

OpenSSL, OpenSSH and NTP to receive support from Core Infrastructure Initiative - ryanweal
https://www.linuxfoundation.org/news-media/announcements/2014/05/core-infrastructure-initiative-announces-new-backers
"Network Time Protocol, OpenSSH and OpenSSL first projects to receive support; Open Crypto Audit Project to conduct security audit of OpenSSL"
======
kyledrake
Just give the money to the OpenBSD team. We saw with OpenSSH that they have a
proven track record taking crappy security software and fixing it. Why does
everyone have this aversion to giving the OpenBSD team the funding they
deserve?

And "Theo's a dick" doesn't qualify as a valid reason to not fund real
security development. For the work those guys have done improving the security
infrastructure of every operating system (they lead, others followed), the
entire team deserves to be well-off dicks. It's to me the ultimate highlight
of OSS's funding problem. People make millions/billions of dollars off of this
software, and nobody ever contributes any of that back to the shoulders they
stood on to make that happen.

~~~
tptacek
OpenBSD is not auditing OpenSSL. They're substantially rewriting it. The net
effect is hopefully similar, but it's a very different path to get there.
Further, the refactor might introduce new bugs, and it can easily miss subtle
bugs (we're talking about cryptography, which is not as easy to spot or to fix
"accidentally" [which is part of OpenBSD's M.O.] as memory corruption).

"Theo's a dick" has nothing to do with why funds are being applied to audit
and not to "just have OpenBSD rewrite everything".

~~~
sigzero
I would trust Theo's team over the OpenSSL team any day of the week.

~~~
tptacek
That's great, but neither LibreSSL nor the Linux Foundation open audit project
has anything whatsoever to do with the OpenSSL team.

------
allendoerfer
When the missing funding of OpenSSL was discussed, it came up several times
that OpenSSH, while doing great, is quite underfunded, too. I am glad to see
them getting some money.

What I can't really comment on myself, but am reading from the OpenBSD guys,
is that the OpenSSL team does quite well with FIPS consulting and has no
increased interest in improving the library.[0]

Even if those claims are not true, it would be nice to see several other TLS
libraries (GnuTLS, LibreSSL etc.) getting sponsored to get some healthy
competition. Maybe, they could even directly compete for shares of the funding
by the Linux Foundation in some way.

[0]:
[http://www.openbsd.org/papers/bsdcan14-libressl/mgp00008.htm...](http://www.openbsd.org/papers/bsdcan14-libressl/mgp00008.html)

~~~
awj
Straight from the horse's mouth[1]

> Also, the income they earn though their paid consulting work supports their
> unpaid work on OpenSSL, so by hiring OpenSSL team members you are not only
> solving your own problems but also helping to ensure the long term viability
> of the OpenSSL product.

They also list hourly consulting on their website starting at $250/hour.
Neither of these describes _how much_ they get out of this, but it seems
reasonable to say that the "OpenSSL runs of $2k/year" line is disingenuous at
best.

[1]
[http://www.openssl.org/support/consulting.html](http://www.openssl.org/support/consulting.html)

~~~
rgbrenner
"but it seems reasonable to say that the "OpenSSL runs of $2k/year" line is
disingenuous at best."

Is it? The last contract listed on that page is 4 years old. Maybe they don't
regularly get contracts.

------
mrweasel
I'm actually looking forward to seeing how the OpenSSL project will deal with
their own legacy code, compared to how the OpenBSD developers have handled it.

It seems that one of the only ways of dealing with the OpenSSL code is to
strip out the code for a large number of, should we say, "less used platforms".
Are the OpenSSL developers willing to drop support for 16 bit Windows or
OpenVMS?

~~~
wmf
_Are the OpenSSL developers willing to drop support for 16 bit Windows or
OpenVMS?_

They either need to properly maintain it or drop it, and they don't have
enough money to maintain it.

~~~
jimktrains2
I just want to know who's still compiling against 16bit windows or OpenVMS. I
know my world view isn't infinite, but those systems seem a bit out there.

~~~
daxelrod
Part of my job involves writing software on OpenVMS. We actually just recently
ported something that needed OpenSSL and were happy to find an up-to-date
version.

~~~
tribaal
Out of curiosity (sorry if that's offtopic), but what kind of workload are you
running?

Is there anything except resources that prevent you from moving to a more
modern platform? Of course, "it works" is a valid argument there, too. But you
seem to be writing new code, too.

~~~
daxelrod
No, nothing except resources is in the way of completion of a move to a more
modern platform. It's coming gradually, but we can't drop everything for a
year or two to devote all of our engineering resources to getting us there.

OpenVMS has some really good ideas baked into the OS that we've had to
reimplement or find off-the-shelf solutions for our new platform (for example
a distributed key-value store (called "logicals"), a job queue system, and a
clustered filesystem) but nothing so earth-shattering that it would keep us on
VMS.

The biggest downsides are expensive hardware (OpenVMS is designed around
clusters of a few beefy boxes, rather than many commodity boxes), lack of
community knowledge, and lack of new software available for the platform. (End
of life is also looming:
[http://h71000.www7.hp.com/openvms/openvms_supportchart.html](http://h71000.www7.hp.com/openvms/openvms_supportchart.html)
.)

------
adventureloop
I skimmed, but cannot seem to see which project is being supported when they
say NTP.

When you support the OpenBSD Foundation you support:

- OpenBSD - OpenSSH - OpenBGPD - OpenNTPD - OpenSMTPD - LibreSSL

The wording makes me think that the initiative will be supporting something
other than OpenNTPD

~~~
dankohn1
They're supporting 4 projects so far: OpenSSL, OpenSSH, NTPd, and an Open
Crypto Audit Project (OCAP) audit of OpenSSL. The Network Time Protocol
project is here: [http://ntp.org/](http://ntp.org/)

------
orik
If OpenSSL software foundation is a for profit operation, why are tech
companies funding it (1) instead of LibreSSL?

1: [http://arstechnica.com/information-technology/2014/04/tech-g...](http://arstechnica.com/information-technology/2014/04/tech-g..).

~~~
tytso
The CII is not funding the OpenSSL Foundation; it is directly funding two
OpenSSL developers, so they can work on whatever is best for OpenSSL, instead
of whatever feature improvements contracted by the OpenSSL Foundation.

As a result, the people behind the OpenSSL Foundation are NOT taking a cut of
the monies from the CII.

------
dfc
This is great news. NTP is one of the least appreciated OSS projects. Harlan
and the rest of the ntp dev team are very helpful and deserve a lot of respect
for keeping the clocks on time. I can only hope that increased ntp
funding/awareness/development means that _BitKeeper_ (not a typo) is finally
replaced by git/mercurial.

------
dmix
How do code security audits actually work? Are various well-experienced people
just combing through the code and trying to break it? Or is there a more
formal process?

~~~
chrisrohlf
This depends on a couple of different things, the most important of which is
"at what stage of development is the application?" (i.e. how mature and well
tested is this code). Software Development Life Cycle (SDLC) processes are
great when followed from the start. When they are applied long after the first
100k+ lines of code are written then it's harder. A typical code audit for us
(I do this professionally at [http://leafsr.com](http://leafsr.com)) involves
some threat modeling, attack surface enumeration, manual data-flow and taint
analysis ("where does untrusted data come into this application and how is it
handled") and finally just reading the code. Timing and scope will heavily
influence how deep you can go. 1 week on OpenSSH will probably get you
nothing, 6 weeks on OpenSSL will definitely get you something.

(edit: expanded on what is most important)

------
mjibson
It is possible the OpenSSH funding, since it is done through the OpenBSD
Foundation, could, at the Foundation's discretion, go toward LibreSSL, since
it's the same group.

~~~
Alupis
No it's not. Libressl is a different team; one that feels a fork was more
appropriate than just fixing the problems in openssl.

IMHO, libressl is a mistake. It's splitting resources over something that
needs to be as air-tight as possible. I'd much rather have 1 really really
good ssl library that everyone uses instead of 2 so-so ones.

~~~
clarry
> No it's not. Libressl is a different team

OpenSSH and LibreSSL are both a part of OpenBSD. So when you donate to the
OpenBSD Foundation, you are very much donating to one project.

> one that feels a fork was more appropriate than just fixing the problems in
> openssl

You can't start fixing things in other peoples' source tree just like that.
I'm pretty sure nothing useful would've come out of it if the OpenBSD folk had
sent half a million lines in diffs to OpenSSL;
[http://www.openbsd.org/papers/bsdcan14-libressl/mgp00026.htm...](http://www.openbsd.org/papers/bsdcan14-libressl/mgp00026.html)

~~~
Alupis
> You can't start fixing things in other peoples' source tree just like that.

Yes, you can. It's called contributing to a project. If the "half million
lines of diffs" were actually things needing fixing, then the upstream team
would accept them. If they are not necessary changes (such as ripping out all
windows compatibility), then no, they would reject such changes.

It will take years, maybe a decade before a new ssl library becomes the
"default". OpenSSL has a lot of ground covered and a lot of history. Yes, it's
common knowledge that libressl started _before_ heartbleed, but the reasons
for the project being started are mostly along the lines of:

1) We don't think upstream would take these changes

2) We don't like some aspects of the design philosophy

3) We can do it better.

All 3 reasons can be collapsed into a more focused effort to fix the already
existing and very good ssl library; openssl.

~~~
chrismonsanto
> Yes, you can. It's called contributing to a project. If the "half million
> lines of diffs" were actually things needing fixing, then the upstream team
> would accept them. If they are not necessary changes (such as ripping out
> all windows compatibility), then no, they would reject such changes.

I take it you've never dealt with an inactive/apathetic upstream before? Just
because someone _is_ the steward of a project does not mean they _should_ be.
This is perhaps one of the most valid reasons to fork!

The LibreSSL team says that there were big problems on the tracker that
languished for years, such as OpenSSL not working correctly when you disable
their custom memory allocator. If the OpenSSL team can't deal with bug reports
in a timely fashion, what makes you think they will bother reviewing and
merging hundreds of thousands of lines of code?

~~~
Alupis
Then you become the steward of the project and continue forward. Forking will
introduce an untold number of _new_ bugs, some of which may be _worse_ than
imagined. Right now, native libressl only works on bsd's, when openssl
codebase works on many os's. There are ports being made, which will introduce
more bugs.

Bugs being in a tracker for years is not uncommon.

Here's OpenSSH's tracker:

[https://bugzilla.mindrot.org/buglist.cgi?bug_status=__open__...](https://bugzilla.mindrot.org/buglist.cgi?bug_status=__open__&content=&no_redirect=1&order=changeddate&product=Portable%20OpenSSH&query_based_on=&query_format=specific)

331 bugs, a large majority of which are pre 2012.

This is not a sign of inactive/apathetic developers. It's a sign of big and
old projects.

I have no doubt the OpenBSD folk are excited about this now... but 5 years
from now? More? What's the long term viability of this project? Will they
eventually put all OS's on an equal footing instead of *BSD's first and port
to other OS's?

Forking was not the answer. The answer was to fix the perceived problems in
OpenSSL and make it as solid as it can be. It's splitting talent and resources
unnecessarily. Especially when the two projects are under the same umbrella
(OpenBSD Foundation).

~~~
chrismonsanto
> Then you become the steward of the project and continue forward. ... The
> answer was to fix the perceived problems in OpenSSL and make it as solid as
> it can be. It's splitting talent and resources unnecessarily.

But that is what the fork is, OpenSSL with new stewards. What is your
objection? That they are using a different name? That they decided to remove
certain platforms which were a maintenance burden? That FIPS is broken by
design and therefore isn't a priority? I imagine the OpenSSL team disagrees
with the LibreSSL team on all of these issues. The only option was a fork.

> Right now, native libressl only works on bsd's, when openssl codebase works
> on many os's. There are ports being made, which will introduce more bugs.

One step backwards, two steps forward.

------
joealba
What about BIND for DNS?

~~~
mprovost
The DNS ecosystem is much more diverse. djbdns is considered to be the most
secure, and there are a few other quality implementations. The root servers,
for example, run a mixture of BIND and NSD, so no single bug can affect all of
them.

------
davidgerard
Just LibreSSL. Let OpenSSL die its deserved death. Portable LibreSSL will do
wonders.

------
tux
Having "Huawei" as one of the backers does not create confidence. Recent news
shows that they had their hardware backdoored.

[https://duckduckgo.com/?kh=1&q=Huawei&sites=www.schneier.com...](https://duckduckgo.com/?kh=1&q=Huawei&sites=www.schneier.com%2Fblog)

~~~
vidarh
How is the NSA's ability to backdoor Huawei hardware relevant for Huawei's
ability to provide money to help fund audits?

Presumably, the NSA hacking is a reason for Huawei to start caring a great
deal more about investing in security.

