

OpenSSL code beyond repair, claims creator of LibreSSL fork - tjaerv
http://arstechnica.com/information-technology/2014/04/openssl-code-beyond-repair-claims-creator-of-libressl-fork/

======
tjaerv
"'Our group removed half of the OpenSSL source tree in a week. It was
discarded leftovers,' de Raadt told Ars in an e-mail. […] De Raadt told ZDNet
that his team has removed 90,000 lines of C code. 'Even after all those
changes, the codebase is still API compatible,' he said. 'Our entire ports
tree (8,700 applications) continue to compile and work after all these
changes.' The OpenBSD team started working on LibreSSL about a week ago, he
told Ars."

------
guiambros
_" As for Heartbleed, 'the mystery is not that a few overworked volunteers
missed this bug', Marquess wrote. 'The mystery is why it hasn’t happened more
often.'"_

Couldn't agree more. I'm sure there are lots of folks now combing through every
line of OpenSSL, trying to find some new 0-day.

A hard fork seems a good option. Fresh start, with no cruft or a bunch of
legacy code. Painful, but positive.

