Forgot your password?
typodupeerror
Security Android Chrome Chromium Google

Google Forks OpenSSL, Announces BoringSSL 128

Posted by Soulskill
from the if-you-want-something-done-right dept.
An anonymous reader writes Two months after OpenBSD's LibReSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."
This discussion has been archived. No new comments can be posted.

Google Forks OpenSSL, Announces BoringSSL

Comments Filter:
  • by NotInHere (3654617) on Saturday June 21, 2014 @10:31AM (#47288401)

    Compare email (you can choose your provider, but regardless, you can email anyone) vs. social networking (if you choose Facebook and your friend is the one person on Google+, you're out of luck)

    That's one of the reasons why I have email, jabber, and sms (and webrtc), but no social network.

  • by ctime (755868) on Saturday June 21, 2014 @10:34AM (#47288409)
    For those having a hard time understanding the naming convention,

    Boring: Not flashy, not exciting, not experimental, not sexy. Performs as expected.

    In other words, exactly how I want my security libraries, my databases, and the other critical infrastructure that runs the planet to be described as. Boring is good. A choice between boring Plain Jane and Simple Sally? Even better. Thank you.
  • Re:Yaaaay! (Score:3, Informative)

    by Opportunist (166417) on Saturday June 21, 2014 @10:56AM (#47288503)

    I prefer to eat capitalists.

  • Re:What a name! (Score:5, Informative)

    by swillden (191260) <shawn-ds@willden.org> on Saturday June 21, 2014 @11:10AM (#47288567) Homepage Journal

    First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."

    The name "BoringSSL."

    I am finding extreme difficulty in liking this name choice. What was Google thinking? Am I alone?

    It's not "What was Google thinking?", it's "What was Adam Langley thinking?". As for what he was thinking, it's pretty simple: Fundamental security components like SSL/TLS should be very, very boring. They're not a place for innovation and experimentation, they're not a place for clever code that demonstrates the author's virtuosity (assuming there is any such place, outside of Obfuscated C contests). They're not a place for exploration of how the C preprocessor can be used to automatically generate much of the codebase (which is something that OpenSSL has done). They're where you want very simple, straightforward, boring implementations of industry best practice algorithms and protocols.

    When it comes to security, boring is good.

    As Langley said in his blog post [imperialviolet.org], the name is aspirational. But it is his goal, to produce a security library which is completely boring. And it's a good thing.

  • by jones_supa (887896) on Saturday June 21, 2014 @11:32AM (#47288667)

    OpenSSL Gets Patch for 4-Year-Old Flaw [eweek.com]

    That one had a public CVE sitting for 4 years while nobody took the responsibility to fix it.

Thus spake the master programmer: "After three days without programming, life becomes meaningless." -- Geoffrey James, "The Tao of Programming"

Working...