> BoringSSL is a fork of OpenSSL that is designed to meet Google's needs.
> Although BoringSSL is an open source project, it is not intended for general use, as OpenSSL is. We don't recommend that third parties depend upon it. Doing so is likely to be frustrating because there are no guarantees of API or ABI stability.
Seems like they are working pretty close together and got something out of the deal as well.
They now have out of the box some features they maintained themselves, and have a more stable and maintainable stack.
Also: it seems like there's no release or commit signing, unless I missed it? So couldn't you just compromise one user, or commit bot, or git repo location, and basically own all TLS that Cloudflare uses, effectively owning like half of the internet?