

OpenSSL Project Roadmap - dankohn1
https://www.openssl.org/about/roadmap.html

======
tedunangst
Sounds good to me. If followed through, OpenSSL and libressl portable could
possibly converge on practically identical code bases.

It is a little weird, though, that it's almost the libressl game plan, verbatim.
It could literally just say "do whatever libressl does".

Some of the specifics, like "memory management is dangerous", "FIPS code is
tangly", "Win16 support is obsolete", seem a little too familiar. We haven't
really tried to make an exhaustive list of issues to fix in libressl. I know
there are things we haven't looked at yet. But for the OpenSSL roadmap to
match our public work 100% is weird. They haven't found anything to fix that
we've overlooked?

Also, there are definitely some problems in OpenSSL that we've identified, but
haven't talked about. I'd expect any independent review/roadmap planning to
identify them. They're missing from this list.

~~~
akjj
Sounds like OpenSSL is keeping FIPS in a refactored form and LibreSSL is
getting rid of it.

------
snvzz
I don't expect much to come from rewarding failure. Throwing money away at
OpenSSL isn't suddenly gonna make its developers good.

I'll be running LibreSSL, and I expect most Linux distributions to do the same
by default once the Linux port is released.

~~~
wfjackson
There are different degrees of failure. Expecting someone to work for free for
you (you as in all the big and small companies making a ton of money) while not
inspecting the code for bugs is one of them. Blaming the resource-constrained
developers accomplishes nothing.

~~~
leccine
I never asked any OpenSSL guys to work for free for me. Btw, I have been
contributing to FOSS projects, before you are accusing me that I never did
anything for the community. I totally understand the responsibilities of open
source developers. Having software that is supposed to provide security is a
huge responsibility, and in those projects following best practices (not
re-implementing malloc badly, etc.) is insanely important. Just because it is
free does not mean that you can throw out everything we know about software
engineering, and it does not justify broken software. There is a tendency in
the software community to think that if it is free it can be crap and nobody
can complain about it. This is a bad attitude. If you can't write great
software, just please don't do it and try to hide behind the open source flag.

~~~
lttlrck
Where did he accuse you?

~~~
leccine
"before you are accusing"

English is hard, man, I know.

------
ayrx
This is great news indeed. At least now we know the OpenSSL developers
recognize the problems they have and that they are actively working on fixing
them.

This definitely increases my confidence in them.

------
josephlord
From their news page:

24-Jun-2014: Team status changes including six new development team members

The article listed links to:
[https://www.openssl.org/about/](https://www.openssl.org/about/)

Hopefully the new team can deliver on the promise in this roadmap.

~~~
leccine
Absolutely, there is a book written about this topic.

[http://en.wikipedia.org/wiki/The_Mythical_Man-Month](http://en.wikipedia.org/wiki/The_Mythical_Man-Month)

------
InfiniteRand
While I would not necessarily prioritize this above any of their other
concerns mentioned in the roadmap, I would love to see OpenSSL use a more
standard build process instead of generating code through Perl as part of
their build.

~~~
anaphor
It would also be nice if they tested builds with infrequently used options.
I've tried building with documented options, e.g. no-comp (disables
compression), and it completely failed, presumably because the CPP generated
something that no longer built with that option.

------
erichurkman
I don't understand why a code review system has to take 3 to 6 months. That
seems backwards to me: it should be the first step to improving the project.
Every one of the changes listed in the roadmap should be reviewed and signed
off by at least one other peer in the project.

~~~
lockes5hadow
They need to recruit more people to make it possible, I guess? I don't know, I
agree with you. It's absurd to have a project of this scale without code
review.

------
nodata
So now we have a third refactor?

~~~
Twirrim
It looks mostly like they've taken on-board the criticisms from the OpenBSD
developers and have decided to get their house in order.

It will be interesting to see whether this turns out to be just words or if
they'll stick it through. If they actually implement what they're planning, the
future for OpenSSL will be a lot better.

