
Not Just a Cleanup Any More: LibreSSL Project Announced

Posted by timothy
from the they'd-like-some-beer-money dept.
An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."
This discussion has been archived. No new comments can be posted.

  • Re:Or.. (Score:2, Interesting)

    by Anonymous Coward on Tuesday April 22, 2014 @09:25AM (#46814255)

    Are you on crack or just poorly trolling?

    How is that even remotely "holding OpenSSL hostage" ??? they make their own version for their pet OS. No one forces *you* or anyone else to use it, no one is forbidden to fix OpenSSL meanwhile (except for these few developers cleaning up LibreSSL I guess)

    If you know how to fix OpenSSL, please be my guest, otherwise just stop spouting nonsense ...

    oh, and by the way, seriously, go take a look [opensslrampage.org] at the horrible code that they're cleaning up and removing ... double free, missing checks, useless if/else conditions, memory mismanagement, and worse ... that cleanup was long overdue.

  • Re:Please don't (Score:4, Interesting)

    by upuv (1201447) on Tuesday April 22, 2014 @09:56AM (#46814499) Journal

    SSL is the standard.
    OpenSSL is an implementation
    LibreSSL is an implementation

    The standard isn't forked.

    In this instance the standard mostly applies to the protocol. The on system interfaces will most likely mutate rather quickly. Most specifically at the user interaction level. The library interfaces will most likely remain steady.

    This isn't a bad thing.

    SSL and its related crypto cousins are all about trust, but paradoxically crypto people don't trust crypto people so there is very little trust out there. So really powerful things like personal / corporate certificate authorities just don't exist in practice. Imagine the power of a CA for personal certs. It would change authentication forever. Goodbye 300 passwords. But since no two people can build two independent systems that truly trust each other there really is no hope for personal certificate authorities. Maybe this reboot of an SSL implementation can move us one step closer. Or even an inch/2.2cm.

  • by ThePhilips (752041) on Tuesday April 22, 2014 @10:35AM (#46814897) Homepage Journal

    And yet Americans like the word "liberty". Civil liberties. Statue of Liberty. And so on. That is simply inexplicable.

  • by gweihir (88907) on Tuesday April 22, 2014 @11:05AM (#46815227)

    That one is easy: Just throw it away completely. Systemd is a major redesign of a major, critical Linux component. You would think that there is a very good, solid, compelling reason to do so. Apparently all they really have is "it boots faster". (And apparently it does not even do that in quite a few circumstances...)

    My personal theory is that the NSA planned systemd as a project to sabotage Linux security (remember that Red Hat is primarily funded by the US military): Put an incompetent team with big egos in charge (Poettering and Sievers are certainly that), give them delusions of grandeur, make sure the BSD people ignore it by explicitly denying portability, and then just wait while the cretins produce a bloated, easy-to-exploit mess. (This "init-system" includes a freaking web-server! How stupid can you get?)

    No need to place any backdoors, and all the countless vulnerabilities are genuine mistakes! Genius!

  • Re:Or.. (Score:2, Interesting)

    by Anonymous Coward on Tuesday April 22, 2014 @11:25AM (#46815395)

    Call the new one OpenTLS and remove any support for old insecure SSL variants at the same time...
