Slashdot Mirror


DoD team nears Security Validation of OpenSSL

tadelste writes "An important DoD program took a page from Open Source and Do-It-Yourself-IT (DIYIT) and applied for their own Security Validation. In this article Steve Marquess says: 'as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program.'"

5 of 109 comments

  1. Summary misleading by pavon · Score: 5, Informative

    That summary is potentially misleading because it leaves out the reason why he was annoyed. Here is the whole paragraph:

    Because OpenSSL has a BSD-style license, many vendors simply grabbed the source code and incorporated it into their proprietary products. Those vendors wanted literally hundreds of thousands of dollars in licensing fees. As Steve attests, "as a taxpayer, I felt very annoyed. But it made me realize a couple of things. First, if OpenSSL had been validated, then it was possible for us to do it again. Secondly, if we could do it we could save a lot of money for the program."

    So he was annoyed at vendors who he thought were ripping the government off, not at the wastefulness of the government auditing OpenSSL as I read the summary to say.

  2. Re:good for this Steve guy by cpghost · Score: 2, Informative

    For non-US readers: The US government has issues of spending bloat.

    LoL! Name just one government worldwide that doesn't have that specific problem!

    --
    cpghost at Cordula's Web.

  3. OpenSSL *is* Free Software by lordcorusa · Score: 4, Informative

    I really hate to get pedantic, but OpenSSL is Free Software. According to the Free Software Foundation, the OpenSSL license is a Free Software license incompatible with the GPL.

    What you should have said is that the Free Software Foundation recommends developers use the GNU TLS library, but using OpenSSL in non-GPL projects is perfectly okay. Remember, GPL licensed software is only a subset of Free Software.

    --
    The preceding comments reflect the author's personal opinion and are public domain, unless explicitly stated otherwise.

    1. Re:OpenSSL *is* Free Software by Fweeky · Score: 2, Informative

      Direct from said page:

      The license of OpenSSL is a conjunction of two licenses, one of them being the license of SSLeay. You must follow both. The combination results in a copyleft free software license that is incompatible with the GNU GPL. It also has an advertising clause like the original BSD license and the Apache license.

      Has this changed? The FAQ suggests things are a little shaky.

      Not that I much care; BSD's my preferred license, FreeBSD is my preferred OS, so it's all good. Makes a change from the opposite being the problem (GPL code in BSDish apps).

  4. Re:Ironic by cduffy · Score: 4, Informative

    Perhaps you should RTFA. They isolated the security-sensitive parts such that most fixes wouldn't touch them, and thus could be applied without revalidation.