- and perhaps toss in a few more options to boot -- and aim to come up with a deserving new Beanie recipient (possibly more than one) before the first new moon of 2015.
Submit away.
Google Forks OpenSSL, Announces BoringSSL
An anonymous reader writes: Two months after OpenBSD's LibreSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."
30-Day Status Update On LibreSSL
ConstantineM writes: "Bob Beck — OpenBSD, OpenSSH and LibreSSL developer and the director of Alberta-based non-profit OpenBSD Foundation — gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that have led to the creation of a big fork of OpenSSL that is still API-compatible with the original, providing for a drop-in replacement, without the #ifdef spaghetti and without its own "OpenSSL C" dialect.
Bob is claiming that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that nobody at OpenSSL is actually interested in maintaining OpenSSL, but merely adding more and more features, with the existing bugs rotting in bug-tracking for a staggering 4 years (CVE-2010-5298 has been independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior). Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers at finding and fixing even more of OpenSSL bugs in downstream LibreSSL, which still remain unfixed in upstream OpenSSL. It is revealed that a lot of crude cleaning has already been completed, and the process is still ongoing, but some new ciphers already saw their addition to LibreSSL — RFC 5639 EC Brainpool, ChaCha20, Poly1305, FRP256v1, and some derivatives based on the above, like ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.
To conclude, Bob warns against portable LibreSSL knockoffs, and asks the community for Funding Commitment. The Linux Foundation has not yet committed support, but discussions are ongoing. Funding can be directed to the OpenBSD Foundation." Update: 05/18 14:28 GMT by S : Changed last paragraph to better reflect the Linux Foundation's involvement.
Not Just a Cleanup Any More: LibreSSL Project Announced
An anonymous reader writes: "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD Foundation."