1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News Google forks OpenSSL into BoringSSL

Discussion in 'Article Discussion' started by Gareth Halfacree, 23 Jun 2014.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,130
    Likes Received:
    6,719
    Gareth Halfacree, 23 Jun 2014
    #1
  2. Beasteh

    Beasteh What's a Dremel?

    Joined:
    18 Feb 2012
    Posts:
    278
    Likes Received:
    10
    Mr Langley? As in home of the CIA? That's no coincidence!

    Seriously though, OpenSSL suffers because it's an open source project with a paltry budget. It isn't funded by the beneficiaries of the code - huge web companies that should really be giving something back to the service they rely on. It's a real embarrassment that the likes of Yahoo couldn't spare a few dollars to help fund security audits of the OpenSSL code.

    It's good to see at least one firm taking responsibility.
     
    Beasteh, 23 Jun 2014
    #2
  3. yuusou

    yuusou Multimodder

    Joined:
    5 Nov 2006
    Posts:
    2,878
    Likes Received:
    955
    I wouldn't consider completely forking the code taking responsibility. It just means they're just another company that didn't finance OpenSSL or audits of it's code either. Nor have other giants (and smaller companies) that are dependent on this technology. Actually, as stated in the post, most of them were barely aware of OpenSSL until heartbleed (or Apple's gotos). It just means they'd rather dish out on their own variant.
     
    yuusou, 23 Jun 2014
    #3
  4. Gareth Halfacree

    Gareth Halfacree WIIGII! Lover of bit-tech Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    17,130
    Likes Received:
    6,719
    Actually, the Linux Foundation recently launched the Core Infrastructure Initiative which sees major-name companies putting money in a pot for the Foundation to dish out to important open-source projects - starting with OpenSSL, the Network Time Protocol and OpenSSH. You'd definitely recognise some of the names: Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware, Adobe, Bloomberg, HP, Huawei, salesforce.com... No Yahoo as far as I'm aware, though.
    See above: Google is one of the companies putting real cash money into the Core Infrastructure Initiative specifically to boost OpenSSL's security and code quality. It's also promised to continue to do so even as it works on its own BoringSSL fork.
    I would be very surprised if Google et al were "barely aware of OpenSSL;" the article is referring to end-users, none of whom had any reason to know the name of the library that provides cryptographic services to their operating system or application until headlines like "OPENSSL HEARTBLEED VULN WILL STEAL YOUR CHILDREN" hit the mainstream rags. Certainly, very few companies "dish out on their own variant;" building a secure cryptographic library is really hard. Look at OpenSSL: industry experts, open source, massive deployment, been running for years, and we're still finding gaping gert holes in the damn thing.
     
    Gareth Halfacree, 24 Jun 2014
    #4
  5. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,953
    Likes Received:
    270
    Have you actually read the article ? BoringSSL was pretty much OpenSSL + Google patches, which has been rejected by OpenSSL. BoringSSL is now swithing to being a fork which includes Google patches, plus new commits from OpenSSL and LibreSSL unless there is a conflict.

    It is pretty much a process change only at Google, for SSL library used in Google products.

    Before :
    • Check out OpenSSL source code
    • Apply Google patches

    Now :
    • Check out BoringSSL source code
    • Apply new OpenSSL or LibreOffice commits (patches)
     
    faugusztin, 24 Jun 2014
    #5
  6. Beasteh

    Beasteh What's a Dremel?

    Joined:
    18 Feb 2012
    Posts:
    278
    Likes Received:
    10
    The active phrase there being "recently" - as per my original post, it's about time these companies supported the services they rely on.

    I don't doubt that donations of code and cash have taken place in the past, but it's better to see a consistent, concerted effort with proper funding (like an in-house product might get). Of course, it could all go horribly wrong if each firm tries to pull in separate directions...
     
    Beasteh, 24 Jun 2014
    #6
Tags: Edit

Share This Page