Not Just a Cleanup Any More: LibreSSL Project Announced

An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."

Please change the name!

[cmdrbuzz]

LibreSSL.... Please for the love of code, change the name!

Re:Please change the name!

[TheGratefulNet]

libwressle.so - will be here, sunday, Sunday, SUNDAY!!

Re:Please change the name!

[YoungManKlaus]

just abbrevate it ... LSSL does not sound that bad to me :)

Re:Please change the name!

I think LeSSL would sound better since they are reducing the code base by so much

Re:Please change the name!

[gl4ss]

nothing to do with wrestling but it sounds like it has something to do with certain kind of "monthlies".

Re:Please change the name!

[KermodeBear]

Could not agree more. Sticking Libre! on the front of everything is getting annoying.

Re:Please change the name!

Agreed!

CleanSSL is already better than Libre lol (even if it's still annoying)

Re:Please change the name!

I thought he was making fun of Chekov...

Re:Please change the name!

[ThePhilips]

What is with this reaction of Americans to the French/Latin word "libre"?

Re:Please change the name!

[Mitchell314]

It's the british that use '-re' to sound like 'er'. My guess is that most americans have heard spanish long enough to link '-re' to sound like 'ay'. And have heard canadians long enough to put an 'ay' at the end of any word anyways. :P

Re:Please change the name!

[Pieroxy]

It's not English nor does it has English roots, so they don't like it. It's simple really. You can apply that to many things Americans don't like.

Re:Please change the name!

[ThePhilips]

And yet Americans like the work "liberty". Civil liberties. Statue of liberty. And so on. That is simply inexplicable.

Re:Please change the name!

[dave420]

I'm pretty sure that's not correct - I've not heard any brits pronounce it that way. They would probably pronounce it as "rer", but not "er". "Leebrer", quite possibly, but never "liber".

Re:Please change the name!

[K.+S.+Kyosuke]

Based on my superior knowledge of Indo-European etymology, I assert that the name means that this implementation will be able to take on some extra pounding from the attackers.

Re:Please change the name!

[martin-k]

LibreSSL? LibreOffice?

This reminds me of something...

http://youtu.be/iV3-OdQkXPU

Re:Please change the name!

[geminidomino]

Clearly you haven't been paying much attention to the US lately. Clearly, we don't.

Re:Please change the name!

[r.freeman]

Yeah we merricans prefer now our beloved police-state, big brother of NSA and all. Down with libre, liberty and all such terrorists.

Slavary is Freedom. NSA is Security War is Peace.

Better now?

Re:Please change the name!

[Barsteward]

English shares about 800 words with French, and French tend to use "re" instead of "er" hence words like" theatre" in English.

Re:Please change the name!

[NeverVotedBush]

What's that, LaSSL? Timmy fell down the well? ;-)

Re:Please change the name!

[StripedCow]

Please for the love of code, change the name!

It is a lot better than libiberty:
http://en.wikipedia.org/wiki/L...

Re:Please change the name!

[LoRdTAW]

Oui Oui, Le SSL!

Re:Please change the name!

[phantomfive]

Why? What's wrong with it?

Re:Please change the name!

[Yer+Mom]

So, how about FreedomSSL, then?

Re:Please change the name!

[tendrousbeastie]

I'm British and I always pronounce it as 'leebrer' or 'leebra'.

Re:Please change the name!

[PRMan]

As an American... This sounds AWESOME!

Re:Please change the name!

[Doug+Neal]

Same here although it never feels quite right. To me, it just looks French. In French the R would be silent, but 'leeb office' or 'leeb ssl' would sit even worse (and also sound a bit like 'lib' which could be very confusing)

Re:Please change the name!

The "r" in "libre" wouldn't be silent in french.

Re:Please change the name!

[ildon]

It has nothing to do with "Americans." It has to do with the fact that every single open source project that had a version called "Open Something" now has a fork called "Libre Something," even when the name change doesn't make sense (because the original version was "libre" software, too).

It's just people getting tired of a silly trend and a lazy naming scheme.

Re:Please change the name!

[viperidaenz]

FixedSSL

Re:Please change the name!

[Rising+Ape]

It sounds clunky and awkward.

Re:Please change the name!

[thegarbz]

There's nothing wrong with the word Libre, it's just its use in this context is poor.

Open source has for a long time had a massive problem with naming of programs. I'm not talking about GIMP, I'm talking about naming things in an obvious way, like Photoshop, Paint Shop Pro, both those names mean something, OpenSSL means something too.

The problem is the title clash. OpenOffice, OpenSSL, MySQL, were examples of well named packages where the titles will straight away tell you what the package does. MariaDB wtf? But more importantly the use of the word Libre doesn't differentiate the product.

What is LibreSSL? You mean OpenSSL with a French title? How do projects who's names are synonyms differ? Is LibreSSL somehow free'r than OpenSSL? Or is it the other way around given that OpenSSL is portable to more platforms. Why should I pick one over the other? There's nothing in the title to indicate that they are gutting the code down to size, unlike say TinyVNC.

Why not call it CleanSSL (I didn't say I was better at picking names).
I actually also like the original name suggestion in the blog post, ValhallaSSL. It doesn't mean anything new in the context above but at least it isn't a synonym.

Re:Please change the name!

[thegarbz]

What does Libre mean to you, and how does it apply in the context of LibreSSL vs OpenSSL?

For one, the package with Liberty in the title actually provides less freedoms to the user of how and where they run it. But even if it was just as free to run and use everywhere (which it eventually will be), what does the title actually mean? Assume you've never heard of either package and had to chose them by title. What are the differences?

It made sense for OpenOffice (though I still think LibreOffice is a crap name).

Re:Please change the name!

[phantomfive]

So, your point is that you don't like the name because it doesn't convey meaning?

Re:Please change the name!

[thegarbz]

Not only does it not convey meaning, it's meaning is obfuscated by a similar project that does the same thing with a name that is a synonym. It attempts to convey a meaning that is already in use in another project.

So ... what does LibreSSL mean to you and not knowing anything of the project how does it compare to OpenSSL?

CleanSS?
TightSSL?
BSDSSL?
or my favourite so far:
Secure SSL :-)

Re:Please change the name!

[phantomfive]

Secure SSL :-)

Good call.

I don't think a name whose main purpose would be to distinguish it from OpenSSL would be very useful, since not long from now OpenSSL will be forgotten, and everyone will be using LibreSSL.

Re:Please change the name!

[gmhowell]

What is with this reaction of Americans to the French/Latin word "libre"?

Because the frogs are all about accepting words based in non French?

Re:Please change the name!

[Barefoot+Monkey]

Or they could go with MoreSSL, which sounds delicious.

Re:Please change the name!

[thegarbz]

Is that a given? The first thing the BSD guys are doing is removing any portability in favour of clean code. Then auditing and getting it running on BSD. They've openly said they have no plans to support other systems and the compile already fails on Linux. I'm sure someone will fix it and port it to other systems again. But in general your comment reminds me of a few projects which haven't died yet, Open Office, and MySQL. I was promised the same words you just said when LibreOffice and MariaDB cameout.

Re:Please change the name!

[hobarrera]

You mean spanish, right?

Re:Please change the name!

[Dr.+Blue]

What is with this reaction of Americans to the French/Latin word "libre"?

Don't know about others, but for me it makes me think of Jack Black in tights. And that's just not pleasant.

Re:Please change the name!

[cheesybagel]

I preferred the other name I heard. Open^2SSL.

Re:Please change the name!

[cheesybagel]

LessSSL is actually a better name since they are deleting code rather than adding code.

Re:Please change the name!

[phantomfive]

Well, unless someone else cleans up OpenSSL, it will be going away for sure. Either that or I have too much respect for developers and IT people in this world, and I don't have much.

Re:Please change the name!

[Barefoot+Monkey]

I don't disagree. In fact, I love that idea for a name, and will be delighted if they decide to use it. LibraSSL is very awkward; LessSSL is slick.

Re:Please change the name!

[aestrivex]

but as everyone knows, moreSSL is just an old, crappy library that is clunky and strange and all of whose features are present in lessSSL

Re:Please change the name!

[Karzz1]

I like VSSL -- very secure socket layer :P
It could even be written/pronounced VeSSeL. Loose definitions of vessel could even be applied to the functionality of SSL.

Re:Please change the name!

[Dolda2000]

Do note how you can also read it as libReSSL, though.

Slow clap

[isa-kuruption]

'Nuff said

Or..

[bytesex]

you use polarssl. Which is already exactly that.

Re:Or..

[marcello_dl]

Possibly it would be easier to integrate polarssl than clean up openssl, but they maybe like to work on crypto code instead of on interfaces.
Given that it's a volunteer effort (by them and by those who will volunteer some cash) I do not complain about it anyway.

Re:Or..

[Dancindan84]

That's what I was wondering. The summary is a little vague, and I didn't really get a whole lot of clarity reading the articles as to whether OpenBSD was cleaning up OpenSSL and forking it to LibreSSL, or just cleaning up the code AS they forked it to LibreSSL. It seems like the latter, and if they're not contributing back and keeping LibreSSL OpenBSD only (at least initially), they're solving a problem less than 1% of us are having rather than helping a whole lot more.

I'd much rather see the OpenSSL project itself get cleaned up (or forked/restarted for "everyone" if the code needs more than cleanup) than have it forked and cleaned up for JUST an OpenBSD implementation.

Re:Or..

Are you on crack or just poorly trolling?

How is that even remotely "holding OpenSSL hostage" ??? they make their own version for their pet OS. No one forces *you* or anyone else to use it, no one is forbidden to fix OpenSSL meanwhile (except for these few developpers cleaning up LibreSSL I guess)

If you know how to fix OpenSSL, please be my guest, otherwise just stop spouting nonsense ...

oh, and by the way, seriously, go take a look at the horrible code that they're cleanning up and removing ... double free, missing checks, useless if/else conditions, memory mismanagments, and worse ... that cleanup was long overdue.

Re:Or..

[xxxJonBoyxxx]

PolarSSL doesn't have the same licensing model as OpenSSL, so it's not a drop-in replacement. (https://polarssl.org/how-to-get vs. http://www.openssl.org/source/...)

Re:Or..

[rvw]

It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help. OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD unless you give them money to make it not.

FUD!

It's BSD! Source code will be available. No restrictions! How can they not give it back?

Re:Or..

[serviscope_minor]

Strong, your hatred of OpenBSD is. Blinded you are.

Actually, more like a raging fuckwit you are.

It's not about a better OpenSSL. It's about OpenBSD waving its penis around.

Frankly you're a complete fucking idiot if you think that. Basically if you persist on believing it, you are either ignorant or stupid. If the former, there's no excuse because it've been covered so many times on just slashdot alone. Therefor it's wilful ignorance. Actually I think it's malice because you appear to hate OpenBSD for no rational reason.

OpenBSD want an API compatible, SAFE version of OpenSSL for their operating system. Rather than whining on the internet with their tumb up their ass, they're actually doing something about it. So they can provide a safe, BSD licensed operating system, which is their goal.

The OpenSSL team is amenable to aid; but they have two developers and no help.

So? That's the fault of the 10,000 companies out there who use openSSL but were too stupid to consider it worth chucking a few bucks to the OpenSSL team. The fact that the OpenBSD team is doing something about it is not a fault with the OpenBSD team.

OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD

Well, I guess they should have used a different license then. The OpenBSD folks aren't even makeing it closed source. It's out there if you want it. And it's specific to OpenBSD because---guess what---it's being done by OpenBSD developers. But they're good programmers and good people. It's not going to be heavily tied to OpenBSD. It will be pretty portable code.

OpenBSD unless you give them money to make it not.

OMG nuuuu!!111oneeleven People on the internet aren't working for free for me!! How dare those evil fuckers want to get fucking paid for FUCKING WORK!!! The bastards! They're doing nothing but waving their penises around. How dare they.

whine whine blah blah

No one is obligated to work for you for free. Fact is they actually are because OpenSSL badly needed this cleanup of the outer crap. The OpenBSD people are doing it for free in their own time and it's quite astonishingly arrogant of you (who hasn't donated a dollar or an hour of your time) to complain about how.

The chances are with the code being cleaned up, it will actually be more easily portable to other systems modern than the old code. They're not doing damage because the old code is still there and you can keep using it warts and all for as long as you like.

Re:Or..

[BitZtream]

Not contributing back? Are you fucking retarded? The OpenSSL team can always take fixes from the version that OpenBSD creates.

This has nothing to do with Theo's penis and everything to do with OpenSSL being a monstrous pile of crap that its devs are afraid to touch.

So basically what you want them to do is take your pet project, fix the fact that its a bloated pile of crap, and do it for your OS and your requirements which have absolutely nothing to do with theirs?

You've got to be pretty lazy and extremely selfish to make such a retarded comment ... and that goes for all the idiots who modded you insightful.

What they should have done, is created BSDSSL and dropped all the retarded SSLeay and other silly licensing crap that goes with OpenSSL.

And for the record, its unlikely that it won't work out of the box on *BSD, which have a pretty consistent API across all of them.

But hey, you're right, they should totally fix your problems for free because you said so and you weren't willing to do it yourself. Selfish fuck.

Re:Or..

You're right. It's not about a better OpenSSL. It's about OpenBSD taking security seriously and realising that unless they fork and do a massive cleanup then they'll not have a trustworty SSL implementation in their OS.

Why is it their job to make sure it works on Linux and other OS? Anyone can take this code and do as they please.

Do you think the OpenSSL project would accept the hundreds of changes that's been made for the past two weeks? In a timely manner? No. Fork and avoid the bureaucracy.

Re:Or..

[bluefoxlucid]

The source code is available. Is the labor available?

My point is that it costs less in labor to rewrite OpenSSL cleaned-up but OpenBSD only without consideration for other OSes than it does to rewrite OpenSSL with no such consideration. Then, when you go back and fix the now-broken OpenSSL rewrite (LibreSSL), you add more than the difference in that labor: it requires more overall effort to do this one-and-a-half times than to do it right once.

So you have two options: Pay up and have the OpenBSD writers supply the additional half-effort to port LibreSSL back to everything; or pay up and supply your own labor as the additional half-effort to port LibreSSL's changes back into OpenSSL, after fixing the code up for full multi-OS support, with a diverging code base as you go along making tracking harder over time.

They're not giving everyone a rewritten OpenSSL; they're giving everyone the concept of a rewritten OpenSSL, which you can put into use on OpenBSD, or you can apply your own effort or apply money to OpenBSD to get written to work on Linux/FreeBSD/Windows.

Re:Or..

[aliquis]

But maybe the people behind OpenSSL want their format of the code, want their VMS stuff even if it had no use longer (if that's the case) and want their own malloc if they consider that faster.

By doing it this way they can format the code in a way they are comfortable with reading/using and do whatever they want without anyone else complaining or not accepting their changes.

I don't know whatever they remove usable features which just isn't used by/necessary in OpenBSD or not.

Likely limit their burden but still allow them to fix what they may not feel comfortable using as is.

Re:Or..

[aliquis]

And as for LibreSSL the choice would be simple had OpenSSL not already been called OpenSSL.

Just rename it OpenSSLeay or something and let the OpenBSD people use OpenSSL ;D

Re:Or..

[serviscope_minor]

Conflicting stances.

No, not really. The OpenBSD people are working on OpenBSD for free because they want to. If you complain because they're not working on your preferred thing for free, you come across as a huge dick---precisely what you were complaining about said developers for waving around.

The fact of the matter is they have two possible modes of operation:

Holy false dichotomy batman!

Contribute code back to OpenSSL

The code is out there for the OpenSSL devs to take if they want. In fact it's all in the form of versioned patches against the OpenSSL code base. If the OpenSSL devs don't want to take it, then there's going to be a fork. That's not the fault of OpenBSD. The chances are there will be a fork because the goals of OpenSSL and OpenBSD are divergent.

or create a project tied to OpenBSD that won't run elsewhere.

Or the third way of creating a portable library.

They've voiced openly that this new code will run on OpenBSD but not elsewhere,

Seems reasonable. Their goal is to make a secure, BSD licensed operating system. I can see why they'd not want to waste their precious, valuable free (and sometimes funded by OpenBSD donors) time working on things which aren't open BSD.

but that they'll fix it to run elsewhere if you give them money

Sounds reasonable to me. If you want a programmer to work on something for you that they don't already want to do themselves, then you pay them. Completely reasonable. I won't port my libraries to Windows or MacOS unless someone pays me because I don't like working on windows and don't own a Mac.

Or, you could apply your own effort to it.

Isn't OSS neat? You don't even have to pay them! If you do the work up to an acceptable level of quality, they'll even bless it and include it in the official release. What decent, stand-up people they are.

Fact of the matter is they're not being philanthropic;

Of course they are: they're providing a complete, free, secure operating system with many components that with little effort can be released elsewhere. For free, using their own time an effort. Just because they're not giving you exactly what you want doesn't make them not philanthropic.

Do you also complain donate money to a registered charity instead of you personally? Does that also make them not philanthropists?

they're dangling a carrot and telling you if you want it you can either pay them to bring it down to you or you can climb the mountain and come take it

So basically they're providing some great free carrots and you're objecting because they're not walking up to you and stuffing it in your mouth. And it's hardly a mountain.

They're putting in some effort to grow the carrot,

If by some you mean a far, far more more than it would take for you to dray yourself up there, then yes. It's their time to put in. They can do it how they like. Dictating to them how they shoudl spend their time without offering the slightest incentive makes you seem entitled.

but they've decided to plant their carrot field atop a mountain instead of using the fertile farm land at the base where the villagers can get to it.

You mean they've put it where they need it rather than where a bunch of useleless people who have never contributed a thing to them and do nothing but whine on the internet would find it most useful. Oh the huge manatee! The bastards. How could they!

Only the elite--the rich or the strong--can get the carrot,

Or the people who run OpenBSD. It's free and open source. It even comes precompiled. Go install it for free and enjoy the fruits of their labour. Or contribute $1. If everyone who whinged like you contributed a dollar, you'd have it by now.

If you count your self as not rich enough to contribute a dollar and not strong enough to install OpenBSD or hack some C code, then you really do have my depeest sympathy. Well a bi

Re:Or..

Ummmm is that sarcasm or willful stupidity? I ask because OpenSSH will run on other systems.

taken right from the OpenSSH website .... oh and yes I have had OpenSSH working on systems other than OpenBSD

OpenSSH is developed by two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. We believe that simplicity without the portability "goop" allows for better code quality control and easier review. The other team then takes the clean version and makes it portable (adding the "goop") to make it run on many operating systems -- the so-called -p releases, ie "OpenSSH 4.0p1".

Re:Or..

[serviscope_minor]

My point is that it costs less in labor to rewrite OpenSSL cleaned-up but OpenBSD only without consideration for other OSes than it does to rewrite OpenSSL with no such consideration. Then, when you go back and fix the now-broken OpenSSL rewrite (LibreSSL), you add more than the difference in that labor: it requires more overall effort to do this one-and-a-half times than to do it right once.

Well, the OpenBSD people disagree with you. You also forgot the auditing of the code that they're goig to be doing once it's fixed. Much easier on a clean codebase.

They're not giving everyone a rewritten OpenSSL; they're giving everyone the concept of a rewritten OpenSSL, which you can put into use on OpenBSD, or you can apply your own effort or apply money to OpenBSD to get written to work on Linux/FreeBSD/Windows.

So they're buiding something they need for themselves personally, but are generous to make it available to everyone should anyone else need it. And they'll even let you freely modify it if it doesn't fit your needs! Not only that but if your mods are of no benefit to them but cleanly written and useful to others, they'll even go out of their way to include them in their project. What nice people. I think they should be applauded for their philanthropy.

They do sound like awfully nice people to me.

It's really a shame that there are so many people on the internet who complain they they're not spending even more time and even more effort to give more away for free. But there you go: some people just have a sense of entitlement out of all proportion.

Re:Or..

Call the new one OpenTLS and remove any support for old insecure SSL variants at the same time...

Re:Or..

[bluefoxlucid]

Well, the OpenBSD people disagree with you. You also forgot the auditing of the code that they're goig to be doing once it's fixed. Much easier on a clean codebase.

That's part of the initial work. Once the code is re-ported and re-imported into the (diverging) OpenSSL base, it will require an additional audit. Things like Frama-C produce reports on impact analysis--you changed one line in one function and it affected 15% of your entire 2 million line code base.

Decades of research indicate that doing something not-quite-right the first time and then going back and redoing it requires more labor than doing it right the first time. We have an end state that we argue is good; and an intermediate state that moves away from that, with an alternate plan which moves directly toward the end state. The argument is that this other strategy reaches a given end state with less total work.

So they're buiding something they need for themselves personally, but are generous to make it available to everyone should anyone else need it. And they'll even let you freely modify it if it doesn't fit your needs! Not only that but if your mods are of no benefit to them but cleanly written and useful to others, they'll even go out of their way to include them in their project. What nice people. I think they should be applauded for their philanthropy.

They do sound like awfully nice people to me.

They're making a political move. To argue directly against your argument, I would have to argue for the closing of the OpenBSD project entirely. I have instead provided a counter-argument that they could, you know, contribute to the community at large instead of to their own ego.

This is a think-of-the-children move. "Look how bad these OpenSSL people are! We're going to do a bunch of work to make things better! But it won't be better for YOU! It's just really being done to mock OpenSSL and show you that we're awesome, because we have things YOU don't have! Oh, but you could do a bunch of extra work yourself to take OUR things back and improve YOUR things. We won't do that though, because we're selfish tantrum-babies! But, OUR thing is free, so you know. We're really awesome! And fuck you all who don't use our thing, we're not here to help you infidels! We should fly a plane into your house!"

Re:Or..

[bluefoxlucid]

Tell you what, how about you come over to my house at a time of my choosing (I'm a busy man) and at your own expense (I don't see why I should have to pay you for travel if I'm not going to pay you for the work) and dig my garden for me for free and exactly how I like (it has to be just-so or it doesn't count).

Actually, in my community, I had a burned down house that was there for 14 years torn down. I've been recommended to put a fence around it so people don't walk through, but that would be ugly. Instead I've bought the lot, and planted fruit trees and lavender bushes, added a bee hive. So rather than a fenced-off ugly lot with a private park, I have applied similar (nearly identical) effort and gained a huge improvement for the community. Of course, trash does blow through occasionally and I have to rake it up out of the yard; that's almost exactly the same amount of work as anyway, what with twigs and leaves and lawn clippings from my normal tasks.

I could have, at nearly the same cost, placed a border fence instead, and then sold the house off to someone else. Then, if they were so inclined as to de-uglify the community, they could invest the added cost and effort to tear down and dispose of the fence, and then plan out and plant border plants (in my case, lavender) to make it nicer. When combining the expense and effort I put in with this added effort, we get significantly higher cost and effort than if I just go with this plan outright.

Similarly to the "doing it wrong the first time" pattern, my kitchen was built with a wide opening. I came in, cut down a wall, built across a half-height wall, moved a counter, and now my kitchen has 30% more floor space, 150% more cabinet space, 150% more appliance space. To do this initially would have taken an extra 90 minutes and $378; for me to do it as-is took 14 days of working time and an additional $1200, not including removal costs of excess materials from demolition.

So you see, this sort of "do it and do it over again" working behavior makes the community poorer. Rather than investing a few extra hours of time in multi-thousand-hour projects, we save 10-15 hours across years and create an additional several hundred hours of review and merging into diverging code bases, along with the increased risk in bugs as the code bases diverge and get features mutually migrated across, requiring additional labor for further review.

But we do get to tell people we're not doing a giant ego wank, and instead are doing what's best for the community.

Re:Or..

[Just+Some+Guy]

But their "JUST an OpenBSD implementation"s seem to be imminently portable to other platforms with minimal work. See OpenSSH as perhaps the shining example of this. If I were porting code to a new platform, I'd rather start with something from the OpenBSD guys than just about anyone else. That's why I donated to the project this morning.

Re:Or..

[ChunderDownunder]

Once the code is re-ported and re-imported into the (diverging) OpenSSL base, it will require an additional audit.

This is a permanent fork akin to KHTML -> Webkit.

There is Buckley's chance OpenSSL will survive in any relevant fashion in its original form.

Re:Or..

[ChunderDownunder]

sarcasm, hold your fire.

Parent is saying Theo and team are worthy stewards of ssh and will again be so regarding ssl.

Re:Or..

[serviscope_minor]

That's part of the initial work.

I'd say that's a good fraction if it.

Once the code is re-ported and re-imported into the (diverging) OpenSSL base

Who says they're going to do that? Much more likely that LibreSSL will be an API compatible alternative. They're only going to re-integrate if LibreSSL clean up which essentially means removing a huge amount of dead code. Which is what the OBSD people are doing.

it will require an additional audit.

Good job they're not doing it then.

Things like Frama-C produce reports on impact analysis--you changed one line in one function and it affected 15% of your entire 2 million line code base.

That sounds like poor design. The OBSD people are world class experts at producing secure, audited OS level C code.

Decades of research indicate that doing something not-quite-right the first time and then going back and redoing it requires more labor than doing it right the first time.

Who says what they're doing is wrong? They're making it for OpenBSD, but OpenBSD is not a whacky system. Besides it's much easier to make sane changes against a small, well written codebase than it is to make small changes against a hairy hoary mess.

The argument is that this other strategy reaches a given end state with less total work.

Actually, no your argument was that the OBSD developers were penis waving. Ignoring that for the moment, they're trying to get down to a small audited core. This means ripping out everything that harms that goal leaving behind a small, well organised core.

Perhaps it is better to make the core more portable than go for OBSD only then see what breaks when it's being ported. There are basically a few options here: try to fix the old codebase without breaking portability (very hard), make it sane first (what they're doing now) and make it sane without sacrafiacing portability.

The middle option is the least work, and this happens to be what they're doing. It's also the only option which aligns with their goals---not only is OBSD of personal interest to these people, but it would be deeply unethical of them to use OpenBSD funding to work on other operating systems.

However they're not being dicks about it and they're not going to make life hard for you if you want a portable version: they'll even integrate it right now if you have the changes.

They're making a political move. To argue directly against your argument, I would have to argue for the closing of the OpenBSD project entirely.

So basically, you think that Theo de Raadt, who has put a vast amount of his own time and effort into this should just stop because you say so? Are you for real?

I have instead provided a counter-argument that they could, you know, contribute to the community at large instead of to their own ego.

They provide one of the most secure OSs ever made completely for free for anyone who wants. How is this not contributing to the community? They also provide OpenSSH(d), the most widely set of ssh tools in the world. Again how is this not contributing to the community? Finally off their own backs they're doing a complete stripdown and audit of the most popular SSL library free for anyone to use. Not only that, they'll even keep it up to date. How the fuck is that not contributing to the community?

But no, you're suggesting that Theo and crew should just give up and contribute *DIRECTLY* to you. I doubt de Raadt even owns a Windows or Linux machine. Why and how do you think he would do portability to those systems?

Your sense of entitlement is *incredible*. Truly, I've been flaming on the internet for years and yet you are possibly the most entitles person I've met.

This is a think-of-the-children move. "Look how bad these OpenSSL people are! We're going to do a bunch of work to make things better

Yay! That's fantastic news! They're ripping out ancient and hideous VMS compatibility code and other e

Re:Or..

[serviscope_minor]

Actually, in my community...

So? I don't live in your comminuty. I live elsewhere so what you did there is useless to me. So, come over to my place and fix it up. No, I *DEMAND* you do, or I shall say mean things about you on the internet. In fact I shall say exactly the same silly things about you being a selfish bastard and how fuck me and basically all the same silly things you're saying about the OBSD developers.

Basically you're whining about how they're not (metaphorically) flying 5000 miles to fix up a house in your community and in your defense you're saying you are a good person because you fixed one in your community so it doesn't matter that you didn't fly 5000 miles to fix mine.

So either come and fix my house or stop complaining that the OpenBSD people aren't fixing yours.

Similarly to the "doing it wrong the first time" pattern, my kitchen was built with a wide opening.

Your analogy is poor. I better analogy would be ripping out the kitchen completely and then fixing all the rotten beams underneath it, then doing a complete structural survey to make sure it's not going to callapse all of a sudden in the future. All that is expensive and hard no matter what.

That fact that they're putting in just enough support material to get it running in one place (or if you like, tacking a few power sockets and basic plumbing) is not going to prevent yourself from building a lovely completely flawed analogy on top of this.

But we do get to tell people we're not doing a giant ego wank, and instead are doing what's best for the community.

Just like you with your dubious story at the beginning about you you improved your local community, the OpenBSD people are doing exactly the same with their local community. And you're whining because they're not putting in even more time to fix yours as well.

So, the offer stands: if you come and do my garden for me for free at your own expense then I'll accept your point that the OpenBSD people should do more free work for you than they're already doing.

Re:Or..

[thoth]

I'd much rather see the OpenSSL project itself get cleaned up

That would be ideal, and there's nothing stopping the OpenSSL project from doing that.

OpenBSD is a group that says - we are relying on this code that is totally busted, let's fix it - and they prioritized their OS first. I don't see a problem with that. OpenBSD is already making their work publicly available for free, they don't have the onus to actually provide bullet-proof solid code for every platform on the planet. Turns out other OS hackers need to roll up their sleeves too, and fork over some cash to support the effort.

Re:Or..

[Dancindan84]

That would be ideal, and there's nothing stopping the OpenSSL project from doing that.

Except for a lack of manpower and funding, which this fork is splintering even further. And the vague way that they say they're cleaning up OpenSSL when what they're doing is in fact forking it honestly strikes me as misleading. I don't mind that their out to make an OpenBSD specific fork of OpenSSL per se, just that if I'm going to fund something I'd rather fund getting it fixed for everyone.

Re:Or..

[bluefoxlucid]

Except that OpenBSD's code base won't be made to work on anything not-OpenBSD, and has been stated to break unless someone pays OpenBSD to not break it. So there will either be continuous chance of breakage unless people pay continuously, or there will be a fork of the fork--which will turn into people porting it back into OpenSSL.

The continuous chance of breakage isn't visible now: they said they'd make it OS-agnostic if people pay; they didn't say they would put continuous effort thereafter into keeping it that way, but they didn't say they wouldn't. They've hinted, thus, that they want cash rather than developer contributions; and that OS portability is not a goal of the project, but rather a thing done under a sort of social agreement which can be lubricated with something called "currency". These terms are worrying, as they hint that LibreSSL development may continue recklessly after being re-based as platform agnostic, and thus may again break by happenstance, and perhaps will not unbreak as this is not a goal of the OpenBSD developers writing LibreSSL, but it could be if you provide more currency.

So it's wasteful. It may be hostile.

Re:Or..

[bluefoxlucid]

Things like Frama-C produce reports on impact analysis--you changed one line in one function and it affected 15% of your entire 2 million line code base.

That sounds like poor design. The OBSD people are world class experts at producing secure, audited OS level C code.

Ah, I see you don't understand how programming works.

Let's say you have a function. And you call that function. It does one of two things: either it modifies an object passed to it, or it modifies global state (global variables, etc.)

When you modify an object, every function which does something with the part of the object which has been modified is affected. If you can show paths whereby changing this code changes the behavior of this other code, which has an impact on this other code, then you have spread impact. For example: if your modified function computes a boundary condition, modifying a line of code which controls how the boundary condition is computed has an impact on every function which uses that boundary condition.

So when you modify, say, a certain data packet handler that produces a certain object, then every function that handles that object is impacted. You modify one line, and 50 functions are impacted. The data that they see could be different, as it's computed in a different way--a more efficient way that's identical, perhaps (unit tests can show this); or a different way which fixes a bug, changing the data set in some conditions, which impacts what data those other functions will get in practice.

That means merging code between divergent code bases has far-reaching implications.

That or install OpenBSD. And I can assure you it would be less work for you to port it than the strip down and audit in the first place.

There is a 100% chance that the work required to fix OpenSSL as-is and keep it portable between OSes is substantially less than the work required to first fix OpenSSL with reckless abandon and make it non-portable, then go back through and pick it apart and work out how to make it portable again.

That means this is a waste of development effort. It should be done correctly the first time, not done wrongly the first time by a bunch of whiny babies throwing a tantrum.

Basically yes. They're giving awesome stuff away for free. If you don't like it you can simply pretend it doesn't exist and you've lost nothing.

Right. The OpenBSD developers are worth nothing.

Re:Or..

[BitZtream]

No. The OpenBSD team will make it OS agnostic and it will work on OpenBSD, making it OS agnostic doesn't mean they'll port it to other OSes, they do it for themselves. Its pretty fucking retarded that you think they should do it for you for nothing.

Re:Or..

[bluefoxlucid]

Like Internet Explorer is OS agnostic, it's just not ported to other OSes.

Anyway it's irrelevant. In 5 weeks no one will even remember LibreSSL was a thing.

Re:Or..

[serviscope_minor]

Let's say you have a function. And you call that function. It does one of two things: either it modifies an object passed to it, or it modifies global state (global variables, etc.)

one of 3 things. It can also compute something based on the data passed to it and not modify the data passed. That's functional style, and is generally considered good practive. The fact that you made such an elementary error after saying:

Ah, I see you don't understand how programming works.

amuses me.

That means merging code between divergent code bases has far-reaching implications.

who says they're merging back? If they are then your whining is for nothing since it will be merged back. If not then your point is moot.

There is a 100% chance that the work required to fix OpenSSL as-is and keep it portable between OSes is substantially less than the work required to first fix OpenSSL with reckless abandon and make it non-portable, then go back through and pick it apart and work out how to make it portable again.

You make this assertion, so prove it. The open BSD people are good programmers so they likely do not scatter OS dependenies throughout the code, but keep them cleanly at boundaries.

That means

No, because your assumption is faulty, your conculsions are unsupported.

The OpenBSD developers are worth nothing.

says the man who never uses SSH and never used a machine administered by ssh.

Re:Or..

[serviscope_minor]

I'm arguing that they're (metaphorically) a part of a community, and that they're doing substantial work, but they're doing the work in such a way that the community which they are a part of will need to do substantial additional work to benefit from it. If they were to do the work slightly differently, they would not do substantially more work, and yet the whole community would face great benefit.

No, you're full os shit basically. They're doing a huge amount of work. They're going to write portale code because they are good programmers but not going to to the porting---just like openssh. They write good solid portable code, other people port it, everyone wins.

It's basic economics.

It's funny hoy you cite "eonomics" as your argument for why people should give you free stuff. Here's a clue: pay them and they'll do it.

Re:Or..

[serviscope_minor]

Like Internet Explorer is OS agnostic

Da fuq?

Do you like making up lies to support your point, or do you actually believe the drek you're posting?

Anyway it's irrelevant. In 5 weeks no one will even remember LibreSSL was a thing.

No, your point will be irrelevant because someone will port it and LibreSSL will start replacing OpenSSL.

Re:Or..

[bluefoxlucid]

one of 3 things. It can also compute something based on the data passed to it and not modify the data passed. That's functional style, and is generally considered good practive.

And then you don't store that data anywhere, so that function doesn't impact any of the other code anywhere, because it doesn't impact any value that's passed on through the program, right?

Re:Or..

[bluefoxlucid]

who says they're merging back? If they are then your whining is for nothing since it will be merged back. If not then your point is moot.

The libav people go to the ffmpeg repos, get code, and merge it into ffmpeg. Same with vice versa. Do you think only OpenBSD LibreSSL developers could merge code back to OpenSSL? Probably someone else is going to pull the code from LibreSSL and merge it; otherwise wouldn't OpenBSD LibreSSL developers just be OpenSSL developers?

Apparently you don't understand how programming works as a group process either, or how community dynamics in open source software work, or something. Somewhere you've failed to figure out how code gets from one place to another.

Re:Or..

[Dutch+Gun]

That would be ideal, and there's nothing stopping the OpenSSL project from doing that.

Except for a lack of manpower and funding, which this fork is splintering even further. And the vague way that they say they're cleaning up OpenSSL when what they're doing is in fact forking it honestly strikes me as misleading. I don't mind that their out to make an OpenBSD specific fork of OpenSSL per se, just that if I'm going to fund something I'd rather fund getting it fixed for everyone.

Unfortunately, the OpenSSL team has demonstrated that they're unable to properly maintain a large codebase. Lack of funding does not turn your coding into a nightmare. That comes from a lack of leadership and coding discipline. The OpenSSL team decided that it could no longer rely on them to turn that project around, and has made the only decision that really makes any sense for them, considering their position.

The big question for me is how serious they are about supporting / developing proper compatibility layers. I was concerned when I hear about them ripping out compatibility code, but in thinking about it, I'd probably take the same approach. First start with your own native platform and write straight C / posix as much as possible, and then add a proper compatibility layer (meaning NOT just a bunch of platform #ifdefs scattered around the code) later.

We'll see how it shakes out, but I wish them luck in their endeavors. It will be interesting to see what comes of this. In the meantime, however, we should keep in mind that a lot of people still rely on OpenSSL, and will continue to do so until there is a viable alternative. Maybe this will motivate the OpenSSL team to clean up their own act in an attempt to avoid becoming irrelevant. Competition is, I think, a good thing, even among FOSS software project.

Re:Or..

[Desler]

Were any of the OpenBSD people previously OpenSSL contributors? If not there is no splintering at all it's simply another group of people taking the reins.

Re:Or..

[St.Creed]

Spouting logical fallacies really don't help your argument. Noone said there was a causal relationship between being available on one OS and being portable. In fact, GP claims exactly the opposite.

Re:Or..

[serviscope_minor]

hehe

you don't know about functional programming, pure functions and immutability and you want us to take your word for anything about maintaining a crypto library?

lolz are in order I think.

Re:Or..

[chriscappuccio]

The OpenBSD version of this library should work on any modern unix system with minimal to no change at all. The code being removed affects VMS, Windows, OS/2, and other systems. Even modern versions of Windows should require less hacks to work properly these days. The HUGE amount of workarounds, abstractions and obfuscations to support these ancient/useless systems are nothing but a hindrance to bug-free TLS support.

Re:Or..

[chriscappuccio]

Their format of the code is horribly broken and hard to read. Who really fucking cares what they want?

Re:Or..

[viperidaenz]

How about if you want to fork OpenSSL, you do it.

If OpenBSD want to fork OpenSSL, let them and stop bitching about it.

Re:Or..

[serviscope_minor]

As I've explained, it takes some units of labor

No, as you've asserted repeatedly without the slightest shred of evidence.

Think about if you paid $10,000 for a car, t

Blah balh, but you're not paying, you're asking them to work for you for free. Ain't gonna happen, leech.

Re:Or..

[gatkinso]

All together now, say it with me... "shim."

There! That wasn't as hard as we thought!

Re:Or..

[the_B0fh]

And? If you want it for your pet OS, you can write your own. Or you can pay someone to port something to your pet OS. And if you want to pay someone, go ahead. Nobody owes you anything.

Re:Or..

[the_B0fh]

He already stated that he has issues with Theo. That would explain his warped view of things.

Re:Or..

[the_B0fh]

Are you fucking retarded? The OpenBLD team can always contribute fixes to the version that OpenSSL maintains.

How? Did you see the number of changes and fixes already made? The OpenSSL team already said they can't handle it.

But hey, you're right, they should totally create a vendor-locked version of an extremely critical core Internet security technology and then tell people that they can either pay up or do the work to vender-unlock their non-portable code themselves. Selfish fucks.

"Hey, your shit stinks. If you can't fix it, I'll need to clean it up for my own use" and they're selfish fucks? You have a fucked up view of the world. Nobody owes you a damned thing. You are welcome to use OpenBSD if you want a safe secure version of ssl. If you don't, then don't. If you don't want to use OpenBSD, then go and pay someone to do it, or do it yourself.

Let me repeat that - nobody owes you a damned thing. This is a labor of love. They do not love what you love. They do not have to love what you love.

You are the fucking selfish fuck.

Re:Or..

[hobarrera]

I'd much rather see the OpenSSL project itself get cleaned up

That would be ideal, and there's nothing stopping the OpenSSL project from doing that.

There is something stopping them - that they're clearly incompetent and can't write secure (or even decent) code.

Re:Or..

[hobarrera]

They targeted their OS first. Everybody does that. Do you target ALL platforms when you write software, or so you target your own first, and when it works, test on others?

Re:Or..

[bluefoxlucid]

You're missing a large point here: function 'int getBoundaryLength(myObject *p)' returns back a piece of information about boundary length. A lot of things use boundary length, and boundary length is stored in a variable 'L = getBoundaryLength(p)' which gets passed around and assigned to things in objects (structures, classes) and subsequently used by other functions such as 'int copyBuffer(char *d, char *s)'.

Modifying how getBoundaryLength() produces its return value has an impact on all of this code. Buffers allocated on that length passed to other functions may be too short; copy operations may be too long. These are things you must verify. So a one-line modification to a function can have huge, sweeping impact across your program.

You can pretend you know more about programming because you think you've invented a way for modifications to one function to have no impact on any other part of the code; but if you ever achieve that goal, gcc has a "dead code eliminator" which removes your entire function, unless it's exported and thus gcc can't verify that nothing else calls it to useful effect.

Re:Or..

[bluefoxlucid]

Did... did you just argue that work doesn't take any units of labor? That there's not a shred of evidence that you need to actually do something to produce output?

You just argued that the world is magic and things rise out of the ether.

Re:Or..

[bluefoxlucid]

I target all platforms and avoid using any OS-specific facilities outside of #ifdef blocks, unless I'm writing something specifically for an OS that requires a particular facility (I.e. to enhance the OS, say like udev). Often I leave this to the people who wrote whatever Python modules I'm using these days.

Re:Or..

[serviscope_minor]

Did... did you just argue that work doesn't take any units of labor?

No, but you're apparently too dim to either remember your own arguments or comprehend mine. I'm arguing that you have no shred of evidence that the stripdown, audit, then port is more work than trying to clean the current code base other ways.

You keep claiming this but have no evidence.

You just argued that the world is magic and things rise out of the ether.

Like you? You're the one who keeps arguing that the OpenBSD people should do stuff for free because it would be better for you if they did. All I can say to that is no shit, sherlock, but it ain't gonna happen!

Re:Or..

[bluefoxlucid]

Oh I see. You're trying to ask for evidence that the sky is blue. Got it.

(It is considerably well-known that doing things to achieve the final goal in the first pass is vastly more efficient than doing things haphazardly with disregard to part of an end goal, then going back and adding the remaining requirements and redoing the work to fit with them. This is the basis for some archaic and probably outdated behavior commonly known as "planning".)

Re:Or..

[hobarrera]

That's easy to say for python and other high-level languages, but a lot harder for something in C. Especially due to a popularity of non-POSIX OSs out there.

Also, even if you do what you say, you still target and test your own platform first, and only start making sure it works on others once you have it working. Or do you test your code on all your target platforms from day 0?

Re:Or..

[bluefoxlucid]

Hint: Python doesn't have #ifdef blocks.

You do understand that POSIX and standard C libraries are essentially universal, and that OS-specific facilities are less-universal, right? POSIX compatibility gets me all BSD, AIX, System V, HPUX, Solaris, and OSX platforms; but I usually validate anything non-trivial against what's sane for Windows, if Windows is an eventual target. For something like a system allocator, Windows may not be a target: you can't really replace the system allocator anyway, whereas your allocator could get adopted by various libc implementations. For something like a MIDI sequencer, the choice of wxWidgets and portable middle-layer libraries or the cautious use of gtk+ facilities portable across all systems is usually a consideration.

From Day 0, I consider anything I do in my code against what my target platforms will be, and what facilities they are likely to not share. For example: All Unix systems are likely to share malloc() and mmap(). They're unlikely to share inotify or kevent facilities specific to Linux, which one should implement with caution. Likewise, relying on specialized system behavior is a big problem: a lot of people relied on the size of ints and longs, whereas I've always used uint32_t or int64_t or whatnot when the size had some real importance (i.e. in OpenSSL, that TLS heartbeat is a 16-bit value; you'd better not use 'unsigned short int' to refer to it, but rather 'uint16_t' from C99).

I learned C after I learned assembly. It seems unnatural to not consider the full impact of your programming code.

Re:Or..

[serviscope_minor]

(It is considerably well-known that doing things to achieve the final goal in the first pass is vastly more efficient than doing things haphazardly with disregard to part of an end goal, then going back and adding the remaining requirements and redoing the work to fit with them. This is the basis for some archaic and probably outdated behavior commonly known as "planning".)

First no. The old code base is such a mess that working with it is hard. This kind of thing can only be evaluated on a case by case basis.

Secondly the OpenBSD developers are good enough and smart enough to keep the OS speific stuff in a nice thin layer which makes porting easy. They will write easy to port code but not actually do the porting themselves.

Re:Or..

[serviscope_minor]

Modifying how getBoundaryLength() produces its return value has an impact on all of this code. Buffers allocated on that length passed to other functions may be too short; copy operations may be too long. These are things you must verify. So a one-line modification to a function can have huge, sweeping impact across your program.

Good god if you're doing it like that no wonder you think the effort is doomed.

If you make sure every function maintains its invatiants ad postconditions then given valid input data, you can be sure the output is always valid. There are ways of construting code so that it's easy to make sure the preconditions are always maintained. The audit will make sure that these easy methods are used throughout. Things like strlcat for example always guarantees null termination.

Then there are many ways of modifying the code such that you don't have to check everything.

In the most extreme case you an prove the code correct. Once proven correct a function cna never mysteriously become incorrect. It doesn't matter what it does, it will always be correct.

A lot of modern software design is about decoupling things so that you don't have to laboriously check the entire code base every time you make a small change.

Re:Or..

[rubycodez]

you seem to be ignorant of fact openssl didn't want to take the fixes or to be instructed on how to properly implement code. this was done out of frustration the openssl's teams lack of willingness to do things correctly or be corrected

Re:Or..

[rubycodez]

like the OpenBSD's team's openssh isn't ported to other OS? like every single commit of the fixes their are making on openssl aren't on globally public web servers? oh wait, they are... you must be totally full of shit

Re:Or..

[hobarrera]

All those points those considerations you say you take are being taken by the OpenBSD team. But they still haven't released ports for other OSs, because they target their own first. Much like what you describe you would do.

Of couse that the code they have right now may work on other OSs. But they've made no official release since they haven't targeted them yet.

Re:Or..

[bluefoxlucid]

This kind of thing can only be evaluated on a case by case basis.

In the same way that 6,880 pound kerb weight gasoline V8 pickup trucks with 400HP engines getting worse MPG than 3,220 pound kerb weight V6 passenger vehicles with 220HP can only be evaluated on a case-by-case basis.

I'm sorry but I'm going by scientific basis here, by known principles that have been put into practice, re-examined, and attacked repeatedly by method (agile project management is one such method to attempt to make repeating work less of a problem; it does reduce the problem and reduce risk compared to waterfall for projects which have high risk, but it still doesn't make parity). It simply takes less effort to consolidate multiple tasks into single tasks, for example the task of understanding a code base (as you write it) and ensuring cross-platform portability requires two passes: if you implement portability later, you have to re-examine the code base, find non-portable code, then re-envision how you want to write this code so that it meets requirements both old and new. That same work is done the first time you write it, just with different constraints and more mass output; doing it this way the first time eliminates the difference.

I guess you like to drive to the super market and spend 2 hours shopping for detergent, eggs, bread, yogurt, flour, pasta, sauces, cheese, and produce; and then drive home and go out for another 15 minutes to the corner store to get milk. Me, I'll take the 30 second diversion to grab the milk while I'm grabbing the yogurt at the super market.

Re:Or..

[bluefoxlucid]

You just don't get it. You're assuming that a function is perfect, that its code is provably correct. Well, we were originally talking about integrating new, not-broken, correct code into a code body which is incorrect, so that assumption is immediately useless here. Further, if your code is correct and perfect, why would you come back to modify it?

We're coming in to clean up bugs. Now we're taking code and integrating it from one changing code base into another changing code base. The new code may work properly, while the old has corner cases that break synergistically: some body of code may work properly only in the presence of a defect in some other body of code. Microsoft Windows' source code was published a decade or so ago, and it was rife with this--hacks on top of hacks.

Do you honestly think that this can be done by just "checking the function for correctness"? You've integrated some correct code from another codebase which now makes this part of your code correct. Unfortunately some other part of your code now fails and, in the most extreme cases, we've created a new exploitable condition!

So now you have to go back and assess impact. By changing this function, you change a lot of other code. That code has the same logic, but different data coming to it--it's the same cog shoved into a different machine. You can do analysis to see if your new function does anything different than the old function, if the conditions its output precipitates on can now produce different output. If you can't prove that it doesn't produce different output in some situations, then you must now assume that your program changes may have wide impact. This includes if your output may be between 1 and 255, and it is, but it may return 47 instead of 42.

You can reduce the probabilities, but you cannot eliminate the risk. OpenSSL merging LibreSSL code without doing impact analysis and making sure the new code doesn't open new vulnerabilities will incur risk. Hell, LibreSSL will face the risk of creating new vulnerabilities as it goes, so you may eliminate 100 problems and cause 1 and that's okay because you are 99 problems better. The risk OpenSSL faces is greater, because they may import defective code from LibreSSL, or they may import code that works but which is no longer broken in such a way as required by other (still broken) code present in OpenSSL but no longer in LibreSSL.

Re:Or..

[bluefoxlucid]

OpenBSD didn't outright state that they're going to port OpenSSL to other OSes when they get some money. They did outright state that they're not going to make LibreSSL portable until they get some money. But thanks for showing the fallacy of equivocation.

Re:Or..

[serviscope_minor]

I guess you like to drive to the super market and spend 2 hours shopping for detergent, eggs, bread, yogurt, flour, pasta, sauces, cheese, and produce; and then drive home and go out for another 15 minutes to the corner store to get milk. Me, I'll take the 30 second diversion to grab the milk while I'm grabbing the yogurt at the super market.

Well to use your thoroughly butchered analogy, it's like the corner store being a couple of doors down. It's no more effort to park at home then walk to the store than it is to park at the store, then get back in, move the car 20 yards and then park again.

Re:Or..

[serviscope_minor]

Your point holds if OpenSSL are going to merge the changes back. I don't think they will, since they haven't merged in some bugfix patches that have been outstanding for years.

The whole point is about porting. They're writing it OpenBSD only. Assuming they know (for instance) strlcpy is correct, then can audit the rest of the code for correctness. When they find a platform without strlcpy (hello Linux!) someone can plonk in a correct strlcpy implementation and hey presto the thing is still correct throughout.

Porting well designed code is not that hard. The differences are going to be on things like missing functions (strl*) and socket differences. Once you make sure those bits of interface code are correct and you know you've checked everything else for correctness, then you know that the combination is correct.

Just because you've changed the socket code, and that might change the data doesn't mean you have to check everything else in the codebase that uses the data. Once you're sure your socket code is meeting the exprected preconditions that everything else expects then everything else will remain correct.

Re:Graphic design geniuses too

[marcello_dl]

They never claimed they were.

Re:Graphic design geniuses too

There's something at the bottom of the page.

"This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags"

Re:Graphic design geniuses too

[QilessQi]

This. Seriously. People may not think that appearance is important, but it is. Comic Sans does not inspire confidence.

Good Guy Theo

[nimbius]

finds out openssl is bollocks,
radically refactors and overhauls millions of lines of code.

as for the LibreSSL team, might i suggest some music?
http://www.openbsd.org/lyrics....
http://www.openbsd.org/lyrics....

Re:Good Guy Theo

[gweihir]

They already have music under the "OpenSSL" link on the LibreSSL webpage. Seems they are ahead of you ;-)

Re:Graphic design geniuses too

[Threni]

Who thinks it's important? Who'll decide to switch or not based on a font on a website? Why?

Re:Graphic design geniuses too

[benjfowler]

I'd say it's puerile -- and a bit alarming, considering these people are building something so important to the continued health of the internet.

Re:Can they do OpenSSH too?

They DO OpenSSH. And other projects: http://www.openbsdfoundation.org/

Please don't

[duke_cheetah2003]

Don't fork SSL, we need to keep one standard, I'd think. This is a bad idea. These resources could be used to improve OpenSSL directly.

Re:Please don't

[Kardos]

It's not a bad idea. OpenSSL has become unwieldy, which has been known for quite some time. A major refactoring is long overdue. Does it matter if the project changes name? OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.

> Even after all those changes, the codebase is still API compatible.

It's going to be a drop in replacement for OpenSSL. Same idea as the MariaDB fork of MySQL. Where is the "bad idea" here?

Re:Please don't

Where is the "bad idea" here?

A fork is alien to the OSS concept. If you are not happy with direction and quality of current maintainer and code, and think you can do better, you shouldn't just fork it and do it. Who have ever asked you to do that with OSS?? You should work with the provider and hope that helps.

Re:Please don't

[jeffmeden]

OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.

Rather, they apparently don't (hence the donations plea). What they do have time for is forking OpenSSL, cutting out the stuff they don't care about, and slapping each other on the back for giving OpenSSL a good poke in the eye.

Re:Please don't

[serviscope_minor]

Don't fork SSL

They're not.

we need to keep one standard

They are.

This is a bad idea.

It's not because your assumptions bove are faulty.

These resources could be used to improve OpenSSL directly.

That's exactly what they are doing. But they're forking OpenSSL because they want to do it their way.

Re:Please don't

[upuv]

SSL is the standard.
OpenSSL is an implementation
LibreSSL is an implementation

The standard isn't forked.

In this instance the standard mostly applies to the protocol. The on system interfaces will most likely mutate rather quickly. Most specifically at the user interaction level. The library interfaces will most likely remain steady.

This isn't a bad thing.

SSL and it's related crypto cousins is all about trust, but paradoxically Crypto people don't trust crypto people so there is very little trust out there. So really powerful things like personal / corporate certificate authorities just don't exist in practice. Imagine the power of a CA for personal certs. It would change authentication forever. Good bye 300 passwords. But since no two people can build two independent systems that truly trust each other there really is no hope for personal certificate authorities. Maybe this reboot of an SSL implementation can move us one step closer. Or even an inch/2.2cm.

Re:Please don't

[geminidomino]

What? Forking is a huge part of the OSS concept. "If you don't like the way the devs are going, STFU and change it yourself."

In *practice* it may not work that way very often (the biggest offenders in recent memory are massive projects that it's infeasible for a single or handful of developers to maintain. i.e. browsers, DEs, etc..), but you've got a pretty warped idea of OSS if you think it's "alien" to the concept.

Re:Please don't

[Sique]

I am not sure if this is an attempt at being ironic.

Re:Please don't

[serviscope_minor]

Rather, they apparently don't (hence the donations plea).

Seems unlikely they do. OpenBSD is a full time project. Also, wouldn't it be rather unethical to spend money donated to OpenBSD to work on non OpenBSD things. Besides whay makes you think these people even have Linux/Mac/Windows/iOS/wtfOS machines on which to do the porting?

What they do have time for is forking OpenSSL, cutting out the stuff they don't care about,

and then fixing up and auditing the code and providing a free, incredibly secure and open source operating system to everyone in the world, portable to something liek 20 pltforms. What bad people.

and slapping each other on the back for giving OpenSSL a good poke in the eye.

Basically you're a combination of paranoid and entitled. I think someone else described peolpe like you as shitheads. I'm inclined to agree. Tell you what: if you come over to my house and dig my garden for free, to my *exact* specification and travelling at your own expense (no, I won't provide you with lunch or even cups of tea and certainly not accomodation when it inevitably takes you more than a day), then I'll accept your argument that the OpenBSD people should be giving you even more free stuff than they already are.

Re:Please don't

[DaMattster]

OpenSSL needs a revamp. If the project won't do it, fork it!

Re:Please don't

[tiagosousa]

But then they couldn't use donations from LibreSSL to sponsor OpenBSD, which for them is the same project, even if 99% of the donors don't care about it, not to mention their basement DC.

Re:Please don't

[duke_cheetah2003]

Exactly. Does it matter if the project changes names? Why don't the people interested in 'fixing' OpenSSL just leave it named OpenSSL? Why change? Seems to me that forking OpenSSL to something new is giving the finger to those who developed SSL in the past, and saying 'we're not going to work with you.' It just seems very wasteful. Collaborate and fix it together, rather than splinter. Ever heard of divide and conquer? Why would open source community divide and conquer itself? Seems counter-productive.

Open to ripping out compatibility?

Granted, the OBSD team has a known personality.

That said, diffs to remove compatibility would likely be rejected. Also, the rate at which they're being submitted wouldn't be verifiable by the OpenSSL team.

Plus, it's better to have multiple libraries.

This is for the better.

Re:Open to ripping out compatibility?

[cant_get_a_good_nick]

Plus, it's better to have multiple libraries.

This is not a universal good. There is a cost to:

* Choice. Now I need to figure out which is better. This is why Amazon has reviews - choice makes things difficult.

* Diffusion of resources. Part of the reason OpenSSL was so bad was that this team had no money and no resources.

There are a lot of projects out there, forks for spite, forks for license religion, that are a waste of time and resources. "Oh ____ has a free software license, but it has slightly different focuses of types of freedom, therefore it's heresy. Hey, here's GNU____. We know you'll ignore the bugs/missing features, because FREEDOM"

Re:Graphic design geniuses too

[Missing.Matter]

Typefaces by their nature are designed to convey a specific emotions. It's the whole reason we don't simply convey written information in one fixed typeface; some are more appropriate than others given the situation.

Comic Sans in particular is designed to imitate comic book lettering. It's not particularly professional. In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals. Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

Re:Graphic design geniuses too

[serviscope_minor]

Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option. If people want to make stupid emotional decisions, then it's time to let them. No actually, it's time to encourage them because it means I will have fewer serious competitors of the competition hamstring themselves with ill-informed emotional decisions.

Re:Awesome!

[BreakBad]

Maybe not as pell-mell as it is opportunistic.

Get it FIPS certified

[sinij]

The key reason OpenSSL is so popular in US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has certified module.

Re:Get it FIPS certified

[brunes69]

People are starting to think tha "FIPS Certified" means "has all required NSA backdoors installed".

Re:Get it FIPS certified

[sinij]

You might be proven right by the next Snowden report, but this still will not change the fact that to sell to the government you need to demonstrate your crypto is certified.

Another way of thinking about this - your liability is much higher when your badly broken crypto results in your customer database in the pastebin, than when your backdoored library results in your customer database somewhere in the NSA data vault.

Re:Get it FIPS certified

[BitZtream]

Wrong.

A specific version of the OpenSSL binaries a LONG time ago received a low level of FIPS 140 certification. That certification was for specific binaries built from a specific code base. The instant a single line of source was changed, the entire FIPS certification is null and void for the new version. Depending not he exact way it was certified it is entirely possible that even compiling the same source code from the version that was certified ... does not itself receive the certification.

NO ONE uses the FIPS certified module as it is broken in many known ways. Anyone who does use it are retarded since its well known to be susceptible to several attacks that make it horribly broken even though it received a low level FIPS certification.

Re:Get it FIPS certified

[BitZtream]

Having gone through the certification process myself, people that think that are stupid, paranoid idiots. The certification process is entirely based on finding and fixing known flaws in the encryption process, nothing I saw would indicate any kind of weakening.

Of course, its entirely possible that the NSA was aware that my code was insecure and just didn't request any changes to make it weaker, but the certification process certainly didn't make that apparent.

Re:Get it FIPS certified

[Error27]

If you read the article then you'll see that the OpenBSD explicitly rejects FIPS certification as a goal.

FIPS certification is why OpenSSL includes the NSA backdoor DUAL EC pseudo random number generator. The code doesn't work but it's still included and can't be fixed. Anything which leads to an outcome like this... Disgust. Disgust and revulsion.

Re:Get it FIPS certified

[Kardos]

If OpenBSD is successful in their goal of making a lean and mean LibreSSL, is there anything that stops someone else from getting it FIPS certified?

Clearly it would have to be re-done with each release, so presumably nobody would bother until LibreSSL is stable.

Re:Get it FIPS certified

[Lennie]

Do you know what FIPS certification does ?

They check the algoritms (read: math), not the implementation.

So nothing has really changed from that standpoint.

Will LibreSSL be FIPS certified ? Probably not.

Re:Get it FIPS certified

[Bob9113]

The key reason OpenSSL is so popular in US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has certified module.

Sounds like a good idea. Perhaps the system integrators who want to have a FIPS certified version of SSL that is also secure should do the legwork on getting the certification done, while Theo and his team work on the code. Decentralized do-ocracy FTW.

Re:Get it FIPS certified

[greg1104]

That's why I avoid all this open-source hippie code and only use genuine RSA BSAFE.

Re:Get it FIPS certified

[greg1104]

That's not quite right either. The open-source releases of OpenSSL certainly do not ship with any implied FIPS certification. OpenSSL does offer FIPS validation for a specific build as part of their commercial support program. They say "Support for the FIPS Object Module, including assistance with building a validated module for a specific platform (if possible) is available with the Premium plan". It is not correct that these versions are exactly the same code as the ones first certified long ago.

There was an interesting post to the openssl annoucement mailing list about Flaws in Dual EC DRBG that sheds some more light on this area. It says: "The OpenSSL FIPS module is commonly used as the basis for rebranded proprietary validations (we call these 'private label' validations)", "FIPS 140-2 validations are expensive and difficult, taking on average a year to complete and we have to wait years between validations", and "Even if we wanted to fix it our options are severely constrained by the fact that the CMVP process forbids modifications of any kind (even to address severe vulnerabilities) without the substantial time and expense of formal retesting and review."

All this implies there absolutely are later versions of OpenSSL with FIPS certification out there. You just can't get one without significant input from the commercial end of the OpenSSL Foundation.

Re:Get it FIPS certified

[sconeu]

Have you ever participated in a FIPS certification?

They certainly do check the implementation.

Re:Get it FIPS certified

[chill]

The core encryption functions of an older version (0.9.8, I think) was spun off into a separate module and certified for FIPS. The certification process is that the code is provably correct and the implementation is flawless, which is why it takes so damn long. It is also why only the core crypto transforms are certified.

You CAN, and vendors DO update the wrapper module around the core functions and update things without having to go back under certification.

Case in point. The Red Hat version of FIPS-OpenSSL was susceptible to HeartBleed, even though the core FIPS module was based off of an older version that was produced before the code error was introduced! Why? Because the error wasn't in the core crypto but rather the wrapper, non-crypto code. The actual cryptographic transforms (AES, HMAC-SHA, etc.) functioned perfectly, but information was leaked by the non-crypto code.

LOTS of people -- like almost everyone in the U.S. Gov't or contractors that work on their systems -- use the FIPS certified module for OpenSSL. Or, at least, Red Hat's version of it.

Re:Get it FIPS certified

[BitZtream]

Cost. Thats about it. Certification for a very select bit of encryption, hashing and password generation code in my previous job was roughly $50k for the first round ... of which no one has ever succeeded at getting certified on first pass. You pretty much can't pay less than that, and every little bit of complexity you add drives the price up quickly.

Then, the certification is for THAT SPECIFIC code. Any changes to that module and its no longer certified. And by any changes I mean so much as adding a period to some text strings that are never used is enough to do it. ANY change. So you narrow down the module to be certified to the smallest amount of code possible.

Re:Get it FIPS certified

[gatkinso]

Actually, it is more about build tools, configuration control, and dependency management than anything mentioned above.

Re:Get it FIPS certified

[DaMattster]

The key reason OpenSSL is so popular in US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has certified module.

I would rather it NOT be FIPS certified. I trust my government as much as I trust an 800 lb gorilla.

Re:Get it FIPS certified

[mpe]

Generally, these "agency certifications" are entirely pointless. They only prove you have followed the letters of some irrelevant process.

Whilst they can be technically useless they can be politcially vital.

Re:Get it FIPS certified

[hobarrera]

I highly doubt that the OpenBSD/LibreSSL people will invest in that. They care about doing secure software, not "lots of people using it", so, unless someone else pays the certification, it won't happen.
I'm amazed at how OpenSSL had so many issues, know inside the security community, but you still get FIPS certificaion if you use it. Clearly it's no more than a fancy stamp.

Re:Graphic design geniuses too

[jeffmeden]

In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals

Except you're right, it was caused by half-assing what was supposed to be a good feature, because the programmers decided they would just stop and come back to it later. But now we have *different* amateur volunteers working on it! Problem solved!

Re:Graphic design geniuses too

[jeffmeden]

Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option. If people want to make stupid emotional decisions, then it's time to let them. No actually, it's time to encourage them because it means I will have fewer serious competitors of the competition hamstring themselves with ill-informed emotional decisions.

They're pleading for donations. Are you comfortable being the sole donor, too?

They should have start a naming contest ...

[Taco+Cowboy]

LibreSSL.... Please for the love of code, change the name!

I wish they would start a naming contest soon.

There ought to be _someone_ out there who can come up with some much better name than "LibreSSL" ...

Re:They should have start a naming contest ...

[Mitchell314]

gnuSSL? Although TLS should be supported, so maybe gnuTLS?

Re:They should have start a naming contest ...

[0100010001010011]

I doubt anything the OpenBSD group develops is going to be under the GNU licenses.

Re:They should have start a naming contest ...

[aix+tom]

How about VivaLaRevoluciónSSL. ;-P

Re:They should have start a naming contest ...

[Mitchell314]

Please don't make me explain the joke.

Re:Graphic design geniuses too

[jeffmeden]

I'd say it's puerile -- and a bit alarming, considering these people are building something so important to the continued health of the internet.

But it goes right along with the notion that they are not even considering helping the original OpenSSL project (one that they have benefited greatly from in the past) and instead simply forked it in order to do only work that benefits themselves. The "we will get around to multiplatform when the donations pour in" is about as pathetic as the "we will get around to fixing that vulnerability countermeasure code later" that caused Heartbleed in the first place. If Heartbleed didn't scare people away from Free/Open Source software, then this surely will. Mission accomplished, Theo!

Re:Graphic design geniuses too

They were kind enough to prepare their snark for you in advance.

At the moment we are too busy deleting and rewriting code to make a decent web page. No we don't want help making web pages, thank you.

Re:Libre is the new Open

SSSL - Secure SSL

LibreSystemd?

[Arker]

After stripping out all of the unnecessary bloat, you would be left with BSDinit. There really is no need to go through all that trouble since BSDinit is already available. Stable, robust, sane, and works great on Unix or Linux.

Re:Can they do OpenSSH too?

[gweihir]

The OpenSSH security track record is excellent, almost perfect.

Yup. Well, the "Statue of liberty" is French

[HaggiStan]

Quote from the Wiki article (*):

The Statue of Liberty (Liberty Enlightening the World; French: La Liberte eclairant le monde) is a colossal neoclassical sculpture on Liberty Island in the middle of New York Harbor, in Manhattan, New York City. The statue, designed by Frédéric Auguste Bartholdi and dedicated on October 28, 1886, was a gift to the United States from the people of France

(*): accents removed since slashdot seems unable to handle them

Re:Graphic design geniuses too

[gweihir]

You seem to have missed the line at the bottom...

The link to OpenSSL is funny too ;-)

s/open/libre/ ?

[fatp]

OpenOffice -> LibreOffice
OpenSSL -> LibreSSL

Will the next be
OpenSSH -> LibreSSH
OpenBSD -> LibreBSD
OpenStack -> LibreStack
... ?

Re:Graphic design geniuses too

[geminidomino]

Fait accompli, apparently. :D

Well played, Theo et al.

The same way we need to keep init standard?

[koinu]

A while ago... the common init startup procedures have been ignored by the Linux community and they developed their own Unix-incompatible way to start the system and even pollute many common applications with it so incompatibilties will be everywhere soon. And it keeps going on with KDBUS and so on..

Now when OpenBSD touches a central library it is ultimately bad for everyone, even when they don't destroy compatibility as much as it seems. Who uses VMS or pre-Windows-2000 systems today? Most of those people don't care about a new version of SSL anyway.

Re:The same way we need to keep init standard?

First, you are an idiot.

Secondly, SSL/TLS is not tied to OpenSSL.Rather, there exist quite a few implementations of a prose standard.

Thirdly, OpenSSL code was/is a hopeless pile of shit. This is not the first horrible issue. The faster we can get a clean alternative, the better it is.

Finally, Mr DeRaadt does the right thing and cleans out this Augias Stable. The fact that we have tons of morons who cannot think rationally in the IT world means little. Maybe lots of people shut simply shut up while Master Software Engineers like Mr DeRaadt take care of the important stuff.

Re:The same way we need to keep init standard?

[idontgno]

Theo, is that you?

The Imperial Third Person thing is certainly new and...interesting.

Anyways, thanks. I guess.

Ladies and Gentlemen, that was Theo De Raadt. Thanks for dropping by, Theo.

Re:What will be next: LibreSystemd?

[gweihir]

That one is easy: Just throw it away completely. Systemd is a major redesign of a major, critical Linux component.You would think that there is a very good, solid, compelling reason to do so. Apparently all they really have is "it boots faster". (And apparently id does not even do that in quite a few circumstances...)

My personal theory is that the NSA planned systemd as a project to sabotage Linux security (remember that Red Hat is primarily funded by the US military): Put an incompetent team with big egos in charge (Poettering and Sivers are certainly that), give them delusions of grandeur, make sure the BSD people ignore it by explicitly denying portability, and then just wait while the cretins produce a bloated, easy-to-exploit mess. (This "init-system" includes a freaking web-server! How stupid can you get?)

No need to place any backdoors, and all the countless vulnerabilities are genuine mistakes! Genius!

becase socialism is communism is real bad.

[Thud457]

I'm not gunna use no "liberal SSL", might as well just call it "socialist SSL" and get it over with.

They should call it "FREEDUMB:SSL" and make everybody happy.

Or at least "rePun SSL". Sorry, it's hard finding a use for that -ZL sound.

Re:Graphic design geniuses too

[benjfowler]

They just come over as a bunch of complete, smug, self-absorbed wankers.

*golf clap*

Re:Awesome!

[lemur3]

I look forward to new and interesting side-effects of the pell-mell rush to clean up the code of a poorly written, poorly maintained, and even more poorly documented software package!

more poorly documented than OpenSSL?

the OpenBSD team creates some of the best documentation out there.. it is one of their major accomplishments and clearly important to them.

if all they did were document it, openSSL would be better off for it.. they are forking it, improving the code and documenting it.

Of course, they arent gods, perhaps mistakes will be made.. but this team is known for producing high quality code and high quality documentation.. .. i think that you couldn't be any further from the mark with your flippant remark mr AC!

Re:Can they do OpenSSH too?

[gweihir]

Did you screw up the config? That will get you rooted...

Otherwise, please supply a CVE number for the vulnerability responsible.

Re:Can they do OpenSSH too?

[gweihir]

You did notice that "legacy" in the thing you quote? You can run OpenSSH with insecure settings or with protocol version 1.0. But if you use these you are supposed to look at the security trade-offs yourself. The thing is that it is not OpenSSH that is insecure here, it just allows you to shoot yourself in the foot after warning you.

Re:Graphic design geniuses too

[lemur3]

they are not even considering helping the original OpenSSL project (one that they have benefited greatly from in the past) and instead simply forked it in order to do only work that benefits themselves.

so youre suggesting that the maintainers of OpenSSL would have gladly allowed some new kids on the block come in and remove over 200,000 lines of stuff ? and that the new kids on the block are being lame for not trying to do so?

I think this move kind of strikes to the heart of the benefits of opensource projects. When someone decides they want to go in a different direction, they can. This direction is clearly (judging by the nearly 100,000 lines of code removed) different than the one the OpenSSL team is on..

The openbsd team supports over 20 platforms already. Deciding on on not supporting libressl on those 20 platforms before theyre even finished with the main bulk of the work seems pretty reasonable to me... and of course, it will be opensource.. you can go support other platforms if you want!

if you've got an axe to grind against Theo, and the openbsd team thats fine..... but at least you can be reasonable about this.. there is no evidence that the openbsd team has the same mentality as those in the openssl team had when it comes to making secure and correct code..

using funding to decide how/when theyll support other platforms doesnt relate in any way to the attitudes that caused the heartbleed bug... in fact, it might show that they wouldnt want to put a half-effort into something which they cannot use all of their resources on... which is a good thing.

License

[simon1tan]

They license the code so people can use it free of charge. Now they complain that people are using it free and not contributing back to the opensource community. Boohoo.

Re:Graphic design geniuses too

[thoth]

I don't think they care about how their font is interpreted.

I think this is more like - we're busy actually fixing code and not going to hire a team of web designers to produce a web 2.0 dynamic social-media-hooked-into website with a few links and a bit of text.

Aha!

[neiras]

This. Seriously. People may not think that appearance is important, but it is. Comic Sans does not inspire confidence.

WEB HIPSTER DETECTED! ;)

Re:Aha!

[QilessQi]

Guilty as charged. :-)

Re:Graphic design geniuses too

[serviscope_minor]

And your post goes right along with the notion that Slashdot is filled with shitheads.

Yeah basically this. The sense of entitlement from people is quite astonishing. It's not good enough that they provide a free, amazingly secure OS, a free suite of SSH tools used by the entire world and are provideing a complete, open, audited implementation of SSL apparently.

No, they should do more, for free on their own time.

Mod parent Troll

[neiras]

How the fuck does this kind of trolling/tin-foil-hattery get to +5? The only "Interesting" thing about it is the apparent level of paranoia being experienced by gweihir. I mean, Red Hat as an NSA tool to Destroy Linux? Sure!

I get it, some folks hate systemd and everything Lennart does (and I'm not picking sides anymore), but the parent is just a smear job.

Re:Mod parent Troll

[gweihir]

Have you even tried to find out what is going on? The evidence is getting quite compelling. But I guess some people cannot see what they do not want to see.

Re:Mod parent Troll

[neiras]

The evidence is getting quite compelling. But I guess some people cannot see what they do not want to see.

Look, if you think you have something and you want to be the messenger, by all means register a catchy domain name like Heartbleed (HatMunch?) and present your evidence of conspiracy in a straightforward, peer-reviewable way. I recommend staying away from Comic Sans when choosing a typeface.

It's a wild theory, but if you can present anything other than character assasination, cherry-picked facts and NSA O NOE, you might get listened to by people who matter. Until you do that, you're gonna get modded down, and rightfully so. It's put up or shut up time.

But I guess some people would rather vomit paranoia than actually put in the effort it takes to be heard.

Re:Mod parent Troll

[gweihir]

Well, to spin this further, you do know who downmodded me, and why I was at +5 before, right? Clearly this is done by the forces of evil. That would be the same people that pay you to be a troll here. And no, you do not get to define the rules. Oldest trick in the book to sabotage an opponent in a "discussion".

Re:Libre is the new Open

[pr0fessor]

SSSL - Secure Secure Socket Layer is that like when people say LAN Network - Local Area Network Network

Re:Graphic design geniuses too

[Pseudonym+Authority]

Are you retarded? For the trillionth time, OpenBSD had nothing to do with OpenSSL until they forked it? Learn how to fucking read.

Re:Graphic design geniuses too

[Pseudonym+Authority]

Luckily though, they have a history of completing quality software to back up such an attitude. That's way better then the countless shitty projects with websites that push the very limits of jQuery and have beautiful CSS, but are only half-functional at best and riddled with security holes and have an obnoxious focus on spreading the word via facebook and a dozen other social sites.

Re:Graphic design geniuses too

[Missing.Matter]

Actually, they went out of their way to make the website look so bad and added a snarky, unprofessional comment about "web hipsters" to play that fact up. If they had spent less time on the site it would have actually looked better. This is completely disregarding the fact that making a decent looking site takes maybe half an hour. The website they created completely *distracts* from the project.

Instead we have yet another open source project run by myopic developers. You know, people who want to develop, and only want to develop. Ancillary things like project maintenance, management, and fund raising are those not fun, boring things that developers don't want to do.... and which got OpenSSL into trouble in the first place.

Functionality

[morgauxo]

I wonder what, if any functionality they are removing.

I can't say that I understand systemd...

[emil]

...but it seems to be a key player in Project Atomic.

This seems to be Red Hat's analog of Solaris "Zones" which let you give root to someone you don't trust in an isolated sandbox on your system. It appears to go further than zones in that you can exchange these sandbox images, with all of their installed software, with other systems. This lets you virtualize without running multiple kernels, yeilding a tremendous savings of memory. The additional assertion is that 3rd party software sales will be of these complete sandbox images, not an RPM/tarfile.

I will have a bit of studying to do for Red Hat 7. These are compelling new features, seemingly well worth the initial bugs.

p.s. just don't pass debug to grub.

Re:Graphic design geniuses too

[QilessQi]

Yep, I couldn't have put it better. I don't think they understand how that landing page (and the comment you mention) will actually reduce the likelihood that visitors will trust their professionalism or donate to their efforts.

Re:Libre is the new Open

[adiposity]

I had the same idea. But I was actually serious.

I think they could called it "ClosedSSL."

"You are still using OPEN ssl? Are you crazy? Used this CLOSED ssl to keep hackers out."

Re:Graphic design geniuses too

[St.Creed]

It's not like they can steal openssl login credentials and just fix all the code and make a new release for them.

Unless OpenSSL is still using their original code :)

Re:Can they do OpenSSH too?

[gweihir]

Just my point. The OpenSSH project has done its learning and reached a quite high level of quality 10 years or more ago. Ans as it does what it is supposed to, there is no need to add features, making it even more secure.
 

Re:Am I the only one?

[Desler]

Yes. See: OpenSSH.

Re:Lets make some easy money!

[Desler]

They are not going to put back in the original code. They will build a proper portability layer. Just like what was done for OpenSSH.

Re:s/open/libre/ ?

[Desler]

There is an OpenBSD fork. It's called Bitrig.

Re:Please change the API

[chriscappuccio]

That will take time. The first versions will try to be API compatible because of the huge base of existing software. The future will see incremental API improvements as people learn from their experiences.

PolarSSL already won this race

[gatkinso]

No reason to reinvent that.

Re:PolarSSL already won this race

[DaMattster]

PolarSSL is basically non-free. It is copyleft but not truly free. The developers at OpenBSD will basically make LibreSSL the new standard and you'll want to adopt it because they have a helluva track record at writing quality, low-bug code.

Does OpenBSD Actually Work Now?

[prezkennedy.org]

The last time I tried it, it didn't even recognize my USB keyboard or mouse so it was completely and entirely useless. Seems like they should focus their attention on making an OS that works on computers built within the past decade instead of forking other projects' code.

Maybe that's how it's so secure?

Re:Does OpenBSD Actually Work Now?

[DaMattster]

I've not had a problem getting OpenBSD to work. Even if your mileage varies, you have dmesg and other troubleshooting tools at your disposal. Part of the fun of UNIX-like operating systems is getting them to work when they don't. You learn a lot about troubleshooting and gain a solid understanding of computers.

Re:Lets make some easy money!

[danknight48]

They are not going to put back in the original code. They will build a proper portability layer. Just like what was done for OpenSSH.

For which they want funding, before they will begin that work.

Let me put it to you as simple as possible, from their point of view:
"we waited for the heartbleed issue to be public. Then used it for our advantage"
"we removed 90k lines of code and removed support for multiple os's"
"we now require funding, before we carry on work"

I smell money grabbing bullshit to be honest.
Remove 90k lines of someone else's code and demand money? Finish the job, or dont bother starting it.

Grok LibreSSL

[ConstantineM]

If anyone's looking to grok it and potentially get involved, there's a fast OpenGrok available:

http://bxr.su/o/lib/libssl/src...

So is the solution in Open Source issue

[nhat11]

Is to create another OS alternative to replace the broken one? lol

Re:Graphic design geniuses too

[hobarrera]

I didn't understand what you were talking about until I checked the CSS's source.
They forgot to embed Comic Sans, so unless you installed it manually, you'll just see plain Sans. :)

Re:Graphic design geniuses too

[AC-x]

They missed a trick tho, they could have had a few of these under the Other OS's title :)

Re:Awesome!

[rubycodez]

yes, the team has proven themselves cleaning up BSD and many other projects. they have creds and accomplishments in that field

Re:Graphic design geniuses too

[rubycodez]

suck on this thermometer: http://www.openbsdfoundation.o...

Re:What will be next: LibreSystemd?

[rubycodez]

OpenBSD already has your LibreSystemd, it's called the BSD rc script system. it fucking works, bitches.

Re:Lets make some easy money!

[rubycodez]

wrong, they are working already. They've been working for years. They have been getting funding for years. They have proven projects that benefit everyone. They are merely asking for more donations: http://www.openbsdfoundation.o...

what is wrong with that, they have long track record of success.