Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Forks OpenSSL, Announces BoringSSL

Posted by Soulskill on from the if-you-want-something-done-right dept.

An anonymous reader writes Two months after OpenBSD's LibReSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."

5 of 128 comments (clear)

  1. Re:Choice is NOT ALWAYS good by NotInHere · · Score: 3, Informative

    Compare email (you can choose your provider, but regardless, you can email anyone) vs. social networking (if you choose Facebook and your friend is the one person on Google+, you're out of luck)

    That's one of the reasons why I have email, jabber, and sms (and webrtc), but no social network.

  2. It is hip to be square by ctime · · Score: 5, Informative

    For those having a hard time understanding the naming convention,

    Boring: Not flashy, not exciting, not experimental, not sexy. Performs as expected.

    In other words, exactly how I want my security libraries, my databases, and the other critical infrastructure that runs the planet to be described as. Boring is good. A choice between boring Plain Jane and Simple Sally? Even better. Thank you.

  3. Re:Yaaaay! by Opportunist · · Score: 2, Informative

    I prefer to eat capitalists.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:What a name! by swillden · · Score: 5, Informative

    First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."

    The name "BoringSSL."

    I am finding extreme difficulty in liking this name choice. What was Google thinking? Am I alone?

    It's not "What was Google thinking?", it's "What was Adam Langley thinking?". As for what he was thinking, it's pretty simple: Fundamental security components like SSL/TLS should be very, very boring. They're not a place for innovation and experimentation, they're not a place for clever code that demonstrates the author's virtuosity (assuming there is any such place, outside of Obfuscated C contests). They're not a place for exploration of how the C preprocessor can be used to automatically generate much of the codebase (which is something that OpenSSL has done). They're where you want very simple, straightforward, boring implementations of industry best practice algorithms and protocols.

    When it comes to security, boring is good.

    As Langley said in his blog post, the name is aspirational. But it is his goal, to produce a security library which is completely boring. And it's a good thing.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Re:How does this help? by jones_supa · · Score: 3, Informative

    OpenSSL Gets Patch for 4-Year-Old Flaw

    That one had a public CVE sitting for 4 years while nobody took the responsibility to fix it.