
IBM, Microsoft, Facebook, Google, others pledge $3.6 million to fund OpenSSL - 0cool
http://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/
======
computer
> "IBM, Microsoft, Facebook, Google, others pledge $3.6 million to fund
> OpenSSL (arstechnica.com)"

The title of this submission is incorrect. The funding goes to the general
fund, not specifically to OpenSSL.

Here's the press release this article is based on:

[http://www.linuxfoundation.org/news-media/announcements/2014...](http://www.linuxfoundation.org/news-media/announcements/2014/04/amazon-web-services-cisco-dell-facebook-fujitsu-google-ibm-intel)

And here's the actual initiative:

[http://www.linuxfoundation.org/programs/core-infrastructure-...](http://www.linuxfoundation.org/programs/core-infrastructure-initiative)

Discussed here:

[https://news.ycombinator.com/item?id=7639835](https://news.ycombinator.com/item?id=7639835)

~~~
dang
Thank you. We'll bury the current post as a dupe of 7639835.

------
zdw
If they funded OpenBSD's project portfolio (including LibreSSL), they'd get a
heck of a lot more out of it for their money.

~~~
smackfu
But they don't want to run OpenBSD.

~~~
davidgerard
Everyone who relies on ssh should be sending OpenBSD a bit of cash.

------
romanovcode
OpenSSL source code is a disaster. It's spaghetti that doesn't do what you
think it does, with horrible documentation. People submit patches from people
they don't even know, and then you have it: an SSL library that is flawed but
everyone is using it. A spying agency's and hacker's dream.

We don't need OpenSSL, we need another library built from scratch with very
clean code and documentation.

Everyone who has more interest in why OpenSSL is a catastrophe should watch
Operation ORCHESTRA[0].

[0]
[https://www.youtube.com/watch?v=fwcl17Q0bpk](https://www.youtube.com/watch?v=fwcl17Q0bpk)

~~~
ahknight
> built from scratch

With ya up until this. The core crypto code works. The framework around it is
aged, crufty, and could use a refactor/rewrite. But tossing the baby out is
not useful here. Just wash the kid and put on some new clothes and he'll fit
right in again.

LibreSSL is going in the right direction (specific questionable decisions
notwithstanding). Hopefully someone will bring over some of that love to the
main codebase.

~~~
midas007
Agreed. Even Theo sees the value in a popular but crappy crypto lib that works
and just needs a good gutting. Starting from scratch would be costly
reinventing of a security wheel and likely incompatible with OpenSSL... IOW
dead-on-arrival.

------
midas007
This comes off as a few companies trying to throw money at a rotten crypto
lib, when only leadership like Theo's way (minimalism, dropping features)
would have a prayer of rescuing it. So giving OpenSSL more money doesn't make
sense, it's like rewarding failure because they've shown an inability to
produce good code or maintain it well... More money won't help that, likely
the opposite. Instead, TLS WG needs to get their act together and reduce their
addiction to feature creep, release a reference library and comprehensive test
suite. Then OpenSSL might have a chance after picking up a compass and a map
and get back to some semblance of being a decent crypto lib, but more money is
unlikely to solve this issue.

------
mikecb
This, along with Google and others devoting employees like Neel Mehta to it
should go a long way.

------
Nanzikambe
They're throwing good money after bad pretty much. IMO they should fund
LibreSSL + OpenBSD + OpenSSH, bound to get more bang for buck.

------
prohor
WOW! Never thought there was just one person devoted to a library that we rely
on to bring security to us all. Community is great, but still some more
dedication is needed in parts which are essential for security. Glad to see
that some took it seriously.

------
pyvpx
How about they each chip in $10K each year for OpenSSH?

~~~
abrahamsen
They might, indirectly. OpenSSH would seem like a good candidate for funding
from the Core Infrastructure Program.

------
leccine
Wow, with this money they could just rewrite that thing and get the source
audited and tested.

