Slashdot Mirror


Not Just a Cleanup Any More: LibreSSL Project Announced

An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."

53 of 360 comments

  1. Please change the name! by cmdrbuzz · · Score: 3, Informative

    LibreSSL.... Please for the love of code, change the name!

    1. Re:Please change the name! by TheGratefulNet · · Score: 4, Funny

      libwressle.so - will be here, sunday, Sunday, SUNDAY!!

      --
      "It is now safe to switch off your computer."
    2. Re:Please change the name! by Anonymous Coward · · Score: 3, Funny

      I think LeSSL would sound better since they are reducing the code base by so much

    3. Re:Please change the name! by ThePhilips · · Score: 4, Insightful

      What is with this reaction of Americans to the French/Latin word "libre"?

      --
      All hope abandon ye who enter here.
    4. Re:Please change the name! by Mitchell314 · · Score: 2

      It's the British that use '-re' to sound like 'er'. My guess is that most Americans have heard Spanish long enough to link '-re' to sound like 'ay'. And have heard Canadians long enough to put an 'ay' at the end of any word anyways. :P

      --
      I read TFA and all I got was this lousy cookie
    5. Re:Please change the name! by ThePhilips · · Score: 3, Interesting

      And yet Americans like the word "liberty". Civil liberties. Statue of Liberty. And so on. That is simply inexplicable.

      --
      All hope abandon ye who enter here.
    6. Re:Please change the name! by martin-k · · Score: 2

      LibreSSL? LibreOffice?

      This reminds me of something...

      http://youtu.be/iV3-OdQkXPU

    7. Re:Please change the name! by geminidomino · · Score: 3, Funny

      Clearly you haven't been paying much attention to the US lately. Clearly, we don't.

    8. Re:Please change the name! by NeverVotedBush · · Score: 3, Funny

      What's that, LaSSL? Timmy fell down the well? ;-)

    9. Re:Please change the name! by Anonymous Coward · · Score: 2, Informative

      The "r" in "libre" wouldn't be silent in French.

    10. Re:Please change the name! by thegarbz · · Score: 2

      There's nothing wrong with the word Libre, it's just its use in this context is poor.

      Open source has for a long time had a massive problem with naming of programs. I'm not talking about GIMP, I'm talking about naming things in an obvious way, like Photoshop, Paint Shop Pro, both those names mean something, OpenSSL means something too.

      The problem is the title clash. OpenOffice, OpenSSL, MySQL, were examples of well named packages where the titles will straight away tell you what the package does. MariaDB wtf? But more importantly the use of the word Libre doesn't differentiate the product.

      What is LibreSSL? You mean OpenSSL with a French title? How do projects whose names are synonyms differ? Is LibreSSL somehow freer than OpenSSL? Or is it the other way around given that OpenSSL is portable to more platforms? Why should I pick one over the other? There's nothing in the title to indicate that they are gutting the code down to size, unlike say TinyVNC.

      Why not call it CleanSSL (I didn't say I was better at picking names).
      I actually also like the original name suggestion in the blog post, ValhallaSSL. It doesn't mean anything new in the context above but at least it isn't a synonym.

    11. Re:Please change the name! by Barefoot+Monkey · · Score: 3, Funny

      Or they could go with MoreSSL, which sounds delicious.

    12. Re:Please change the name! by cheesybagel · · Score: 2

      LessSSL is actually a better name since they are deleting code rather than adding code.

  2. Re:Graphic design geniuses too by marcello_dl · · Score: 2

    They never claimed they were.

    --
    ---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
  3. Re:Graphic design geniuses too by Anonymous Coward · · Score: 5, Informative

    There's something at the bottom of the page.

    "This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags"

  4. Re:Graphic design geniuses too by QilessQi · · Score: 2

    This. Seriously. People may not think that appearance is important, but it is. Comic Sans does not inspire confidence.

  5. Re:Graphic design geniuses too by Threni · · Score: 2

    Who thinks it's important? Who'll decide to switch or not based on a font on a website? Why?

  6. Re:Can they do OpenSSH too? by Anonymous Coward · · Score: 3, Informative

    They DO OpenSSH. And other projects: http://www.openbsdfoundation.org/

  7. Please don't by duke_cheetah2003 · · Score: 2

    Don't fork SSL, we need to keep one standard, I'd think. This is a bad idea. These resources could be used to improve OpenSSL directly.

    1. Re:Please don't by Kardos · · Score: 5, Insightful

      It's not a bad idea. OpenSSL has become unwieldy, which has been known for quite some time. A major refactoring is long overdue. Does it matter if the project changes name? OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.

      > Even after all those changes, the codebase is still API compatible.

      It's going to be a drop in replacement for OpenSSL. Same idea as the MariaDB fork of MySQL. Where is the "bad idea" here?

    2. Re:Please don't by Anonymous Coward · · Score: 2, Funny

      Where is the "bad idea" here?

      A fork is alien to the OSS concept. If you are not happy with direction and quality of current maintainer and code, and think you can do better, you shouldn't just fork it and do it. Who have ever asked you to do that with OSS?? You should work with the provider and hope that helps.

    3. Re:Please don't by upuv · · Score: 3, Interesting

      SSL is the standard.
      OpenSSL is an implementation
      LibreSSL is an implementation

      The standard isn't forked.

      In this instance the standard mostly applies to the protocol. The on system interfaces will most likely mutate rather quickly. Most specifically at the user interaction level. The library interfaces will most likely remain steady.

      This isn't a bad thing.

      SSL and its related crypto cousins are all about trust, but paradoxically crypto people don't trust crypto people so there is very little trust out there. So really powerful things like personal / corporate certificate authorities just don't exist in practice. Imagine the power of a CA for personal certs. It would change authentication forever. Goodbye 300 passwords. But since no two people can build two independent systems that truly trust each other there really is no hope for personal certificate authorities. Maybe this reboot of an SSL implementation can move us one step closer. Or even an inch/2.2cm.

  8. Re:Graphic design geniuses too by Missing.Matter · · Score: 4, Insightful

    Typefaces by their nature are designed to convey specific emotions. It's the whole reason we don't simply convey written information in one fixed typeface; some are more appropriate than others given the situation.

    Comic Sans in particular is designed to imitate comic book lettering. It's not particularly professional. In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals. Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

  9. Re:Or.. by Anonymous Coward · · Score: 2, Interesting

    Are you on crack or just poorly trolling?

    How is that even remotely "holding OpenSSL hostage"??? They make their own version for their pet OS. No one forces *you* or anyone else to use it, no one is forbidden to fix OpenSSL meanwhile (except for these few developers cleaning up LibreSSL I guess)

    If you know how to fix OpenSSL, please be my guest, otherwise just stop spouting nonsense ...

    Oh, and by the way, seriously, go take a look at the horrible code that they're cleaning up and removing ... double free, missing checks, useless if/else conditions, memory mismanagement, and worse ... that cleanup was long overdue.

  10. Re:Graphic design geniuses too by serviscope_minor · · Score: 2

    Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

    Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option. If people want to make stupid emotional decisions, then it's time to let them. No actually, it's time to encourage them because it means I will have fewer serious competitors of the competition hamstring themselves with ill-informed emotional decisions.

    --
    SJW n. One who posts facts.
  11. Get it FIPS certified by sinij · · Score: 5, Insightful

    The key reason OpenSSL is so popular in US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has certified module.

    1. Re:Get it FIPS certified by brunes69 · · Score: 3, Funny

      People are starting to think that "FIPS Certified" means "has all required NSA backdoors installed".

    2. Re:Get it FIPS certified by sinij · · Score: 3, Insightful

      You might be proven right by the next Snowden report, but this still will not change the fact that to sell to the government you need to demonstrate your crypto is certified.

      Another way of thinking about this - your liability is much higher when your badly broken crypto results in your customer database in the pastebin, than when your backdoored library results in your customer database somewhere in the NSA data vault.

    3. Re:Get it FIPS certified by BitZtream · · Score: 2

      Wrong.

      A specific version of the OpenSSL binaries a LONG time ago received a low level of FIPS 140 certification. That certification was for specific binaries built from a specific code base. The instant a single line of source was changed, the entire FIPS certification is null and void for the new version. Depending on the exact way it was certified it is entirely possible that even compiling the same source code from the version that was certified ... does not itself receive the certification.

      NO ONE uses the FIPS certified module as it is broken in many known ways. Anyone who does use it is retarded since it's well known to be susceptible to several attacks that make it horribly broken even though it received a low level FIPS certification.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    4. Re:Get it FIPS certified by BitZtream · · Score: 4, Informative

      Having gone through the certification process myself, people that think that are stupid, paranoid idiots. The certification process is entirely based on finding and fixing known flaws in the encryption process, nothing I saw would indicate any kind of weakening.

      Of course, it's entirely possible that the NSA was aware that my code was insecure and just didn't request any changes to make it weaker, but the certification process certainly didn't make that apparent.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    5. Re:Get it FIPS certified by chill · · Score: 2

      The core encryption functions of an older version (0.9.8, I think) were spun off into a separate module and certified for FIPS. The certification process is that the code is provably correct and the implementation is flawless, which is why it takes so damn long. It is also why only the core crypto transforms are certified.

      You CAN, and vendors DO update the wrapper module around the core functions and update things without having to go back under certification.

      Case in point. The Red Hat version of FIPS-OpenSSL was susceptible to Heartbleed, even though the core FIPS module was based off of an older version that was produced before the code error was introduced! Why? Because the error wasn't in the core crypto but rather the wrapper, non-crypto code. The actual cryptographic transforms (AES, HMAC-SHA, etc.) functioned perfectly, but information was leaked by the non-crypto code.

      LOTS of people -- like almost everyone in the U.S. Gov't or contractors that work on their systems -- use the FIPS certified module for OpenSSL. Or, at least, Red Hat's version of it.

      --
      Learning HOW to think is more important than learning WHAT to think.
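An added illustration of the point made in the comment above (this is example code written for this page, not code from OpenSSL, LibreSSL or Red Hat): a TLV-style record handler whose only defect is a missing length check in the non-crypto wrapper, shown beside the hardened form. The record layout (1 byte type, 2 byte big-endian length, payload), the type value 0x01 and the buffer sizes are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed record layout: 1 byte type, 2 byte big-endian payload
 * length, then the payload. Assume the crypto layer has already
 * authenticated and decrypted `rec` (that is the part a FIPS module
 * certifies); everything below is ordinary wrapper code. */
#define REC_HEADER 3
#define REPLY_MAX  256

/* Unsafe parser: trusts the length field carried inside the record and
 * ignores the length actually received, so a record that declares a
 * payload larger than it carries makes memcpy read past the end of
 * `rec`. Kept only to show where the missing check sits; it is only
 * ever called with well-formed input here. */
static int echo_unsafe(const uint8_t *rec, size_t rec_len,
                       uint8_t *reply, size_t reply_cap) {
    (void)rec_len;                      /* bug: real length never consulted */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > reply_cap) return -1;
    memcpy(reply, rec + REC_HEADER, declared);
    return (int)declared;
}

/* Hardened parser: every length is validated against what was actually
 * received before any copy happens. Returns the number of echoed bytes,
 * or -1 if the record is malformed. */
static int echo_safe(const uint8_t *rec, size_t rec_len,
                     uint8_t *reply, size_t reply_cap) {
    if (rec == NULL || reply == NULL) return -1;
    if (rec_len < REC_HEADER) return -1;            /* header must fit */
    if (rec[0] != 0x01) return -1;                  /* constructed "echo" type */
    size_t declared = ((size_t)rec[1] << 8) | rec[2];
    if (declared > rec_len - REC_HEADER) return -1; /* the missing check */
    if (declared > reply_cap) return -1;            /* output must fit too */
    memcpy(reply, rec + REC_HEADER, declared);
    return (int)declared;
}

/* Build a constructed record with an arbitrary declared length, so both
 * well-formed and over-declared inputs can be produced for testing. */
static size_t build_record(uint8_t *out, size_t cap, uint16_t declared,
                           const uint8_t *payload, size_t payload_len) {
    if (cap < REC_HEADER + payload_len) return 0;
    out[0] = 0x01;
    out[1] = (uint8_t)(declared >> 8);
    out[2] = (uint8_t)(declared & 0xff);
    memcpy(out + REC_HEADER, payload, payload_len);
    return REC_HEADER + payload_len;
}

int main(void) {
    uint8_t rec[64], reply[REPLY_MAX];
    const uint8_t msg[] = "hello";
    size_t n = build_record(rec, sizeof rec, 5, msg, 5);
    printf("well-formed, unsafe parser: %d bytes\n",
           echo_unsafe(rec, n, reply, sizeof reply));
    printf("well-formed, safe parser:   %d bytes\n",
           echo_safe(rec, n, reply, sizeof reply));
    n = build_record(rec, sizeof rec, 0xFFFF, msg, 5);   /* lies about length */
    printf("over-declared, safe parser: %d (rejected)\n",
           echo_safe(rec, n, reply, sizeof reply));
    return 0;
}
```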
  12. Re:Graphic design geniuses too by jeffmeden · · Score: 2

    Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

    Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option. If people want to make stupid emotional decisions, then it's time to let them. No actually, it's time to encourage them because it means I will have fewer serious competitors of the competition hamstring themselves with ill-informed emotional decisions.

    They're pleading for donations. Are you comfortable being the sole donor, too?

  13. They should have start a naming contest ... by Taco+Cowboy · · Score: 2

    LibreSSL.... Please for the love of code, change the name!

    I wish they would start a naming contest soon.

    There ought to be _someone_ out there who can come up with some much better name than "LibreSSL" ...

    --
    Muchas Gracias, Señor Edward Snowden !
  14. Re:Or.. by rvw · · Score: 2

    It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help. OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD unless you give them money to make it not.

    FUD!

    It's BSD! Source code will be available. No restrictions! How can they not give it back?

  15. Re:Or.. by serviscope_minor · · Score: 2, Insightful

    Strong, your hatred of OpenBSD is. Blinded you are.

    Actually, more like a raging fuckwit you are.

    It's not about a better OpenSSL. It's about OpenBSD waving its penis around.

    Frankly you're a complete fucking idiot if you think that. Basically if you persist in believing it, you are either ignorant or stupid. If the former, there's no excuse because it's been covered so many times on just Slashdot alone. Therefore it's wilful ignorance. Actually I think it's malice because you appear to hate OpenBSD for no rational reason.

    OpenBSD want an API compatible, SAFE version of OpenSSL for their operating system. Rather than whining on the internet with their thumb up their ass, they're actually doing something about it. So they can provide a safe, BSD licensed operating system, which is their goal.

    The OpenSSL team is amenable to aid; but they have two developers and no help.

    So? That's the fault of the 10,000 companies out there who use openSSL but were too stupid to consider it worth chucking a few bucks to the OpenSSL team. The fact that the OpenBSD team is doing something about it is not a fault with the OpenBSD team.

    OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD

    Well, I guess they should have used a different license then. The OpenBSD folks aren't even making it closed source. It's out there if you want it. And it's specific to OpenBSD because---guess what---it's being done by OpenBSD developers. But they're good programmers and good people. It's not going to be heavily tied to OpenBSD. It will be pretty portable code.

    OpenBSD unless you give them money to make it not.

    OMG nuuuu!!111oneeleven People on the internet aren't working for free for me!! How dare those evil fuckers want to get fucking paid for FUCKING WORK!!! The bastards! They're doing nothing but waving their penises around. How dare they.

    whine whine blah blah

    No one is obligated to work for you for free. Fact is they actually are because OpenSSL badly needed this cleanup of the outer crap. The OpenBSD people are doing it for free in their own time and it's quite astonishingly arrogant of you (who hasn't donated a dollar or an hour of your time) to complain about how.

    The chances are with the code being cleaned up, it will actually be more easily portable to other modern systems than the old code. They're not doing damage because the old code is still there and you can keep using it warts and all for as long as you like.

    --
    SJW n. One who posts facts.
  16. Re:Libre is the new Open by Anonymous Coward · · Score: 5, Funny

    SSSL - Secure SSL

  17. LibreSystemd? by Arker · · Score: 2

    After stripping out all of the unnecessary bloat, you would be left with BSDinit. There really is no need to go through all that trouble since BSDinit is already available. Stable, robust, sane, and works great on Unix or Linux.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  18. Re:Or.. by serviscope_minor · · Score: 3, Insightful

    Conflicting stances.

    No, not really. The OpenBSD people are working on OpenBSD for free because they want to. If you complain because they're not working on your preferred thing for free, you come across as a huge dick---precisely what you were complaining about said developers for waving around.

    The fact of the matter is they have two possible modes of operation:

    Holy false dichotomy batman!

    Contribute code back to OpenSSL

    The code is out there for the OpenSSL devs to take if they want. In fact it's all in the form of versioned patches against the OpenSSL code base. If the OpenSSL devs don't want to take it, then there's going to be a fork. That's not the fault of OpenBSD. The chances are there will be a fork because the goals of OpenSSL and OpenBSD are divergent.

    or create a project tied to OpenBSD that won't run elsewhere.

    Or the third way of creating a portable library.

    They've voiced openly that this new code will run on OpenBSD but not elsewhere,

    Seems reasonable. Their goal is to make a secure, BSD licensed operating system. I can see why they'd not want to waste their precious, valuable free (and sometimes funded by OpenBSD donors) time working on things which aren't OpenBSD.

    but that they'll fix it to run elsewhere if you give them money

    Sounds reasonable to me. If you want a programmer to work on something for you that they don't already want to do themselves, then you pay them. Completely reasonable. I won't port my libraries to Windows or MacOS unless someone pays me because I don't like working on Windows and don't own a Mac.

    Or, you could apply your own effort to it.

    Isn't OSS neat? You don't even have to pay them! If you do the work up to an acceptable level of quality, they'll even bless it and include it in the official release. What decent, stand-up people they are.

    Fact of the matter is they're not being philanthropic;

    Of course they are: they're providing a complete, free, secure operating system with many components that with little effort can be released elsewhere. For free, using their own time and effort. Just because they're not giving you exactly what you want doesn't make them not philanthropic.

    Do you also complain donate money to a registered charity instead of you personally? Does that also make them not philanthropists?

    they're dangling a carrot and telling you if you want it you can either pay them to bring it down to you or you can climb the mountain and come take it

    So basically they're providing some great free carrots and you're objecting because they're not walking up to you and stuffing it in your mouth. And it's hardly a mountain.

    They're putting in some effort to grow the carrot,

    If by some you mean far, far more than it would take for you to drag yourself up there, then yes. It's their time to put in. They can do it how they like. Dictating to them how they should spend their time without offering the slightest incentive makes you seem entitled.

    but they've decided to plant their carrot field atop a mountain instead of using the fertile farm land at the base where the villagers can get to it.

    You mean they've put it where they need it rather than where a bunch of useless people who have never contributed a thing to them and do nothing but whine on the internet would find it most useful. Oh the huge manatee! The bastards. How could they!

    Only the elite--the rich or the strong--can get the carrot,

    Or the people who run OpenBSD. It's free and open source. It even comes precompiled. Go install it for free and enjoy the fruits of their labour. Or contribute $1. If everyone who whinged like you contributed a dollar, you'd have it by now.

    If you count yourself as not rich enough to contribute a dollar and not strong enough to install OpenBSD or hack some C code, then you really do have my deepest sympathy. Well a bi

    --
    SJW n. One who posts facts.
  19. Re:Good Guy Theo by gweihir · · Score: 2

    They already have music under the "OpenSSL" link on the LibreSSL webpage. Seems they are ahead of you ;-)

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  20. Re:Or.. by serviscope_minor · · Score: 4, Insightful

    My point is that it costs less in labor to rewrite OpenSSL cleaned-up but OpenBSD only without consideration for other OSes than it does to rewrite OpenSSL with no such consideration. Then, when you go back and fix the now-broken OpenSSL rewrite (LibreSSL), you add more than the difference in that labor: it requires more overall effort to do this one-and-a-half times than to do it right once.

    Well, the OpenBSD people disagree with you. You also forgot the auditing of the code that they're going to be doing once it's fixed. Much easier on a clean codebase.

    They're not giving everyone a rewritten OpenSSL; they're giving everyone the concept of a rewritten OpenSSL, which you can put into use on OpenBSD, or you can apply your own effort or apply money to OpenBSD to get written to work on Linux/FreeBSD/Windows.

    So they're building something they need for themselves personally, but are generous enough to make it available to everyone should anyone else need it. And they'll even let you freely modify it if it doesn't fit your needs! Not only that but if your mods are of no benefit to them but cleanly written and useful to others, they'll even go out of their way to include them in their project. What nice people. I think they should be applauded for their philanthropy.

    They do sound like awfully nice people to me.

    It's really a shame that there are so many people on the internet who complain that they're not spending even more time and even more effort to give more away for free. But there you go: some people just have a sense of entitlement out of all proportion.

    --
    SJW n. One who posts facts.
  21. Re:Graphic design geniuses too by geminidomino · · Score: 2

    Fait accompli, apparently. :D

    Well played, Theo et al.

  22. because socialism is communism is real bad. by Thud457 · · Score: 2, Funny

    I'm not gunna use no "liberal SSL", might as well just call it "socialist SSL" and get it over with.

    They should call it "FREEDUMB:SSL" and make everybody happy.

    Or at least "rePun SSL". Sorry, it's hard finding a use for that -ZL sound.

    --
    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  23. Re:Graphic design geniuses too by benjfowler · · Score: 2

    They just come over as a bunch of complete, smug, self-absorbed wankers.

    *golf clap*

  24. Re:Or.. by Anonymous Coward · · Score: 2, Interesting

    Call the new one OpenTLS and remove any support for old insecure SSL variants at the same time...

  25. Re:Awesome! by lemur3 · · Score: 3, Insightful

    I look forward to new and interesting side-effects of the pell-mell rush to clean up the code of a poorly written, poorly maintained, and even more poorly documented software package!

    more poorly documented than OpenSSL?

    the OpenBSD team creates some of the best documentation out there.. it is one of their major accomplishments and clearly important to them.

    if all they did were document it, openSSL would be better off for it.. they are forking it, improving the code and documenting it.

    Of course, they aren't gods, perhaps mistakes will be made.. but this team is known for producing high quality code and high quality documentation.. .. I think that you couldn't be any further from the mark with your flippant remark Mr. AC!

  26. Re:Or.. by thoth · · Score: 3, Insightful

    I'd much rather see the OpenSSL project itself get cleaned up

    That would be ideal, and there's nothing stopping the OpenSSL project from doing that.

    OpenBSD is a group that says - we are relying on this code that is totally busted, let's fix it - and they prioritized their OS first. I don't see a problem with that. OpenBSD is already making their work publicly available for free, they don't have the onus to actually provide bullet-proof solid code for every platform on the planet. Turns out other OS hackers need to roll up their sleeves too, and fork over some cash to support the effort.

  27. Aha! by neiras · · Score: 2

    This. Seriously. People may not think that appearance is important, but it is. Comic Sans does not inspire confidence.

    WEB HIPSTER DETECTED! ;)

  28. Mod parent Troll by neiras · · Score: 2

    How the fuck does this kind of trolling/tin-foil-hattery get to +5? The only "Interesting" thing about it is the apparent level of paranoia being experienced by gweihir. I mean, Red Hat as an NSA tool to Destroy Linux? Sure!

    I get it, some folks hate systemd and everything Lennart does (and I'm not picking sides anymore), but the parent is just a smear job.

  29. Re:Libre is the new Open by pr0fessor · · Score: 2, Insightful

    SSSL - Secure Secure Socket Layer is that like when people say LAN Network - Local Area Network Network

  30. Re:Graphic design geniuses too by Pseudonym+Authority · · Score: 2

    Are you retarded? For the trillionth time, OpenBSD had nothing to do with OpenSSL until they forked it? Learn how to fucking read.

  31. Re:Graphic design geniuses too by Pseudonym+Authority · · Score: 2

    Luckily though, they have a history of completing quality software to back up such an attitude. That's way better than the countless shitty projects with websites that push the very limits of jQuery and have beautiful CSS, but are only half-functional at best and riddled with security holes and have an obnoxious focus on spreading the word via Facebook and a dozen other social sites.

  32. Re:Libre is the new Open by adiposity · · Score: 2

    I had the same idea. But I was actually serious.

    I think they could call it "ClosedSSL."

    "You are still using OPEN ssl? Are you crazy? Use this CLOSED ssl to keep hackers out."

  33. Re:Am I the only one? by Desler · · Score: 2

    Yes. See: OpenSSH.