Discussion in 'Article Discussion' started by Gareth Halfacree, 23 Jun 2014.
Hopes for no nasty surprises.
Mr Langley? As in home of the CIA? That's no coincidence!
Seriously though, OpenSSL suffers because it's an open source project with a paltry budget. It isn't funded by the beneficiaries of the code - huge web companies that should really be giving something back to the service they rely on. It's a real embarrassment that the likes of Yahoo couldn't spare a few dollars to help fund security audits of the OpenSSL code.
It's good to see at least one firm taking responsibility.
I wouldn't consider completely forking the code taking responsibility. It just means they're another company that didn't finance OpenSSL or audits of its code either. Nor have other giants (and smaller companies) that are dependent on this technology. Actually, as stated in the post, most of them were barely aware of OpenSSL until Heartbleed (or Apple's gotos). It just means they'd rather dish out on their own variant.
Actually, the Linux Foundation recently launched the Core Infrastructure Initiative which sees major-name companies putting money in a pot for the Foundation to dish out to important open-source projects - starting with OpenSSL, the Network Time Protocol and OpenSSH. You'd definitely recognise some of the names: Amazon, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware, Adobe, Bloomberg, HP, Huawei, salesforce.com... No Yahoo as far as I'm aware, though.
See above: Google is one of the companies putting real cash money into the Core Infrastructure Initiative specifically to boost OpenSSL's security and code quality. It's also promised to continue to do so even as it works on its own BoringSSL fork.
I would be very surprised if Google et al were "barely aware of OpenSSL;" the article is referring to end-users, none of whom had any reason to know the name of the library that provides cryptographic services to their operating system or application until headlines like "OPENSSL HEARTBLEED VULN WILL STEAL YOUR CHILDREN" hit the mainstream rags. Certainly, very few companies "dish out on their own variant;" building a secure cryptographic library is really hard. Look at OpenSSL: industry experts, open source, massive deployment, been running for years, and we're still finding gaping gert holes in the damn thing.
Have you actually read the article? BoringSSL was pretty much OpenSSL + Google patches, which had been rejected by OpenSSL. BoringSSL is now switching to being a fork which includes Google patches, plus new commits from OpenSSL and LibreSSL unless there is a conflict.
It is pretty much a process change only at Google, for the SSL library used in Google products.
Check out OpenSSL source code
Apply Google patches
Check out BoringSSL source code
Apply new OpenSSL or LibreSSL commits (patches)
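To make the workflow in the post above concrete, here is an added shell example (not from the poster, and not BoringSSL's or OpenSSL's real tooling): a toy "upstream" git repository, a fork that carries its own patch, and a sync step that cherry-picks each new upstream commit into the fork and skips any commit that conflicts with the fork's patches. The repository layout, file contents and commit messages are all constructed for the illustration; only git itself is assumed.

```shell
#!/bin/sh
# Toy model of a fork that carries local patches and pulls in new upstream
# commits "unless there is a conflict". Repo names, files and commit messages
# are constructed for this example and are not any real project's history.

set -e

# Commit identity, so the script runs on a machine with no git config.
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# commit <repo> <file> <content> <message>: write one file and commit it.
commit() {
    printf '%s\n' "$3" > "$1/$2"
    git -C "$1" add "$2"
    git -C "$1" commit -q -m "$4"
}

# sync_fork <fork>: cherry-pick every commit on origin/main that the fork does
# not have yet, oldest first. A commit that conflicts with the fork's own
# changes is aborted and its subject printed, instead of being merged.
sync_fork() {
    git -C "$1" fetch -q origin
    for c in $(git -C "$1" rev-list --reverse main..origin/main); do
        if ! git -C "$1" cherry-pick "$c" >/dev/null 2>&1; then
            git -C "$1" cherry-pick --abort >/dev/null 2>&1
            git -C "$1" log -1 --format=%s "$c"
        fi
    done
}

# demo: build upstream, a fork with a local patch, then two new upstream
# commits (one clean, one touching the patched line) and sync the fork.
# Prints "<skipped commit subjects>|<files now in the fork>".
demo() {
    work=$(mktemp -d)
    up="$work/upstream"; fork="$work/fork"

    git init -q "$up"
    git -C "$up" symbolic-ref HEAD refs/heads/main   # fixed branch name
    commit "$up" ssl.c "int ssl_version = 1;" "initial import"

    git clone -q "$up" "$fork"
    # The fork's own patch rewrites the line upstream will later change.
    commit "$fork" ssl.c "int ssl_version = 1; /* fork: hardened */" "fork: harden ssl.c"

    # Upstream moves on: an unrelated fix and a change to the patched line.
    commit "$up" rand.c "int rand_ok = 1;"     "rand: add self-test"
    commit "$up" ssl.c  "int ssl_version = 2;" "ssl: bump version"

    skipped=$(sync_fork "$fork")
    files=$(cd "$fork" && echo *.c)
    rm -rf "$work"
    printf '%s|%s\n' "$skipped" "$files"
}

demo
```

Running it prints `ssl: bump version|rand.c ssl.c`: the unrelated upstream fix lands in the fork, while the commit that collides with the fork's patch is reported and left out, which is the manual step a real fork maintainer would then resolve by hand.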
The active phrase there being "recently" - as per my original post, it's about time these companies supported the services they rely on.
I don't doubt that donations of code and cash have taken place in the past, but it's better to see a consistent, concerted effort with proper funding (like an in-house product might get). Of course, it could all go horribly wrong if each firm tries to pull in separate directions...