Slashdot Mirror


DoD team nears Security Validation of OpenSSL

tadelste writes "An important DoD program took a page from Open Source and Do-It-Yourself-IT (DIYIT) and applied for their own Security Validation. In this article Steve Marquess says: as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program."

7 of 109 comments

  1. Summary misleading by pavon · · Score: 5, Informative

    That summary is potentially misleading because it leaves out the reason why he was annoyed. Here is the whole paragraph:

    Because OpenSSL has a BSD-style license, many vendors simply grabbed the source code and incorporated it into their proprietary products. Those vendors wanted literally hundreds of thousands of dollars in licensing fees. As Steve attests, "as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program."

    So he was annoyed at vendors who he thought were ripping the government off, not at the wastefulness of the government auditing OpenSSL as I read the summary to say.

  2. Re:good for this Steve guy by cpghost · · Score: 2, Informative

    For non-US readers: The US government has issues of spending bloat.

    LoL! Name just one government worldwide that doesn't have that specific problem!

    --
    cpghost at Cordula's Web.

  3. Re:microsoft not secure by xanadu-xtroot.com · · Score: 1, Informative

    It would be nice if the "yea, wait until more people use Linux" had a clue what they were talking about, especially since has exactly NOTHING to do with Linux.

    Look, I'm a die-hard Linux user (that even borders on Zealot). I've been using "Linux" for 7 or so years now (RH 5.1 is the first "Linux" I tried). The "yea, wait until more people use Linux" people are right.

    Sure, OK, all the source code to everything on this machine is out there (well, except for the nVidia module, but...), but if only something like 10% of all the computer users on this even use "Linux", that would leave a tiny percent of people that actually understand the code enough to validate it.

    Again, I've been using this OS for a good few years, and I can honestly say I'm no coder. OK, I can hammer out some really simple "Hello World" programs in a few languages, but that doesn't mean I can validate the Kernel...

    --
    I'm not a prophet or a stone-age man,
    I'm just a mortal with potential of a super man.

  4. OpenSSL *is* Free Software by lordcorusa · · Score: 4, Informative

    I really hate to get pedantic, but OpenSSL is Free Software. According to the Free Software Foundation, the OpenSSL license is a Free Software license incompatible with the GPL.

    What you should have said is that the Free Software Foundation recommends developers use the GNU TLS library, but using OpenSSL in non-GPL projects is perfectly okay. Remember, GPL licensed software is only a subset of Free Software.

    --
    The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.

    1. Re:OpenSSL *is* Free Software by Fweeky · · Score: 2, Informative

      Direct from said page:

      The license of OpenSSL is a conjunction of two licenses, one of them being the license of SSLeay. You must follow both. The combination results in a copyleft free software license that is incompatible with the GNU GPL. It also has an advertising clause like the original BSD license and the Apache license.

      Has this changed? The FAQ suggests things are a little shaky.

      Not that I much care; BSD's my preferred license, FreeBSD is my preferred OS, so it's all good. Makes a change from the opposite being the problem (GPL code in BSDish apps).
  5. Re:Ironic by cduffy · · Score: 4, Informative

    Perhaps you should RTFA. They isolated the security-sensitive parts such that most fixes wouldn't touch them, and thus could be applied without revalidation.

  6. Re:microsoft not secure by NuclearDog · · Score: 1, Informative

    Requiring an executable flag to be set on a file before it can be executed, rather than executing all files that end in .scr, .exe, .com, etc. no matter where they came from?

    ND

    --
    This statement is forty-five characters long.