Not Just a Cleanup Any More: LibreSSL Project Announced
An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."
Re:Or.. (Score:2, Interesting)
Are you on crack or just poorly trolling?
How is that even remotely "holding OpenSSL hostage"? They make their own version for their pet OS. No one forces *you* or anyone else to use it, no one is forbidden to fix OpenSSL meanwhile (except for these few developers cleaning up LibreSSL, I guess).
If you know how to fix OpenSSL, please be my guest, otherwise just stop spouting nonsense ...
Oh, and by the way, seriously, go take a look [opensslrampage.org] at the horrible code that they're cleaning up and removing ... double free, missing checks, useless if/else conditions, memory mismanagement, and worse ... that cleanup was long overdue.
Re:Please don't (Score:4, Interesting)
SSL is the standard.
OpenSSL is an implementation.
LibreSSL is an implementation.
The standard isn't forked.
In this instance the standard mostly applies to the protocol. The on-system interfaces will most likely mutate rather quickly, most specifically at the user interaction level. The library interfaces will most likely remain steady.
This isn't a bad thing.
SSL and its related crypto cousins are all about trust, but paradoxically crypto people don't trust crypto people, so there is very little trust out there. So really powerful things like personal / corporate certificate authorities just don't exist in practice. Imagine the power of a CA for personal certs. It would change authentication forever. Goodbye 300 passwords. But since no two people can build two independent systems that truly trust each other, there really is no hope for personal certificate authorities. Maybe this reboot of an SSL implementation can move us one step closer. Or even an inch/2.2cm.
Re:Please change the name! (Score:4, Interesting)
And yet Americans like the word "liberty". Civil liberties. Statue of Liberty. And so on. That is simply inexplicable.
Re:What will be next: LibreSystemd? (Score:1, Interesting)
That one is easy: Just throw it away completely. Systemd is a major redesign of a major, critical Linux component. You would think that there is a very good, solid, compelling reason to do so. Apparently all they really have is "it boots faster". (And apparently it does not even do that in quite a few circumstances...)
My personal theory is that the NSA planned systemd as a project to sabotage Linux security (remember that Red Hat is primarily funded by the US military): Put an incompetent team with big egos in charge (Poettering and Sievers are certainly that), give them delusions of grandeur, make sure the BSD people ignore it by explicitly denying portability, and then just wait while the cretins produce a bloated, easy-to-exploit mess. (This "init system" includes a freaking web server! How stupid can you get?)
No need to place any backdoors, and all the countless vulnerabilities are genuine mistakes! Genius!
Re:Or.. (Score:2, Interesting)
Call the new one OpenTLS and remove any support for old insecure SSL variants at the same time...