
Not Just a Cleanup Any More: LibreSSL Project Announced

Posted by timothy
from the they'd-like-some-beer-money dept.
An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."
  • Re:Or.. (Score:2, Insightful)

    by Dancindan84 (1056246) on Tuesday April 22, 2014 @08:13AM (#46814141)
    That's what I was wondering. The summary is a little vague, and I didn't really get a whole lot of clarity reading the articles as to whether OpenBSD was cleaning up OpenSSL and forking it to LibreSSL, or just cleaning up the code AS they forked it to LibreSSL. It seems like the latter, and if they're not contributing back and keeping LibreSSL OpenBSD only (at least initially), they're solving a problem less than 1% of us are having rather than helping a whole lot more.

    I'd much rather see the OpenSSL project itself get cleaned up (or forked/restarted for "everyone" if the code needs more than cleanup) than have it forked and cleaned up for JUST an OpenBSD implementation.
  • by Missing.Matter (1845576) on Tuesday April 22, 2014 @08:23AM (#46814235)
    Typefaces by their nature are designed to convey specific emotions. It's the whole reason we don't simply convey written information in one fixed typeface; some are more appropriate than others given the situation.

    Comic Sans in particular is designed to imitate comic book lettering. It's not particularly professional. In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals. Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.
  • Re:Please don't (Score:5, Insightful)

    by Kardos (1348077) on Tuesday April 22, 2014 @08:31AM (#46814293)

    It's not a bad idea. OpenSSL has become unwieldy, which has been known for quite some time. A major refactoring is long overdue. Does it matter if the project changes name? OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.

    > Even after all those changes, the codebase is still API compatible.

    It's going to be a drop in replacement for OpenSSL. Same idea as the MariaDB fork of MySQL. Where is the "bad idea" here?

  • by sinij (911942) on Tuesday April 22, 2014 @08:38AM (#46814361) Journal
    The key reason OpenSSL is so popular in the US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has a certified module.
  • Re:Or.. (Score:2, Insightful)

    by serviscope_minor (664417) on Tuesday April 22, 2014 @08:46AM (#46814419) Journal

    > Strong, your hatred of OpenBSD is. Blinded you are.

    Actually, more like a raging fuckwit you are.

    > It's not about a better OpenSSL. It's about OpenBSD waving its penis around.

    Frankly you're a complete fucking idiot if you think that. Basically if you persist in believing it, you are either ignorant or stupid. If the former, there's no excuse because it's been covered so many times on just slashdot alone. Therefore it's wilful ignorance. Actually I think it's malice because you appear to hate OpenBSD for no rational reason.

    OpenBSD want an API compatible, SAFE version of OpenSSL for their operating system. Rather than whining on the internet with their thumb up their ass, they're actually doing something about it. So they can provide a safe, BSD licensed operating system, which is their goal.

    > The OpenSSL team is amenable to aid; but they have two developers and no help.

    So? That's the fault of the 10,000 companies out there who use openSSL but were too stupid to consider it worth chucking a few bucks to the OpenSSL team. The fact that the OpenBSD team is doing something about it is not a fault with the OpenBSD team.

    > OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD

    Well, I guess they should have used a different license then. The OpenBSD folks aren't even making it closed source. It's out there if you want it. And it's specific to OpenBSD because---guess what---it's being done by OpenBSD developers. But they're good programmers and good people. It's not going to be heavily tied to OpenBSD. It will be pretty portable code.

    > OpenBSD unless you give them money to make it not.

    OMG nuuuu!!111oneeleven People on the internet aren't working for free for me!! How dare those evil fuckers want to get fucking paid for FUCKING WORK!!! The bastards! They're doing nothing but waving their penises around. How dare they.

    whine whine blah blah

    No one is obligated to work for you for free. Fact is they actually are because OpenSSL badly needed this cleanup of the outer crap. The OpenBSD people are doing it for free in their own time and it's quite astonishingly arrogant of you (who hasn't donated a dollar or an hour of your time) to complain about how.

    The chances are, with the code being cleaned up, it will actually be more easily portable to other modern systems than the old code. They're not doing damage because the old code is still there and you can keep using it warts and all for as long as you like.

  • by sinij (911942) on Tuesday April 22, 2014 @08:58AM (#46814521) Journal
    You might be proven right by the next Snowden report, but this still will not change the fact that to sell to the government you need to demonstrate your crypto is certified.

    Another way of thinking about this - your liability is much higher when your badly broken crypto results in your customer database in the pastebin, than when your backdoored library results in your customer database somewhere in the NSA data vault.
  • by ThePhilips (752041) on Tuesday April 22, 2014 @09:06AM (#46814597) Homepage Journal

    What is with this reaction of Americans to the French/Latin word "libre"?

  • by Pieroxy (222434) on Tuesday April 22, 2014 @09:23AM (#46814765) Homepage

    It's not English nor does it have English roots, so they don't like it. It's simple really. You can apply that to many things Americans don't like.

  • Re:Or.. (Score:4, Insightful)

    by serviscope_minor (664417) on Tuesday April 22, 2014 @09:53AM (#46815091) Journal

    > Conflicting stances.

    No, not really. The OpenBSD people are working on OpenBSD for free because they want to. If you complain because they're not working on your preferred thing for free, you come across as a huge dick---precisely what you were complaining about said developers for waving around.

    > The fact of the matter is they have two possible modes of operation:

    Holy false dichotomy batman!

    > Contribute code back to OpenSSL

    The code is out there for the OpenSSL devs to take if they want. In fact it's all in the form of versioned patches against the OpenSSL code base. If the OpenSSL devs don't want to take it, then there's going to be a fork. That's not the fault of OpenBSD. The chances are there will be a fork because the goals of OpenSSL and OpenBSD are divergent.

    > or create a project tied to OpenBSD that won't run elsewhere.

    Or the third way of creating a portable library.

    > They've voiced openly that this new code will run on OpenBSD but not elsewhere,

    Seems reasonable. Their goal is to make a secure, BSD licensed operating system. I can see why they'd not want to waste their precious, valuable free (and sometimes funded by OpenBSD donors) time working on things which aren't open BSD.

    > but that they'll fix it to run elsewhere if you give them money

    Sounds reasonable to me. If you want a programmer to work on something for you that they don't already want to do themselves, then you pay them. Completely reasonable. I won't port my libraries to Windows or MacOS unless someone pays me because I don't like working on windows and don't own a Mac.

    > Or, you could apply your own effort to it.

    Isn't OSS neat? You don't even have to pay them! If you do the work up to an acceptable level of quality, they'll even bless it and include it in the official release. What decent, stand-up people they are.

    > Fact of the matter is they're not being philanthropic;

    Of course they are: they're providing a complete, free, secure operating system with many components that with little effort can be released elsewhere. For free, using their own time and effort. Just because they're not giving you exactly what you want doesn't make them not philanthropic.

    Do you also complain donate money to a registered charity instead of you personally? Does that also make them not philanthropists?

    > they're dangling a carrot and telling you if you want it you can either pay them to bring it down to you or you can climb the mountain and come take it

    So basically they're providing some great free carrots and you're objecting because they're not walking up to you and stuffing it in your mouth. And it's hardly a mountain.

    > They're putting in some effort to grow the carrot,

    If by some you mean far, far more than it would take for you to drag yourself up there, then yes. It's their time to put in. They can do it how they like. Dictating to them how they should spend their time without offering the slightest incentive makes you seem entitled.

    > but they've decided to plant their carrot field atop a mountain instead of using the fertile farm land at the base where the villagers can get to it.

    You mean they've put it where they need it rather than where a bunch of useless people who have never contributed a thing to them and do nothing but whine on the internet would find it most useful. Oh the huge manatee! The bastards. How could they!

    > Only the elite--the rich or the strong--can get the carrot,

    Or the people who run OpenBSD. It's free and open source. It even comes precompiled. Go install it for free and enjoy the fruits of their labour. Or contribute $1. If everyone who whinged like you contributed a dollar, you'd have it by now.

    If you count yourself as not rich enough to contribute a dollar and not strong enough to install OpenBSD or hack some C code, then you really do have my deepest sympathy. Well a bi

  • Re:Or.. (Score:5, Insightful)

    by serviscope_minor (664417) on Tuesday April 22, 2014 @10:01AM (#46815181) Journal

    > My point is that it costs less in labor to rewrite OpenSSL cleaned-up but OpenBSD only without consideration for other OSes than it does to rewrite OpenSSL with no such consideration. Then, when you go back and fix the now-broken OpenSSL rewrite (LibreSSL), you add more than the difference in that labor: it requires more overall effort to do this one-and-a-half times than to do it right once.

    Well, the OpenBSD people disagree with you. You also forgot the auditing of the code that they're going to be doing once it's fixed. Much easier on a clean codebase.

    They're not giving everyone a rewritten OpenSSL; they're giving everyone the concept of a rewritten OpenSSL, which you can put into use on OpenBSD, or you can apply your own effort or apply money to OpenBSD to get it written to work on Linux/FreeBSD/Windows.

    So they're building something they need for themselves personally, but are generous enough to make it available to everyone should anyone else need it. And they'll even let you freely modify it if it doesn't fit your needs! Not only that but if your mods are of no benefit to them but cleanly written and useful to others, they'll even go out of their way to include them in their project. What nice people. I think they should be applauded for their philanthropy.

    They do sound like awfully nice people to me.

    It's really a shame that there are so many people on the internet who complain that they're not spending even more time and even more effort to give more away for free. But there you go: some people just have a sense of entitlement out of all proportion.

  • Re:Awesome! (Score:4, Insightful)

    by lemur3 (997863) on Tuesday April 22, 2014 @10:41AM (#46815537)

    > I look forward to new and interesting side-effects of the pell-mell rush to clean up the code of a poorly written, poorly maintained, and even more poorly documented software package!

    more poorly documented than OpenSSL?

    the OpenBSD team creates some of the best documentation out there.. it is one of their major accomplishments and clearly important to them.

    if all they did were document it, openSSL would be better off for it.. they are forking it, improving the code and documenting it.

    Of course, they aren't gods, perhaps mistakes will be made.. but this team is known for producing high quality code and high quality documentation.. .. i think that you couldn't be any further from the mark with your flippant remark mr AC!

  • Re:Or.. (Score:4, Insightful)

    by thoth (7907) on Tuesday April 22, 2014 @11:41AM (#46816055) Journal

    > I'd much rather see the OpenSSL project itself get cleaned up

    That would be ideal, and there's nothing stopping the OpenSSL project from doing that.

    OpenBSD is a group that says - we are relying on this code that is totally busted, let's fix it - and they prioritized their OS first. I don't see a problem with that. OpenBSD is already making their work publicly available for free, they don't have the onus to actually provide bullet-proof solid code for every platform on the planet. Turns out other OS hackers need to roll up their sleeves too, and fork over some cash to support the effort.

  • by pr0fessor (1940368) on Tuesday April 22, 2014 @11:54AM (#46816169)

    SSSL - Secure Secure Socket Layer. Is that like when people say LAN Network - Local Area Network Network?
