

Linux Foundation rounds up vendor posse to save OpenSSL - chris-at
http://gigaom.com/2014/04/24/linux-foundation-rounds-up-vendor-posse-to-save-openssl/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+OmMalik+%28GigaOM%3A+Tech%29

======
valarauca1
Based on the figures an OpenSSL developer tweeted, their old funding was
approximately ~$2,000 per year. (I can't find the source at this exact
minute).

Hopefully this means OpenSSL will finally be able to afford a few security
audits, refactoring, and everything people have wanted.

~~~
midas007
Throwing money at a problem without competent leadership just makes matters
worse. The leadership has to have a grasp of what's wrong for any of that
money to be used effectively. If history were any measure, it seems as likely
as a blizzard in the Sahara.

~~~
richardwhiuk
This outright hatred towards the developers of OpenSSL seems bizarre and
unwarranted.

Should the heartbleed bug have been caught in code review? Yes.

Does the quality of the OpenSSL library leave something to be desired? Yes.

Are there likely to be similar bugs in other SSL implementations? Yes.

Is LibreSSL / OpenSSL Rampage / PolarSSL / GnuTLS a good alternative? Probably
not, due to poor cross platform support, insufficient features, and way fewer
eyeballs.

Do other crypto libraries have test suites which would have caught this? No,
not as far as I can tell - Apple's Security framework bug and the GnuTLS bug
should be evidence enough of that.

If you want to migrate, go ahead. The best option is probably NSS.

~~~
mitchty
I'd argue LibreSSL is already doing a better job because they are doing things
that should have happened ages ago.

Files from 1998 that were supposed to be removed when 1.0 was released?
Should've been gone years ago. Code interspersed with platform specific hacks
say for VMS(!?!?!? why is this even supported still) that needs to go.

Having a simple core that has platform shims on top is a good thing. Ripping
out the openssl NIH memcpy/etc... is a good thing. Sometimes the only way
forward is to step back and take a better path.

Everyone here is annoyed that we likely are throwing good money after bad. If
the openssl developers don't practice good software engineering as it is,
money won't change that. This is the fundamental worry. I'm skeptical this
will result in anything useful. If the years upon years of technical debt in
this project aren't cleaned up like libressl has done, I don't see much chance
of things improving substantially.

~~~
midas007
Yes, this is the core worry. OpenSSL needs a press release to commit to a
360-review, top-to-bottom and engage more to lead the tech / stds WG to reduce
complexity.

------
dang
This is a dupe of
[https://news.ycombinator.com/item?id=7639835](https://news.ycombinator.com/item?id=7639835).

------
Karunamon
Interesting. What makes this effort different from what OpenBSD is doing? I
assume rather than the "nuke-from-orbit-and-start-fresh" approach, this will
attempt to clean it up and keep platform interoperability and such still
around?

~~~
km3k
I assume it will be more of a "clean it up" rather than "nuke it" approach,
plus there's a lot more money involved.

~~~
midas007
Starting over on OpenSSL would cost about 20 mega USD, so that's unlikely.

Currently, Ohloh estimates $6.7 mega USD in code cost, but figure 3x for a
crypto lib due to inherent challenges of correctness. [0]

[0]
[https://www.ohloh.net/p/openssl/estimated_cost](https://www.ohloh.net/p/openssl/estimated_cost)

~~~
Karunamon
When I said "nuke it", I was more referring to the current practice of
slashing and burning build support and modifications necessary to allow the
library to build on anything but the most popular handful of platforms.

The glee with which this is being done (looking at the commits) is palpable.

~~~
midas007
Ahhh. Yup, I just lightly-forked LibreSSL to bring back some build
infrastructure to non-OpenBSD platforms. It's easy for folks to get
carried away, and there will probably be some quiet backpedaling.

[https://github.com/steakknife/libressl](https://github.com/steakknife/libressl)

