OpenSSL Fork

I do remember one of the FreeBSD developers calling OpenSSL a result of a typical graduate student programming project that cannot be called quality software by any measure (or something to that effect). I'm really pessimistic if this new fork would do any better.
 
There's a website where you can follow the progress they make: http://opensslrampage.org/

Their commit messages are hilarious. The most cynical stuff I've read in a while.

kpa said:
I'm really pessimistic if this new fork would do any better.
Once they are done it'll have a similar quality as the rest of the OpenBSD stuff. I'm very optimistic.
 
Well, I think it's a good thing. Certainly the removal of support for all the old operating systems that should have been removed a long time ago. I'm sure in due time we'll get a nice port for LibreSSL too :)
 
I think good will come of it too, and it will be well documented.

I like this at the bottom of the LibreSSL website:

This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags
 
The OpenBSD guys can be trusted to do a good job. I think they will do well.
 
Yeah, whilst the majority of the open-source community is spending almost all their resources on reinventing the wheel with desktop environments, it is nice to see the OpenBSD guys doing something genuinely useful (and difficult).

Based on how OpenBSD maintains the portable version of OpenSSH, the LibreSSL fork will definitely be a great benefit to everyone :)
 
While I am sure the OpenBSD developers are capable of creating quality code, I am worried about their social skills. Look at the website they set up, which is intentionally annoying and hard to read. Look at the cynical comments they are making in their commits. Look at all the cross-platform code they are ripping out, with the claim they will add it back later if they get enough money. These are not actions made by mature people and it makes me wonder if any other projects (outside OpenBSD) will be willing to work with them to port LibreSSL to other platforms.

They shouldn't be pointing fingers at the OpenSSL devs (no one should). We all used the OpenSSL library for years without thinking about it, complaining or offering to help fix the code and documentation. We were all passive and Heartbleed was the result. The OpenSSL devs had almost no budget or help. So, yeah, the codebase was in hard shape, but that is as much our fault (the open source community's) as theirs.

I'm more interested in the work proposed by The Linux Foundation and their group, which looks to work with the OpenSSL devs to audit and fix the existing code. This should avoid any huge changes and maintain cross-platform compatibility, two things the OpenBSD developers are not interested in.
 
I'm with @NewGuy on this one. From the looks of it the LibreSSL guys are establishing themselves as hostile competitors to OpenSSL with no intention at all of contributing back their findings of what is wrong with OpenSSL. If that is what they are about then I see no future for them.
 
I think OpenSSL is such a core piece of the Internet right now that developer attitudes are not entirely relevant at this point. I have absolutely no reservations that the quality of code the LibreSSL developers put out will be of top quality. I agree however that it remains to be seen if the project will be willing to work with anyone else regarding bugs/features which is of obvious necessity if the code is to be used outside the OpenBSD project.
 
NewGuy said:
it makes me wonder if any other projects (outside OpenBSD) will be willing to work with them to port LibreSSL to other platforms.
Take a look at this list. Most of their stuff (most notably OpenSSH) works just fine on other platforms.

NewGuy said:
They shouldn't be pointing fingers at the OpenSSL devs (no one should).
I disagree. Both the guy who sent the patch which contained the bug as well as the OpenSSL team member who waved it through (on a 1st of January!) are to blame here. They fscked up royally and deserve to have fingers pointed at them. Irresponsibility must not go unpunished.

NewGuy said:
We were all passive and Heartbleed was the result.
Well, we'd been better off if the guy who introduced the bug (and who is also the co-author of the heartbeat extension which contained it) had been passive. He neither was nor is a member of the OpenSSL team.

NewGuy said:
The OpenSSL devs had almost no budget or help. So, yeah, the codebase was in hard shape, but that is as much our fault (the open source community's) as theirs.
The OpenBSD project does not have much money either but somehow these guys manage to come up with good code. The problem isn't money, but attitude.

NewGuy said:
This should avoid any huge changes and maintain cross-platform compatibility, two things the OpenBSD developers are not interested in.
Huge changes are exactly what's needed, OpenSSL is literally FUBAR. I bet there are a couple of other interesting bugs to be found in this code. And porting LibreSSL to other Unices will probably be quite easy.
 
It's a fork.

Who placed the burden of OpenSSL on their backs? They also said they are coding their OpenSSL fork for OpenBSD, so why can't the developers do it the way they do everything else related to OpenBSD? It's no secret how snarky they can get. Especially for people who are developing free software.

As for the notes ... I'm happy knowing a bunch of good developers are informing people how poor the original coding was, and that they're taking a really good look at the entire code.
 
worldi said:
I disagree. Both the guy who sent the patch which contained the bug as well as the OpenSSL team member who waved it through (on a 1st of January!) are to blame here.
This is true but I can't help thinking that this is almost like someone had a slip of the finger, created a typo, and it got through. If it weren't for that, none of this uproar would have happened. Which makes me wonder why, if the code is so bad, nothing was done sooner and, all of a sudden, great masses of people are changing things. If it was good enough before, why wasn't it good enough before now?

So I guess the good in this is that, if the code really is in such bad shape, it will be fixed now but you have to wonder how good it will be if they're in such a rush to rewrite it now.
 
The typical solution for big business? Throw money at a problem and hope for the best.

However, the problem here is not financial, but technical (at least mostly).
  • These people have implemented useless and dangerous features.
  • For too many years, they have been ignoring patches contributed by many people all around the world; sometimes more than one patch for the same bug.
  • They have kept literally tens of thousands of lines of dead code and obsolete code.
  • And last but not least they have made criminally irresponsible programming errors (1, 2) you'd only expect coming from sloppy fresh graduates. This blog may be written by an OpenBSD developer and one of the main developers of the LibreSSL fork, but facts are facts.

OpenSSL is ubiquitous and crucial. If these guys are incapable of developing proper code and maintaining it, then they should let more competent people do so.
Heartbleed is the tip of the iceberg. Who knows how many other bugs are hiding under that thick layer of crap!


drhowarddrfine said:
If it was good enough before, why wasn't it good enough before now?
It was crap all along. PHK and Theo de Raadt can't both be wrong.

drhowarddrfine said:
you have to wonder how good it will be if they're in such a rush to rewrite it now.
So far, they've mostly been making the code more readable by reformatting it to conform to KNF and removing useless parts.
Readable code is the priority right now. That alone will make the process of rewriting easier and will contribute to a higher code quality.
 
Beastie said:
OpenSSL is ubiquitous and crucial. If these guys are incapable of developing proper code and maintaining it, then they should let more competent people do so.

Nobody was ever stopping the rest of the world from auditing the code or trying to implement the same functionality. It is not like the few OpenSSL developers had a monopoly on cryptography software. The fact is, everyone used their implementation and didn't care about the quality of the code or the documentation until about a month ago. For years and years everyone happily used the OpenSSL project, no one bothered to improve it or try writing a suitable replacement. If they had, maybe we wouldn't be facing this problem.

Yes, a small amount of blame rests on the OpenSSL developers who made some coding mistakes, but everyone else went along with them for years, happy to ignore potential problems, happy to take the code as-is without any audits.

Comments like the one quoted above show what the real issue is: the desire to assign blame to someone else rather than offer a helping hand.
 
NewGuy said:
Beastie said:
OpenSSL is ubiquitous and crucial. If these guys are incapable of developing proper code and maintaining it, then they should let more competent people do so.
...
Comments like the one quoted above show what the real issue is: the desire to assign blame to someone else rather than offer a helping hand.

I am with @NewGuy. I would like to remember that other SSL libraries (SecureTransport and GnuTLS) had from a coding point of view to fix even more blameworthy bugs quite recently. I also would like to remember that there is much more behind cryptography than pure coding craftwork, and the big mouths everywhere around have still to prove that ugly code formatting is an indication for bad cryptography - not to mention that the distinction between ugly and pretty is basically a matter of taste.

Many people tend to throw out the baby with the bath water.
 
NewGuy said:
Comments like the one quoted above show what the real issue is: the desire to assign blame to someone else rather than offer a helping hand.
Sure, go ahead, quote things out of context and ignore the rest of the post, like the part where I mention the fact that many contributed patches have been rotting in the queue for many years.

OpenSSL is past the stage where it should be offered "a helping hand". The LibreSSL fork is all it should be offered. They saw it coming.

I'll leave it at that.
 
NewGuy said:
We all used the OpenSSL library for years without thinking about it, complaining or offering to help fix the code and documentation. We were all passive and Heartbleed was the result. The OpenSSL devs had almost no budget or help. So, yeah, the codebase was in hard shape, but that is as much our fault (the open source community's) as theirs.

No.

- Many, *MANY* people have complained about OpenSSL for a long time.
- Lack of funding is NOT an excuse to write a) buggy code which b) no one asked for, for which c) there was no deadline, then d) enable it by default, e) making it impossible to disable without a recompile, f) even though no one wanted this feature, anyway.
- OpenSSL does not really have a lack of funding. It raked in about $1M last year, which is not bad IMHO.
- Even if they did have a lack of funding, the OpenSSL people were pretty passive about it. Did you ever see an OpenSSL fund-raiser? I didn't. Making comments such as "I'm surprised this doesn't happen more often" (from the OpenSSL dev who implemented heartbeat!) show a complete lack of responsibility and even apathy.

The OpenBSD people may not be perfect, but at least they produce pretty good systems most of the time.
 
NewGuy said:
Beastie said:
OpenSSL is ubiquitous and crucial. If these guys are incapable of developing proper code and maintaining it, then they should let more competent people do so.

Nobody was ever stopping the rest of the world from auditing the code or trying to implement the same functionality. It is not like the few OpenSSL developers had a monopoly on cryptography software. The fact is, everyone used their implementation and didn't care about the quality of the code or the documentation until about a month ago.

Not true. People have been complaining for years about how bad the code and documentation are, and many people have submitted patches to improve it .... only to have the OpenSSL project not integrate the patches. And many people who have tried to improve things have given up because nothing they submit gets touched.
 