OpenBSD Team Cleaning Up OpenSSL
First time accepted submitter Iarwain Ben-adar (2393286) writes "The OpenBSD has started a cleanup of their in-tree OpenSSL library. Improvements include removing "exploit mitigation countermeasures", fixing bugs, removal of questionable entropy additions, and many more. If you support the effort of these guys who are responsible for the venerable OpenSSH library, consider a donation to the OpenBSD Foundation. Maybe someday we'll see a 'portable' version of this new OpenSSL fork. Or not."
Yes, Theo has a bad temper and is not filtering carefully enough what he says, but his heart is in the right place, and he's a fucking great leader. I don't mind one bit his bad temper, because it usually hits those that really deserve it. And on the other hand, he's one of the most effective open source leaders.
I think my CC number got stolen.
Obviously since OpenBSD is running their fork of OpenSSL 0.9.8 which essentially doesn't have this exploit, this is just a shameless plug.
But having an OpenBSD vetted OpenSSL 1.0.1g+ for Ubuntu, now that would be something!
If they're doing a large-scale refactoring, a regression test suite is really advisable (in addition to static code analysis) to ensure that they don't create new, subtle bugs while removing things that might look like crud. Does anyone know how good their test coverage is?
Koans and fables for the software engineer
$30,949 is how much the OpenBSD Foundation received in donations in 2013. That has to get fixed as their expenses were $54,914 and only a one-time transfer from an old account covered the deficit.
The community that depends on OpenSSH, OpenNTPD and the like needs to figure out how to support these projects.
Personally I'd like to see the Foundation offer targeted donations to specific projects with a percentage (~20% perhaps) going into the general operations fund. I bet there are a bunch of people who would throw a hundred bucks at OpenSSH but would be concerned that a general donation would go to some odd thing Theo is doing (whether that be fair or not).
And if "Fixing OpenSSL" were one of the donation options, then hold on to your hats - I think we're all in agreement on this. We do know that the folks currently working on the projects are paid by others but if the Foundation can get enough money to offset expenses then it could actually do some development work and possibly finally take care of some sorely-neglected tasks on a few of these codebases.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
... in a safe(er) language.
I wish the Go language supported building of shared libraries. Would be a nice implementation language for software like this.
I have little doubt that the OpenBSD team will significantly improve the code.
much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
We also have a comment from the FreeBSD developer Poul-Henning Kamp.
He starts by saying "The OpenSSL software package is around 300,000 lines of code, which means there are probably around 299 bugs still there, now that the Heartbleed bug — which allowed pretty much anybody to retrieve internal state to which they should normally not have access — has been fixed." After that he notes that we need to ensure that the compiler correctly translates the high-level language to machine instructions. Later Kamp rants a bit about the craziness of CAs in general — would you trust "TÜRKTRUST BLG LETM VE BLM GÜVENL HZMETLER A.."? Then he lists some bullet points about things that are wrong in OpenSSL:
- The code is a mess
- Documentation is misleading
- The defaults are deceptive
- No central architectural authority
- 6,740 goto statements
- Inline assembly code
- Multiple different coding styles
- Obscure use of macro preprocessors
- Inconsistent naming conventions
- Far too many selections and options
- Unexplained dead code
- Misleading and incoherent comments
"And it's nobody's fault. No one was ever truly in charge of OpenSSL, it just sort of became the default landfill for prototypes of cryptographic inventions, and since it had everything cryptographic under the sun (somewhere , if you could find out how to use it), it also became the default source of cryptographic functionality. [...] We need a well-designed API, as simple as possible to make it hard for people to use it incorrectly. And we need multiple independent quality implementations of that API, so that if one turns out to be crap, people can switch to a better one in a matter of hours."
Ted Unangst wrote a good article called "analysis of openssl freelist reuse"
His analysis:
it's a very good read.
Trolling is a art,
Removal of ancient MacOS, Netware, OS/2, VMS and Windows build junk
Removal of “bugs” directory, benchmarks, INSTALL files, and shared library goo for lame platforms
Ripping out some windows-specific cruft
Removal of various wrappers for things like sockets, snprintf, opendir, etc. to actually expose real return values
There's no doubt that OpenSSL needs work, but they seem to be needlessly combining actual security review with "break every platform that I don't like." At a minimum, anyone else trying to benefit from this will need to unravel the worthwhile security changes from the petty OS wars crap.
Just wanted to give my thanks to freetards everywhere for breaking the internet!
Sent from my Windows 8 Phone.
Apparently you didn't read the second news item on the OpenBSD news site, where they reached their 2014 funding goal of $150,000 last week.
Should they not be getting some tax funding??? This is so ironic projects like this that if they fail can take down the next every company that uses these projects pays taxes should tax money not be given with out any strings like no nsa back doors or the sort but rather make sure all bugs are taken care of? To many companies profit from ssl yet the project that maintains it is on very week standings.
I read that as discarding stuff for Windows 98, 2000, and other ancient platforms that have fallen almost entirely from use, and certainly outside the pool of what's tested: A good thing.
The first step to cleaning up the code is getting it into a state where you're not leaving crap in place because 'It's for something I don't understand.'
That's what got us in the current OpenSSL mess in the first place.
Additionally, once the core code is cleaned up you can always follow the changelogs and merge the legacy stuff back in (assuming they're using git, or another VCS with a good git check(in/out) module.)
Honestly anyone still running any of those OSes is probably running a 0.9 series library and thus wasn't vulnerable to this bug to begin with. Who knows how many of those alternate paths even still worked anymore.
It's a fork specifically for OpenBSD. Why would they keep support for other OSes?
I agree that if they were trying to create a general replacement fork of OpenSSL, that those would be bad things, but for what they're trying to do, these are good decisions. They're trying to improve OpenBSD's security - OpenSSL is a big attack surface, and they're trying to make it smaller by removing the things they don't need.
This will complicate things both ways, going forward. Updates to OpenSSL might be harder to integrate with OpenBSD's fork (if it becomes an actual independent product, can we call it OpenOpenSSL? Or Open^2SSL?), if it touches upon the altered parts. Likewise, anyone trying to merge an Open^2SSL fix into OpenSSL might have difficulty. I expect that if OpenBSD's fork of OpenSSL becomes a separate project, one or the other will die off, simply due to all that duplicated effort.
What I expect to happen in that case is that Open^2SSH will maintain compatibility with all the platforms OpenSSH or OpenSMTPD (which are OpenBSD projects) support - pretty much any Unix-like environment, including Linux, BSD, OS X, Cygwin, and most proprietary Unices. If there's enough desire for support for other platforms, a second fork might happen to maintain them, but I honestly doubt it (Mac OS 9? Really?).
I think the point is to have as little code as possible, and to have no code that isn't covered by their tests. Both of which are excellent ideas if you want to write secure code.
Have you read the OpenSSL code base? A lot of what appears inside an #ifdef WIN32 is complete garbage and in most cases you'd be fine with the normal libc stuff the Unix version gets.
It's not remotely about petty OS wars. Complexity is bad for security, mmkay? If you want a newer version of openssl for OS/2, netware, or pre OSX MacOS, I'd really like to know what exactly you are doing. Dropping those platforms is the right thing.
Indeed. Most coders just add more code when they run into an issue. That is a problem for normal code, but it is death for anything security-critical.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The OpenBSD has started
The OpenBSD cometh.
Or simply support and use the GnuTLS!
both have their own set of problems, but at least now you have the a alternative.
Higuita
I checked the CVS comments last night; pretty sure they are working off 1.0.1g. Based on the commit comments they are breaking it into pieces (using the crypto functionality of OpenBSD not OpenSSL) as well as ditching all the code that is intended to make it work on other systems. It looks like the final product will be integrated in the base - not portable.
It's a fork specifically for OpenBSD. Why would they keep support for other OSes?
You only fork when you want to put distance between the original; there is nothing stopping them from making changes/"improvements" to the original OpenSSL project except for scope constraint (i.e. if they just want OpenBSD to be secure) or ego. Either one stinks of selfishness. I cant criticize them directly since they are still doing all of their work for "free" and are publishing it freely, but it has to be pointed out that they are choosing the greater of two evils.
Their theory is that they need an SSL system for OpenBSD. They're not trying to build it for other platforms, and the extra code adds complexity (and can contain vulnerabilities) so they're not going to maintain it. They're cutting out unnecessary cruft. That cruft may be needed for some users, but OpenBSD doesn't have any use for OS/2 support.
Not a sentence!
The OpenBSD project has some history of being funded by the American federal government (perhaps indirectly, as there was some sort of university involved).
To summarize, that ended rather poorly.
The project is officially headquartered in Canada, home of Theo (project lead) and also someone else with ties to the University of Alberta (which is probably related to why University of Alberta has benefited from early use of anti-spam techniques in OpenBSD, and why University of Alberta is a distribution site, hosting the main website last time I checked).
A lot of the government funding that I hear about comes from an organization like the NSF, which is the (American) National Science Foundation. I don't hear about nearly as much funding from the Canadian national government. Then again, I am American, so that makes it a bit less surprising if I'm more familiar with programs that involve the American government. (It is quite possible that Canada does do more than what I am aware.)
The ancient garbage needs to go. If the platform is effectively dead and the developers can't test against it, delete the code its time for the lazy/cheap to upgrade it they want support/improvements.
$30,949 is how much the OpenBSD Foundation received in donations in 2013.
That's about $29,000 more than OpenSSL receives every year, and still $22,000 more than they received this month when the entire world realized that they had been freeloading and scrambled to make themselves look good by making one-time donations.
Indeed. If there are still a significant-enough number of OS/2 users out there to warrant OpenSSL upgrades, then someone will fill the need. But we all know there isn't enough users of these old OSs to actually warrant ancient code being maintained.
The world's burning. Moped Jesus spotted on I50. Details at 11.
Yes, Theo has a bad temper
That rant would be epic. But seriously, the login doesn't even work. Showing stories doesn't work. There's no post new message button. There's only a reply to button. How do we disable this crap? I see the "click here to return to the Classic version of Slashdot" link has been disabled. I guess too many people were using it. How do I disable it so I can login again?
With something as big and messy as crufty as OpenSSL, there probably isn't a sane way to approach the problem of decrapifying it that doesn't involve first stripping it down to the minimum.The OpenBSD devs aren't Windows devs, Apple Devs, or Linux Devs. There is no "greater evil" in making something more secure in less time for your own platform when contorting themselves to maintain compatiility keeps junk that slows them in their task to the point they don't every get to the clean secure rewrite.
they are choosing the greater of two evils.
No.
Eventually supporting too many screwy and ancient systems starts to cause just so many problems that it is really, really hard to write solid, well tested, clear code. The heartbleed bug was exactly a result of this. Because of supporting so many screwy platforms, they couldn't even rely on having malloc() work well. That means they had their own malloc implementation working from internal memory pools. Had they not, they would have benefited from the modern mmap() based implementations and you'd have got a segfault rather than a dump of the process memory.
Supporting especially really old systems means having reimplementations of things which ought to be outside the scope of OpenSSL. Then you have to decide whether to always use the reimplementation or switch on demand between the custom one and the system one and whether or not to have some sort of quirk/bug correction.
This sort of stuff starts to add up and lead to a maintainance nightmare.
What OpenBSD are doing: throwing out all the accumulated crud and keeping the good parts is a fine way to proceed. It will almost certainly be portable to the other BSDs, OSX and Linux since they provide similar low level facilities. I doubt a port back to Windows would be hard because modern windows provides enough sane facilities that it's generally not too bad for heavily algorithmic code like this.
Basically there's no way for them to get started except to first rationalise the code base and then audit it.
SJW n. One who posts facts.
Otherwise known as "the only sane way to simulate exceptions in C". Seriously. Read up on how "goto" is used in low-level code bases such as OS kernels, instead of citing some vague memory of a 1960s paper without understanding its criticisms.
People who don't use goto for error handling in C more often than not either have incorrect error handling or way too much error-prone duplication of resource cleanup code. It makes sense to very strictly warn newbies away from goto, much in the same sense that you warn them from multithreading. You don't want them used as a universal hammer for every nail in the code. At some point though, people need to jump off the bandwagon and learn to respect, not fear, these things that actually have some very compelling uses.
There's no doubt that OpenSSL needs work, but they seem to be needlessly combining actual security review with "break every platform that I don't like." At a minimum, anyone else trying to benefit from this will need to unravel the worthwhile security changes from the petty OS wars crap.
I don't see this as a problem. Since OpenBSD is working on their own, for-themselves, branch, they can fix it any way they want. If they do a good job (as expected), the OpenSSL project can then backport their fixes into their project and integrate it to their hearts' content.k (If they chose not to, someone else can chose to fork and do it, and the two versions can fight it out for acceptance.)
This is how it works in the Bazzaar.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
The single heartbleed vulnerability awakened people to actually take a deep look into the OpenSSL code. Where were all the "eyeballs" before that? Now we are in a position where suddenly the whole OpenSSL code needs massive rearchitecturing. It just makes me cringe when I think what other OSS projects possibly have similar serious problems, possibly in mission critical components. It's starting to be quite obvious that there is not enough people to actually take a look under the hood and say, hey this quite crusty code and needs fixing.
I find the open development process of software to be extremely interesting, but am not scared to point out possible flaws in it. So should be no one else.
Maybe it's time to realize that OpenSSL has become obsolute. For me it's totally unacceptable that even now the documentation is [STILL INCOMPLETE]. Instead of wasting time with cleaning up a pile of dirt, use that time to start supporting PolarSSL in all your applications. Its code is clean and it is well documented. Once you give PolarSSL a try, I'm sure you will wonder why the hell you were using OpenSSL all that time.
It doesn't have to be like this. All we need to do is make sure we keep talking.
There's no doubt that OpenSSL needs work, but they seem to be needlessly combining actual security review with "break every platform that I don't like." At a minimum, anyone else trying to benefit from this will need to unravel the worthwhile security changes from the petty OS wars crap.
They are fixing OpenSSL for their own needs, probably with little or no expectation of use on other projects.
They did the same thing with SSH: they took the original SSH code, forked last open source copy before it went closed source, and created OpenSSH. Then a "portable" variant was created to run it on non-OpenBSD systems--which basically everyone else now runs.
I'm guessing the same will happen here: clean up the original and then at some point someone may make it portable.
No you fool. "Do one thing and do it well". They're applying the tried and true Unix Philosophy. That's all this is about. Complexity Doesn't matter. It's the doing of the one thing, and wellness. Doing of all the things is the scourge of existence.
Get your priorities straight, or I'll beat you sensless with a lathered up POSIX roped soap, as it's the one thing a dirtyhippie can do with it well.
It's a fork specifically for OpenBSD. Why would they keep support for other OSes?
You only fork when you want to put distance between the original; there is nothing stopping them from making changes/"improvements" to the original OpenSSL project except for scope constraint (i.e. if they just want OpenBSD to be secure) or ego. [...]
A third option: you feel the upstream folks are incompetent and don't want to bother with trying to get them to see your way.
I think it's a bit of #1 and #3.
Surely some (back)porting will take place if those patches are useful for the original branch as well. The pursuit of code clarity(tm) is good when things get muddy and hearts are bleeding.
Comment removed based on user account deletion
Doesn't matter, it's still his project. Donations to OpenSSL need to be donations to OpenBSD. Theo has ultimate responsibility for everything that happens with OpenSSL, including Heartbleed.
It's good that he's ordering a cleanup.
At the same time, the state of this critical infrastructure project under his control demonstrates how good at security he is far better than a thousand rants.
it's ridiculous to be forced to donate to OpenBSD if you want to support OpenSSH. OpenBSD is irrelevant, while OpenSSH is critical infrastructure.
We've been having this argument on Slashdot for over a decade.
By now, Theo has demonstrated through the state of the OpenSSH code that he is incompetent and can not be trusted to run the OpenSSH foundation.
If they end up stripping it down to a minimal library with the core functionality, cleaning up the public interface (e.g. exported functions), and making it easy to create your own OS-specific wrapper around it, then they are actually doing something that should have been done in the first place. If they do it right, it will become much more popular (and most likely more light-weight and secure) than the current OpenSSL project.
Actions have consequences.
I follow the OpenBSD mailing lists on and off, and OpenBSD project members are raging assholes a lot of the time; this trickles down to users, as well (whether it's because they seek to emulate the project, or because non-assholes are driven away, I'm not sure).
This is a toxic environment that I have no desire to be part of, nor do I want to support it. I use OpenSSH frequently, but because there are such jerks associated with the project, I'd rather give money elsewhere. Someone else will pick up OpenSSH if OpenBSD dies.
In short: there are a lot of projects worth donating to. I have to sort them somehow, and OpenBSD helps me do that by slotting themselves near the bottom.
They should clean up all the "Open" projects like OpenOffice and OpenWindows.
I've not liked some of the things I've heard from Mr. de Raadt in the past because they seemed to be less fact than emotion, but in this case Theo has redeemed himself in a big way.
Like it or not, OpenSSL is now one of the most important pieces of software in the world. OpenSSL protects people's bank account numbers, credit card numbers, medical records, and employment records. OpenSSL protects corporate and government secrets (hopefully in combination with other defensive tactics). OpenSSL is not used for all encrypted network sockets, but it is widespread, to say the least.
de Raadt and his team are stripping OpenSSL down to its bare minimum. That is exactly what we all need. When someone's device creates an encrypted HTTP connection to another device, you want that functionality to work perfectly. That is the vast majority of use cases, and that most important use of OpenSSL failed in a spectacular fashion.
You don't care about being able to build OpenSSL on anything right now except OpenBSD. That is the platform de Raadt's team will be using for testing. You don't care about high-performance wrappers. Computers are lightning fast now, have gigantic amounts of memory, and network speeds are phenomenal compared to the requirements of using an HTTPS connection. OpenSSL today does not want for any system resource, even on a telephone or an embedded platform.
You don't need a platform on which to perform experiments in cryptography. OpenSSL was being used by scientists and mathematicians and the NSA to test new ideas. That is not an appropriate use for the mainline OpenSSL distribution.
Once de Raadt's team is finished, one or more of the hundreds of thousands of Windows programmers can spend a few weeks re-adding their build architecture and necessary wrappers for the latest versions of Windows and some Linux people can do the minor porting on that platform.
Perhaps the original OpenSSL can be relegated back to the laboratory. If you've ever used the OpenSSL command line programs, it feels like you're working with test tubes and bunsen burners. From what I've read of the code, it is no better.
For starters I am by no means an expert in programming. I know enough to be dangerous, and to serve my own personal projects. :) )
A while back a programmer friend of mine was guiding me in programming. Back then I wrote some C code, and in a error handling routine, I used the dreaded GOTO statement.
Boy did this unleash his complete wrath. He could talk about nothing else afterwards.
I was berated, screamed at, told I will never be a good programmer. I should give up now. GOTO's are the tools of a lazy ignorant and bad programmers. I am the worst programmer ever.. On and On. Any programmer that uses GOTO is a bad bad lazy programmer.
I then grepped through Linux kernel sources, and showed him that I found over 200 uses of GOTO's. He of course said they are not real programmers and they are just hacks, are lazy and stupid..... On and On...
So out of curiosity about the OpenSSL bug the other day, I looked at the sources, and low and behold, GOTO's everywhere.
I was shocked. Was this very important software written by hacks? Lazy, bad programmers? No wonder the serious security flaw..
Is GOTO the gold standard of a bad lazy programmer?
So I must ask you guys.. What's the deal? (needless to say I don't use them anymore
You shouldn't really put OpenSSH and OpenNTPD in the same sentence... 2k http://qa.debian.org/popcon.ph... vs. 65k http://qa.debian.org/popcon.ph...
Targeted donations are great and all, but I think corporations that NEED this security layer should step up. Banks for example - oh hell, the clearly don't give a crap if they can cry to Congress for a bailout.
If I were Zuckerburg, I'd go big and throw in 50 million for a rewrite effort. The publicity alone would be gold. Facebook could brag for years how they take their user's information and privacy seriously enough to pay. God, they already spent billions on a photo sharing app and VR glasses, 50 million would be round off in comparison.
I agree that ripping out platforms they don't care about is not the maximally altruistic path; but is the delta between the altruistic path and the more altruistic path really 'selfishness'? That just seems to strain the definition a bit...
They also just don't have much in the way of resources, so even things that are doable from a software engineering standpoint may well be impractical from an available man-hours standpoint, and pretty much anything is probably taking time away from some other aspect of OpenBSD development.
You said: Here's the thing: OpenBSD is a hobby OS. Ha Ha.
That's funny. Some of the most prestigious companies and organizations on the planet use OpenBSD for a number of tasks. I've worked for three myself where OpenBSD figures prominently. Of the three I've worked for, one is the largest ISP in the US, another an IT consulting firm with a very specialized IT security knowledge whose clients demand only the very best, whose own infrastructure must be protected at all costs. OpenBSD is no joke, no hobbyist OS. BSD in general, while not getting anything near the popularity or mention of Linux, is far and away a better server choice than Linux in most areas, even more recently moving into the embedded space, especially OpenBSD and NetBSD. BSD is freaking stable. Short of a hardware failure, I've never had a BSD server go down for anything other than routine maintenance, and even this is infrequent.
OpenBSD isn't fancy, it's not pretty, it gets no real limelight, but it does an incredible job as a firewall, Webserver, gateway, you name it. Were I to run my own company, it would be BSD in the server room and Linux on the desktop. I've been working with and around BSD for the better part of 20 years. There is nothing hobby-like about it.
Well, there's also nothing stopping OpenSSL from pulling in the changes made in OpenBSD. And they'd certainly better if any of them have any smarts at all.
$30,949 is how much the OpenBSD Foundation received in donations in 2013.
And yet... I heard OpenSSL itself gets at most $2000 in a typical year. Despite tens of thousands of banks, retailers, hardware manufacturers, software manufacturers, all relying on their code in a security critical fashion to support their business activities. The MOST the OpenSSL project gets in contributions is a mere shilling?
And no real support for high quality code review, maintenance, and release management. Just support for adding feature bloat.
Because of supporting so many screwy platforms, they couldn't even rely on having malloc() work well. That means they had their own malloc implementation working from internal memory pools. Had they not, they would have benefited from the modern mmap() based implementations and you'd have got a segfault rather than a dump of the process memory.
At the very least they should have looked for a third-party one that's used at many other places (e.g., tcmalloc, jemalloc).
It's hard to be good at everything in the modern world: the OpenSSL folks should focus on security, and leverage the work of virtual memory experts where needed.
BSDs are estimated to be about 1.0% of all servers on the Internet (as of February 2014, sorry don't have current numbers), OpenBSD a portion of that, FreeBSD a bigger portion.
Hmm, how many folks are running Juniper? (They're running FreeBSD-based system.) Also: EMC Isilon and NetApp. Spectrum Logic? Who's running Force 10 (i.e., NetBSD)?
How many folks are running OpenSSH? How about using bcrypt?
If no one ends up using "OpenOpenSSL": oh well. But if the OpenBSD folks can fork OpenSSL (like they did with SSH) and turn it into another OpenSSH, then I say it's worth some encouragement.
They didn't remove any current platforms, only obsolete ones, or code specific to some platform.
> It's a fork specifically for OpenBSD. Why would they keep support for other OSes?
I don't think it is an OpenBSD fork. It is a cleanup, the resulting library will be available on every current system, like, say OpenSSH.
I expect the upstream library to die, and everyone will use the OpenBSD version.
The problem is that it isn't clear from Theo's statement if they are dropping support just for old platforms, or if they are dropping Win32/64 and MacOS support as well.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
My tough guess here is something like valgrind would have helped. Yeah, even though you have the limits of true brk() allocation bundles, valgrind operates more at a byte level. Valgrind in this case would have been useless, because of the custom allocator code.
if you write code that requires a "caching" allocator so much that you break with normal malloc()/free(), you're doing something wrong. If you're doing it in high impact security code, you really should stop everything else and fix what you're doing wrong.
And thus another decade long slashdot argument turns out to be an elementary lexical oversight.
"Yes, Theo has a bad temper and is not filtering carefully enough what he says, but his heart is in the right place, and he's a fucking great leader. I don't mind one bit his bad temper, because it usually hits those that really deserve it. And on the other hand, he's one of the most effective open source leaders."
:)
That's called damning with faint praise
Seriously, just start over:
1. coherent API
2. modular code
3. discard obsolete / deprecated junk
4. profit!
When OpenBSD forked from NetBSD, they fixed many bugs, and fixes were backported in NetBSD. Fixing OpenSSL bugs will benefit everyone, if OpenSSL people are reasonable enough to tick the fixes.
You conveniently skipped Windows there.
I don't know the specifics of what was removed. Maybe it was only to support Windows 9x/ME, or NT 3.x or even Win16. But if it was needed for modern versions of Windows, then this is remotely about petty OS wars.
Banks don't use OpenSSL. They use FIPS certified alternatives. Look at the lists that have been produced of potentially compromised servers, and try to find a bank in there.
It's easy to make petty comments while others are busy doing the work.
OpenSSL folks have recently said they are maxed out. And they have security problems sitting in their bug tracker for YEARS. What is the point?
It's a fork. And it will be usable by any modern unix variant, not just OpenBSD
The stuff that is being cut out isn't just for "other platforms". It's absolutely fucking ancient, and in many cases, probably hasn't even been _compiled_ any time in the last decade.
Or about $900,000 less than OpenSSL receives in paid development work each year.
And if they were using a FIPS certified version of OpenSSL, they would still be compromised. FIPS means....nothing in this context.
Just because no bank was on the list does NOT mean that they were not vulnerable, just that they have too much to lose by admitting it.
OpenSSL is not FIPS certified. Most banks are using NSS, which is.
If your language runtime has a bug instead, it's much more likely to be a very indirect one, because now not only do you likely have to cause a specific behavior in the program itself, but that behavior has to trip up the runtime in a way that causes that bug to lead to something bad.
Yeah and? Has that stopped all the exploits of the Flash runtime and the Sun/Oracle JVM? Nope. In fact, those two are among the most exploited pieces of userspace software on the OS.
How the fuck can everyone misunderstand this? Every time this topic comes up, almost everyone fails to get it.
If you were writing programs in Flash or Java and those programs received data from the internet, those programs would be less exploitable because they were written in a high-level language. However, that's not what people usually do with Flash and Java. They use Flash and Java to run programs they've downloaded from the internet, which means they're left to the security of Flash and Java which are written in C.
Honestly, I don't know why I'm even trying. I'm 100% certain that everyone is going to entirely misunderstand what I've just said.
Look, people. Try to understand: These are two different concepts:
1. It's hard to exploit programs written in high-level languages like Flash and Java.
2. It's easy to exploit high-level language interpreters written in low-level languages like C.
I shall now prepare to be down-modded as a troll, as that seems to be the usual response to someone saying something that everyone else is so incapable of understanding that they assume they must simply be trying to cause an argument.
Frama-C found it.
The caching allocator was irrelevant to the heartbleed bug.
Support my political activism on Patreon.
Switch OpenBSD from the BSD license to GNU GPL v3. Make BSD licensing for donors only, with - of course - a restrictive clause that you can only use BSD licensing if you've donated. I'll admit it's an on-your-honor system, but it will scare most corporations.
GNU GPL v3 is free-enough for most people, and those who need free-er terms can pony up.
I'm perfectly cool with dropping MacOS support. If they make it not work on MacOSX, I'll be annoyed. There's a difference there, although it may not be obvious.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Dropping support for these platforms means getting rid of a lot of files/code/ifs/etc. Less code is easier to review. Better reviewed code has more chances of bugs being caught in time.
Looking at the diffs in tech@, is seems they're dropping DOS, WIN16 and WIN32. I've no idea if there was any WIN64 specific code, but yes, it seem's windows in general is being stripped.
yes we can, they are both projects of The OpenBSD Project:
http://en.wikipedia.org/wiki/O...
I don't see that as damning at all. I see that as a great leader.