Not Just a Cleanup Any More: LibreSSL Project Announced
An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."
Please change the name! (Score:3, Informative)
LibreSSL.... Please for the love of code, change the name!
Re:Please change the name! (Score:5, Funny)
libwressle.so - will be here, sunday, Sunday, SUNDAY!!
Re: (Score:2)
nothing to do with wrestling but it sounds like it has something to do with certain kind of "monthlies".
Re: (Score:3, Funny)
I think LeSSL would sound better since they are reducing the code base by so much
Re: (Score:2)
Oui Oui, Le SSL!
Re:Please change the name! (Score:4, Funny)
Or they could go with MoreSSL, which sounds delicious.
Re: (Score:3)
LessSSL is actually a better name since they are deleting code rather than adding code.
Re: (Score:2)
Could not agree more. Sticking Libre! on the front of everything is getting annoying.
Re: (Score:2)
I'm British and I always pronounce it as 'leebrer' or 'leebra'.
because socialism is communism is real bad. (Score:2, Funny)
They should call it "FREEDUMB:SSL" and make everybody happy.
Or at least "rePun SSL". Sorry, it's hard finding a use for that -ZL sound.
They should have started a naming contest ... (Score:2)
LibreSSL.... Please for the love of code, change the name!
I wish they would start a naming contest soon.
There ought to be _someone_ out there who can come up with some much better name than "LibreSSL" ...
Re: (Score:2)
I doubt anything the OpenBSD group develops is going to be under the GNU licenses.
Re:Please change the name! (Score:5, Insightful)
What is with this reaction of Americans to the French/Latin word "libre"?
Re: (Score:2, Insightful)
It's not English nor does it have English roots, so they don't like it. It's simple really. You can apply that to many things Americans don't like.
Re:Please change the name! (Score:4, Interesting)
And yet Americans like the word "liberty". Civil liberties. Statue of Liberty. And so on. That is simply inexplicable.
Re:Please change the name! (Score:4, Funny)
Clearly you haven't been paying much attention to the US lately. Clearly, we don't.
Re: (Score:2)
So, how about FreedomSSL, then?
Re: (Score:3)
There's nothing wrong with the word Libre, it's just its use in this context is poor.
Open source has for a long time had a massive problem with naming of programs. I'm not talking about GIMP, I'm talking about naming things in an obvious way, like Photoshop, Paint Shop Pro, both those names mean something, OpenSSL means something too.
The problem is the title clash. OpenOffice, OpenSSL, MySQL, were examples of well named packages where the titles will straight away tell you what the package does. MariaDB wtf
Re: (Score:3)
LibreSSL? LibreOffice?
This reminds me of something [youtu.be]...
http://youtu.be/iV3-OdQkXPU
Re: (Score:2)
Please for the love of code, change the name!
It is a lot better than libiberty:
http://en.wikipedia.org/wiki/L... [wikipedia.org]
Re:Libre is the new Open (Score:5, Funny)
SSSL - Secure SSL
Re: (Score:3, Insightful)
SSSL - Secure Secure Socket Layer is that like when people say LAN Network - Local Area Network Network
Re: (Score:3)
I had the same idea. But I was actually serious.
I think they could have called it "ClosedSSL."
"You are still using OPEN ssl? Are you crazy? Use this CLOSED ssl to keep hackers out."
Slow clap (Score:2)
'Nuff said
Or.. (Score:2)
you use polarssl. Which is already exactly that.
Re: (Score:2)
Possibly it would be easier to integrate polarssl than clean up openssl, but they maybe like to work on crypto code instead of on interfaces.
Given that it's a volunteer effort (by them and by those who will volunteer some cash) I do not complain about it anyway.
Re: (Score:2)
PolarSSL doesn't have the same licensing model as OpenSSL, so it's not a drop-in replacement. (https://polarssl.org/how-to-get vs. http://www.openssl.org/source/... [openssl.org])
Re: (Score:2, Insightful)
I'd much rather see the OpenSSL pro
Re:Or.. (Score:4, Insightful)
I'd much rather see the OpenSSL project itself get cleaned up
That would be ideal, and there's nothing stopping the OpenSSL project from doing that.
OpenBSD is a group that says - we are relying on this code that is totally busted, let's fix it - and they prioritized their OS first. I don't see a problem with that. OpenBSD is already making their work publicly available for free, they don't have the onus to actually provide bullet-proof solid code for every platform on the planet. Turns out other OS hackers need to roll up their sleeves too, and fork over some cash to support the effort.
Re: (Score:2, Interesting)
Call the new one OpenTLS and remove any support for old insecure SSL variants at the same time...
Re: (Score:2, Interesting)
Are you on crack or just poorly trolling?
How is that even remotely "holding OpenSSL hostage"??? They make their own version for their pet OS. No one forces *you* or anyone else to use it, no one is forbidden to fix OpenSSL meanwhile (except for these few developers cleaning up LibreSSL I guess)
If you know how to fix OpenSSL, please be my guest, otherwise just stop spouting nonsense ...
oh, and by the way, seriously, go take a look [opensslrampage.org] at the horrible code that they're cleaning up and removing ... double free,
Re: (Score:3)
It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help. OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD unless you give them money to make it not.
FUD!
It's BSD! Source code will be available. No restrictions! How can they not give it back?
Re: (Score:2)
The source code is available. Is the labor available?
My point is that it costs less in labor to rewrite OpenSSL cleaned-up but OpenBSD only without consideration for other OSes than it does to rewrite OpenSSL with no such consideration. Then, when you go back and fix the now-broken OpenSSL rewrite (LibreSSL), you add more than the difference in that labor: it requires more overall effort to do this one-and-a-half times than to do it right once.
So you have two options: Pay up and have the OpenBSD wri
Re:Or.. (Score:5, Insightful)
My point is that it costs less in labor to rewrite OpenSSL cleaned-up but OpenBSD only without consideration for other OSes than it does to rewrite OpenSSL with no such consideration. Then, when you go back and fix the now-broken OpenSSL rewrite (LibreSSL), you add more than the difference in that labor: it requires more overall effort to do this one-and-a-half times than to do it right once.
Well, the OpenBSD people disagree with you. You also forgot the auditing of the code that they're going to be doing once it's fixed. Much easier on a clean codebase.
They're not giving everyone a rewritten OpenSSL; they're giving everyone the concept of a rewritten OpenSSL, which you can put into use on OpenBSD, or you can apply your own effort or apply money to OpenBSD to get written to work on Linux/FreeBSD/Windows.
So they're building something they need for themselves personally, but are generous enough to make it available to everyone should anyone else need it. And they'll even let you freely modify it if it doesn't fit your needs! Not only that but if your mods are of no benefit to them but cleanly written and useful to others, they'll even go out of their way to include them in their project. What nice people. I think they should be applauded for their philanthropy.
They do sound like awfully nice people to me.
It's really a shame that there are so many people on the internet who complain that they're not spending even more time and even more effort to give more away for free. But there you go: some people just have a sense of entitlement out of all proportion.
Re: (Score:2)
Well, the OpenBSD people disagree with you. You also forgot the auditing of the code that they're going to be doing once it's fixed. Much easier on a clean codebase.
That's part of the initial work. Once the code is re-ported and re-imported into the (diverging) OpenSSL base, it will require an additional audit. Things like Frama-C produce reports on impact analysis--you changed one line in one function and it affected 15% of your entire 2 million line code base.
Decades of research indicate that doing something not-quite-right the first time and then going back and redoing it requires more labor than doing it right the first time. We have an end state that we argu
Re: (Score:2)
This is a permanent fork akin to KHTML -> Webkit.
There is Buckley's chance OpenSSL will survive in any relevant fashion in its original form.
Re: (Score:2)
That's part of the initial work.
I'd say that's a good fraction if it.
Once the code is re-ported and re-imported into the (diverging) OpenSSL base
Who says they're going to do that? Much more likely that LibreSSL will be an API compatible alternative. They're only going to re-integrate if LibreSSL cleans up, which essentially means removing a huge amount of dead code. Which is what the OBSD people are doing.
it will require an additional audit.
Good job they're not doing it then.
Things like Frama-C produce repor
Re: (Score:2, Insightful)
Strong, your hatred of OpenBSD is. Blinded you are.
Actually, more like a raging fuckwit you are.
It's not about a better OpenSSL. It's about OpenBSD waving its penis around.
Frankly you're a complete fucking idiot if you think that. Basically if you persist on believing it, you are either ignorant or stupid. If the former, there's no excuse because it've been covered so many times on just slashdot alone. Therefor it's wilful ignorance. Actually I think it's malice because you appear to hate OpenBSD for no rat
Re:Or.. (Score:4, Insightful)
Conflicting stances.
No, not really. The OpenBSD people are working on OpenBSD for free because they want to. If you complain because they're not working on your preferred thing for free, you come across as a huge dick---precisely what you were complaining about said developers for waving around.
The fact of the matter is they have two possible modes of operation:
Holy false dichotomy batman!
Contribute code back to OpenSSL
The code is out there for the OpenSSL devs to take if they want. In fact it's all in the form of versioned patches against the OpenSSL code base. If the OpenSSL devs don't want to take it, then there's going to be a fork. That's not the fault of OpenBSD. The chances are there will be a fork because the goals of OpenSSL and OpenBSD are divergent.
or create a project tied to OpenBSD that won't run elsewhere.
Or the third way of creating a portable library.
They've voiced openly that this new code will run on OpenBSD but not elsewhere,
Seems reasonable. Their goal is to make a secure, BSD licensed operating system. I can see why they'd not want to waste their precious, valuable free (and sometimes funded by OpenBSD donors) time working on things which aren't OpenBSD.
but that they'll fix it to run elsewhere if you give them money
Sounds reasonable to me. If you want a programmer to work on something for you that they don't already want to do themselves, then you pay them. Completely reasonable. I won't port my libraries to Windows or MacOS unless someone pays me because I don't like working on Windows and don't own a Mac.
Or, you could apply your own effort to it.
Isn't OSS neat? You don't even have to pay them! If you do the work up to an acceptable level of quality, they'll even bless it and include it in the official release. What decent, stand-up people they are.
Fact of the matter is they're not being philanthropic;
Of course they are: they're providing a complete, free, secure operating system with many components that with little effort can be released elsewhere. For free, using their own time and effort. Just because they're not giving you exactly what you want doesn't make them not philanthropic.
Do you also complain when people donate money to a registered charity instead of to you personally? Does that also make them not philanthropists?
they're dangling a carrot and telling you if you want it you can either pay them to bring it down to you or you can climb the mountain and come take it
So basically they're providing some great free carrots and you're objecting because they're not walking up to you and stuffing it in your mouth. And it's hardly a mountain.
They're putting in some effort to grow the carrot,
If by some you mean far, far more than it would take for you to drag yourself up there, then yes. It's their time to put in. They can do it how they like. Dictating to them how they should spend their time without offering the slightest incentive makes you seem entitled.
but they've decided to plant their carrot field atop a mountain instead of using the fertile farm land at the base where the villagers can get to it.
You mean they've put it where they need it rather than where a bunch of useless people who have never contributed a thing to them and do nothing but whine on the internet would find it most useful. Oh the huge manatee! The bastards. How could they!
Only the elite--the rich or the strong--can get the carrot,
Or the people who run OpenBSD. It's free and open source. It even comes precompiled. Go install it for free and enjoy the fruits of their labour. Or contribute $1. If everyone who whinged like you contributed a dollar, you'd have it by now.
If you count yourself as not rich enough to contribute a dollar and not strong enough to install OpenBSD or hack some C code, then you really do have my deepest sympathy. Well a bi
Re: (Score:2)
Tell you what, how about you come over to my house at a time of my choosing (I'm a busy man) and at your own expense (I don't see why I should have to pay you for travel if I'm not going to pay you for the work) and dig my garden for me for free and exactly how I like (it has to be just-so or it doesn't count).
Actually, in my community, I had a burned down house that was there for 14 years torn down. I've been recommended to put a fence around it so people don't walk through, but that would be ugly. Instead I've bought the lot, and planted fruit trees and lavender bushes, added a bee hive. So rather than a fenced-off ugly lot with a private park, I have applied similar (nearly identical) effort and gained a huge improvement for the community. Of course, trash does blow through occasionally and I have to rake
Re: (Score:2)
Actually, in my community...
So? I don't live in your community. I live elsewhere so what you did there is useless to me. So, come over to my place and fix it up. No, I *DEMAND* you do, or I shall say mean things about you on the internet. In fact I shall say exactly the same silly things about you being a selfish bastard and how fuck me and basically all the same silly things you're saying about the OBSD developers.
Basically you're whining about how they're not (metaphorically) flying 5000 miles to fix up a
Re: (Score:2)
sarcasm, hold your fire.
Parent is saying Theo and team are worthy stewards of ssh and will again be so regarding ssl.
Re: (Score:2)
Not contributing back? Are you fucking retarded? The OpenSSL team can always take fixes from the version that OpenBSD creates.
This has nothing to do with Theo's penis and everything to do with OpenSSL being a monstrous pile of crap that its devs are afraid to touch.
So basically what you want them to do is take your pet project, fix the fact that it's a bloated pile of crap, and do it for your OS and your requirements which have absolutely nothing to do with theirs?
You've got to be pretty lazy and extremely
Re: (Score:2)
This is not a universal good. There is a cost to:
* Choice. Now I need to figure out which is better. This is why Amazon has reviews - choice makes things difficult.
* Diffusion of resources. Part of the reason OpenSSL was so bad was that this team had no money and no resources.
There are a lot of projects out there, forks for spite, forks for license religion, that are a waste of time and resources. "Oh ____ has a free software license, but it has slightly differ
Re: (Score:3)
They already have music under the "OpenSSL" link on the LibreSSL webpage. Seems they are ahead of you ;-)
Please don't (Score:3)
Don't fork SSL, we need to keep one standard, I'd think. This is a bad idea. These resources could be used to improve OpenSSL directly.
Re:Please don't (Score:5, Insightful)
It's not a bad idea. OpenSSL has become unwieldy, which has been known for quite some time. A major refactoring is long overdue. Does it matter if the project changes name? OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.
> Even after all those changes, the codebase is still API compatible.
It's going to be a drop in replacement for OpenSSL. Same idea as the MariaDB fork of MySQL. Where is the "bad idea" here?
Re: (Score:2, Funny)
Where is the "bad idea" here?
A fork is alien to the OSS concept. If you are not happy with the direction and quality of the current maintainer and code, and think you can do better, you shouldn't just fork it and do it. Who has ever asked you to do that with OSS?? You should work with the provider and hope that helps.
Re: (Score:2)
What? Forking is a huge part of the OSS concept. "If you don't like the way the devs are going, STFU and change it yourself."
In *practice* it may not work that way very often (the biggest offenders in recent memory are massive projects that it's infeasible for a single or handful of developers to maintain. i.e. browsers, DEs, etc..), but you've got a pretty warped idea of OSS if you think it's "alien" to the concept.
Re: (Score:2)
OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.
Rather, they apparently don't (hence the donations plea). What they do have time for is forking OpenSSL, cutting out the stuff they don't care about, and slapping each other on the back for giving OpenSSL a good poke in the eye.
Re: (Score:2)
Don't fork SSL
They're not.
we need to keep one standard
They are.
This is a bad idea.
It's not, because your assumptions above are faulty.
These resources could be used to improve OpenSSL directly.
That's exactly what they are doing. But they're forking OpenSSL because they want to do it their way.
Re:Please don't (Score:4, Interesting)
SSL is the standard.
OpenSSL is an implementation
LibreSSL is an implementation
The standard isn't forked.
In this instance the standard mostly applies to the protocol. The on-system interfaces will most likely mutate rather quickly, most specifically at the user interaction level. The library interfaces will most likely remain steady.
This isn't a bad thing.
SSL and its related crypto cousins are all about trust, but paradoxically crypto people don't trust crypto people, so there is very little trust out there. So really powerful things like personal / corporate certificate authorities just don't exist in practice. Imagine the power of a CA for personal certs. It would change authentication forever. Good bye 300 passwords. But since no two people can build two independent systems that truly trust each other, there really is no hope for personal certificate authorities. Maybe this reboot of an SSL implementation can move us one step closer. Or even an inch/2.2cm.
Get it FIPS certified (Score:5, Insightful)
Re:Get it FIPS certified (Score:4, Funny)
People are starting to think that "FIPS Certified" means "has all required NSA backdoors installed".
Re:Get it FIPS certified (Score:4, Insightful)
Another way of thinking about this - your liability is much higher when your badly broken crypto results in your customer database in the pastebin, than when your backdoored library results in your customer database somewhere in the NSA data vault.
Re:Get it FIPS certified (Score:5, Informative)
Having gone through the certification process myself, people that think that are stupid, paranoid idiots. The certification process is entirely based on finding and fixing known flaws in the encryption process, nothing I saw would indicate any kind of weakening.
Of course, it's entirely possible that the NSA was aware that my code was insecure and just didn't request any changes to make it weaker, but the certification process certainly didn't make that apparent.
Re: (Score:3)
Wrong.
A specific version of the OpenSSL binaries a LONG time ago received a low level of FIPS 140 certification. That certification was for specific binaries built from a specific code base. The instant a single line of source was changed, the entire FIPS certification is null and void for the new version. Depending on the exact way it was certified it is entirely possible that even compiling the same source code from the version that was certified ... does not itself receive the certification.
NO ONE use
Re: (Score:2)
That's not quite right either. The open-source releases of OpenSSL certainly do not ship with any implied FIPS certification. OpenSSL does offer FIPS validation for a specific build as part of their commercial support program [openssl.org]. They say "Support for the FIPS Object Module, including assistance with building a validated module for a specific platform (if possible) is available with the Premium plan". It is not correct that these versions are exactly the same code as the ones first certified long ago.
There
Re: (Score:3)
The core encryption functions of an older version (0.9.8, I think) were spun off into a separate module and certified for FIPS. The certification process is that the code is provably correct and the implementation is flawless, which is why it takes so damn long. It is also why only the core crypto transforms are certified.
You CAN, and vendors DO update the wrapper module around the core functions and update things without having to go back under certification.
Case in point. The Red Hat version of FIPS-OpenSS
Re: (Score:2)
If OpenBSD is successful in their goal of making a lean and mean LibreSSL, is there anything that stops someone else from getting it FIPS certified?
Clearly it would have to be re-done with each release, so presumably nobody would bother until LibreSSL is stable.
Re: (Score:2)
Do you know what FIPS certification does ?
They check the algorithms (read: math), not the implementation.
So nothing has really changed from that standpoint.
Will LibreSSL be FIPS certified ? Probably not.
Re: (Score:2)
The key reason OpenSSL is so popular in the US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has a certified module.
Sounds like a good idea. Perhaps the system integrators who want to have a FIPS certified version of SSL that is also secure should do the legwork on getting the certification done, while Theo and his team work on the code. Decentralized [wikipedia.org] do-ocracy [communitywiki.org] FTW.
Re: (Score:2)
That's why I avoid all this open-source hippie code and only use genuine RSA BSAFE [wikipedia.org].
s/open/libre/ ? (Score:2)
OpenSSL -> LibreSSL
Will the next be
OpenSSH -> LibreSSH
OpenBSD -> LibreBSD
OpenStack -> LibreStack
Re: (Score:3)
They never claimed they were.
Re:Graphic design geniuses too (Score:5, Informative)
There's something at the bottom of the page.
"This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags"
Re: (Score:3)
Fait accompli, apparently. :D
Well played, Theo et al.
Re: (Score:3)
This. Seriously. People may not think that appearance is important, but it is. Comic Sans does not inspire confidence.
Re: (Score:2)
Who thinks it's important? Who'll decide to switch or not based on a font on a website? Why?
Re:Graphic design geniuses too (Score:5, Insightful)
Comic Sans in particular is designed to imitate comic book lettering. It's not particularly professional. In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals. Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.
Re: (Score:3)
Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.
Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option. If people want to make stupid emotional decisions, then it's time to let them. No actually, it's time to encourage them because it means I will have fewer serious competitors as the competition hamstrings itself with ill-informed emotional decisions.
Re: (Score:3)
Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.
Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option. If people want to make stupid emotional decisions, then it's time to let them. No actually, it's time to encourage them because it means I will have fewer serious competitors as the competition hamstrings itself with ill-informed emotional decisions.
They're pleading for donations. Are you comfortable being the sole donor, too?
Re: (Score:2)
In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals
Except you're right, it was caused by half-assing what was supposed to be a good feature, because the programmers decided they would just stop and come back to it later. But now we have *different* amateur volunteers working on it! Problem solved!
Re: (Score:2)
I don't think they care about how their font is interpreted.
I think this is more like - we're busy actually fixing code and not going to hire a team of web designers to produce a web 2.0 dynamic social-media-hooked-into website with a few links and a bit of text.
Aha! (Score:3)
This. Seriously. People may not think that appearance is important, but it is. Comic Sans does not inspire confidence.
WEB HIPSTER DETECTED! ;)
Re: (Score:2)
You seem to have missed the line at the bottom...
The link to OpenSSL is funny too ;-)
Re: (Score:2)
I'd say it's puerile -- and a bit alarming, considering these people are building something so important to the continued health of the internet.
But it goes right along with the notion that they are not even considering helping the original OpenSSL project (one that they have benefited greatly from in the past) and instead simply forked it in order to do only work that benefits themselves. The "we will get around to multiplatform when the donations pour in" is about as pathetic as the "we will get around to fixing that vulnerability countermeasure code later" that caused Heartbleed in the first place. If Heartbleed didn't scare people away from Fr
Re: (Score:2)
they are not even considering helping the original OpenSSL project (one that they have benefited greatly from in the past) and instead simply forked it in order to do only work that benefits themselves.
so you're suggesting that the maintainers of OpenSSL would have gladly allowed some new kids on the block to come in and remove over 200,000 lines of stuff? And that the new kids on the block are being lame for not trying to do so?
I think this move kind of strikes to the heart of the benefits of opensource projects. When someone decides they want to go in a different direction, they can. This direction is clearly (judging by the nearly 100,000 lines of code removed) different than the one the OpenSSL team is o
Re: (Score:3, Informative)
They DO OpenSSH. And other projects: http://www.openbsdfoundation.org/
Re: (Score:2)
The OpenSSH security track record is excellent, almost perfect.
Re: (Score:2)
Did you screw up the config? That will get you rooted...
Otherwise, please supply a CVE number for the vulnerability responsible.
Re: (Score:2)
You did notice that "legacy" in the thing you quote? You can run OpenSSH with insecure settings or with protocol version 1.0. But if you use these you are supposed to look at the security trade-offs yourself. The thing is that it is not OpenSSH that is insecure here, it just allows you to shoot yourself in the foot after warning you.
Mod parent Troll (Score:3)
How the fuck does this kind of trolling/tin-foil-hattery get to +5? The only "Interesting" thing about it is the apparent level of paranoia being experienced by gweihir. I mean, Red Hat as an NSA tool to Destroy Linux? Sure!
I get it, some folks hate systemd and everything Lennart does (and I'm not picking sides anymore), but the parent is just a smear job.
Re:Awesome! (Score:4, Insightful)
I look forward to new and interesting side-effects of the pell-mell rush to clean up the code of a poorly written, poorly maintained, and even more poorly documented software package!
more poorly documented than OpenSSL?
the OpenBSD team creates some of the best documentation out there.. it is one of their major accomplishments and clearly important to them.
if all they did were document it, openSSL would be better off for it.. they are forking it, improving the code and documenting it.
Of course, they aren't gods, perhaps mistakes will be made.. but this team is known for producing high quality code and high quality documentation.. I think that you couldn't be any further from the mark with your flippant remark, Mr AC!