
News Google forks OpenSSL into BoringSSL

Discussion in 'Article Discussion' started by Gareth Halfacree, 23 Jun 2014.

  1. Gareth Halfacree

  2. Beasteh

    Mr Langley? As in home of the CIA? That's no coincidence!

    Seriously though, OpenSSL suffers because it's an open source project with a paltry budget. It isn't funded by the beneficiaries of the code - huge web companies that should really be giving something back to the service they rely on. It's a real embarrassment that the likes of Yahoo couldn't spare a few dollars to help fund security audits of the OpenSSL code.

    It's good to see at least one firm taking responsibility.
     
  3. yuusou

    I wouldn't consider completely forking the code taking responsibility. It just means they're just another company that didn't finance OpenSSL or audits of its code either. Nor have other giants (and smaller companies) that are dependent on this technology. Actually, as stated in the post, most of them were barely aware of OpenSSL until Heartbleed (or Apple's gotos). It just means they'd rather dish out on their own variant.
     
  4. Gareth Halfacree

    Actually, the Linux Foundation recently launched the Core Infrastructure Initiative, which sees major-name companies putting money in a pot for the Foundation to dish out to important open-source projects - starting with OpenSSL, the Network Time Protocol and OpenSSH. You'd definitely recognise some of the names: Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware, Adobe, Bloomberg, HP, Huawei, salesforce.com... No Yahoo as far as I'm aware, though.

    See above: Google is one of the companies putting real cash money into the Core Infrastructure Initiative specifically to boost OpenSSL's security and code quality. It's also promised to continue to do so even as it works on its own BoringSSL fork.

    I would be very surprised if Google et al were "barely aware of OpenSSL"; the article is referring to end-users, none of whom had any reason to know the name of the library that provides cryptographic services to their operating system or application until headlines like "OPENSSL HEARTBLEED VULN WILL STEAL YOUR CHILDREN" hit the mainstream rags. Certainly, very few companies "dish out on their own variant"; building a secure cryptographic library is really hard. Look at OpenSSL: industry experts, open source, massive deployment, been running for years, and we're still finding gaping gert holes in the damn thing.
     
  5. faugusztin

    Have you actually read the article? BoringSSL was pretty much OpenSSL + Google patches, which have been rejected by OpenSSL. BoringSSL is now switching to being a fork which includes Google patches, plus new commits from OpenSSL and LibreSSL unless there is a conflict.

    It is pretty much a process change only at Google, for the SSL library used in Google products.

    Before :
    • Check out OpenSSL source code
    • Apply Google patches

    Now :
    • Check out BoringSSL source code
    • Apply new OpenSSL or LibreOffice commits (patches)
     
  6. Beasteh

    The active phrase there being "recently" - as per my original post, it's about time these companies supported the services they rely on.

    I don't doubt that donations of code and cash have taken place in the past, but it's better to see a consistent, concerted effort with proper funding (like an in-house product might get). Of course, it could all go horribly wrong if each firm tries to pull in separate directions...
     
