Security Android Chrome Chromium Google

Google Forks OpenSSL, Announces BoringSSL

Posted by Soulskill
from the if-you-want-something-done-right dept.
An anonymous reader writes: Two months after OpenBSD's LibreSSL was announced, Adam Langley introduces Google's own fork of OpenSSL, called BoringSSL. "[As] Android, Chrome and other products have started to need some subset of these [OpenSSL] patches, things have grown very complex. The effort involved in keeping all these patches (and there are more than 70 at the moment) straight across multiple code bases is getting to be too much. So we're switching models to one where we import changes from OpenSSL rather than rebasing on top of them. The result of that will start to appear in the Chromium repository soon and, over time, we hope to use it in Android and internally too." First reactions are generally positive. Theo de Raadt comments, "Choice is good!!."
  • by Anonymous Coward on Saturday June 21, 2014 @09:51AM (#47288205)

    A huge part of the problem with OpenSSL is the attitude that anyone but the "Anointed Few" are discouraged from getting involved with security research or the development of cryptographic software.

    I know we're all familiar with the common saying, "Never roll your own crypto!" It's this attitude that drives good people away from even just analysing existing crypto code. Nobody wants to feel the unrelenting wrath of the security community toward outsiders, especially if you happen to find a flaw with something they created.

    How will Google avoid this aspect of the problem? Fixing the software bugs is one thing, but the bugs within the community itself are probably far harder to fix.

  • by colfer (619105) on Saturday June 21, 2014 @10:03AM (#47288257)

    Maybe by assigning people to the project who have not chosen security as a career field. On the Mozilla commits I used to follow, the personalities in the security arena were a different kettle of fish from the other developers. They had to maintain FIPS compliance, so were conservative about changes, but it was more than that. Not to mention, there's a possibility of workers with ulterior motives. All the more reason to develop a wider community than just self-selected specialists.

    The billion dollar companies can afford it, and should have a long time ago.

  • Re:Yaaaay! (Score:5, Interesting)

    by Megane (129182) on Saturday June 21, 2014 @10:22AM (#47288345)

    Yes. Because they don't want anyone else to have that data that they have gone to such effort to collect.

    Or at least not without paying for it.

  • by bmajik (96670) <matt@mattevans.org> on Saturday June 21, 2014 @10:22AM (#47288349)

    Bugs weren't missed in mainline openSSL. Bugs were logged, sat around for years, and didn't get fixed.

    The project management and software engineering practices for openSSL were/are simply not acceptable.

    The code is salvageable. The people and processes that allowed the code to get that way are not.

    "This code under new management"
