News OpenSSL forked into LibreSSL

Discussion in 'Article Discussion' started by Gareth Halfacree, 23 Apr 2014.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    9,337
    Likes Received:
    287
  2. Flibblebot

    Flibblebot Smile with me

    Joined:
    19 Apr 2005
    Posts:
    4,583
    Likes Received:
    129
    I read on Gizmodo this morning that the team has removed 90,000 lines of unused code in the last week - if that's true, then OpenSSL has been appallingly managed for something which so much of the Internet relies on for security.
     
  3. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,747
    Likes Received:
    236
    Well, that is Gizmodo for you. They removed support for any platform other than OpenBSD, plus of course they removed some older tech (SSLv2 etc). Sure, if you take some library and cut out 90% of the other platform support, you can easily cut out tons of code :).
     
  4. r3loaded

    r3loaded Well-Known Member

    Joined:
    25 Jul 2010
    Posts:
    1,095
    Likes Received:
    31
    Maybe if the billion-dollar companies who rely on such a critical library for free contributed back some cash, code fixes or just some advice, we wouldn't have had this situation in the first place.
     
  5. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,747
    Likes Received:
    236
    "Last year, the foundation took in less than $1 million from donations and consulting contracts." While I know the big companies should have given more, cash is clearly not the problem here.
     
  6. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    7,550
    Likes Received:
    88
    Would you happen to have details on their income?
    I ask because from what I read it seems the president of the OpenSSL Foundation, Steve Marquess, claims they take in less than $2000 a year in outright donations and sell commercial software support contracts.
    In fact he goes on to say, 'The media have noted that in the five years since it was created OSF has never taken in over $1 million in gross revenues annually.'

    He then goes on to say... http://veridicalsystems.com/blog/of-money-responsibility-and-pride/
     
  7. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,747
    Likes Received:
    236
    Last edited: 23 Apr 2014
  8. Phil Rhodes

    Phil Rhodes Hypernobber

    Joined:
    27 Jul 2006
    Posts:
    1,415
    Likes Received:
    10
    I hate to pander to popular prejudice here, but what this does do is poke some very big holes in the utopian dream of open source software.

    Whatever the reasons for underfunding and poor engineering, crap management is absolutely endemic in open source software. Mob rule and anarchy don't work very well, as this incident shows.

    I've been banging on for years that bad management, or more to the point just no real management at all, is the single biggest problem facing open source software, for dozens of reasons, and nobody gets it.

    P
     
  9. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,747
    Likes Received:
    236
  10. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    7,550
    Likes Received:
    88
    Hmm, who to believe.
    Matthew Green, an encryption expert at Johns Hopkins University, or Steve Marquess the president of the OpenSSL Foundation.
     
  11. RTT

    RTT #parp

    Joined:
    12 Mar 2001
    Posts:
    14,105
    Likes Received:
    68
    90k lines of code is nothing in such a project, I wouldn't read too much into that. For example, Google dropped 9M lines of code out of Chrome/Webkit once they forked it to Blink by dropping code for archs that Webkit supported but which Chrome didn't need to - so they could just be removing code for other architectures, seeing as OpenSSL is compilable on almost anything.

    edit: :duh: that's exactly what it was :D
     
  12. Guinevere

    Guinevere Mega Mom

    Joined:
    8 May 2010
    Posts:
    2,413
    Likes Received:
    147
    90k fewer lines is still 90k fewer lines. If those 90k lines of code were truly not needed by ANY platform that they claim to support, they should have been removed.

    Leaving in legacy code because 'well you know - busy' doesn't cut it when you're charging commercial clients for the code or to support the code.

    But...

    This wouldn't have solved Heartbleed, and I feel very uneasy about another fork. I don't trust their reasoning to split against working on the same codebase, and their website is simply a joke.

    They are trying to instil more trust in SSL code and failing at it so far. IMHO.
     
  13. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,747
    Likes Received:
    236
    It is not 90k lines not needed for OpenSSL in general. Most of it is not needed for LibreSSL running ONLY on OpenBSD. OpenSSL runs on Linux. LibreSSL doesn't. OpenSSL runs on Windows. LibreSSL doesn't. Removing 90k lines to strip the code base of Linux or Windows compatibility is not a source code optimization, nor has it anything to do with security whatsoever.
     
  14. Corky42

    Corky42 What did walle eat for breakfast?

    Joined:
    30 Oct 2012
    Posts:
    7,550
    Likes Received:
    88
    Charging for open source code, since when did that happen?
    Charging to support the code, I think that may be a grey area.

    Yes, they offer Support Contracts, but the money from those all goes to the people directly providing the technical support services and to current active OpenSSL team members.

    IMO the OpenSSL Software Foundation has been severely underfunded. Whether that is down to bad management when it came to acquiring funding, or the lack of support from the larger community, is difficult to know. Although looking on the OpenSSL web site at who has helped fund the project shows a very small list of just four companies; I personally would have expected that list to be filled with some notable names.
     
  15. jb0

    jb0 Member

    Joined:
    8 Apr 2012
    Posts:
    207
    Likes Received:
    4
    *talk about removing lines by removing platform support*

    Let's not forget that one of the supported platforms OpenBSD removed was big-endian x86.

    Note: the x86 family is little-endian.
    Note: it's not actually POSSIBLE to make a processor that is both big-endian and x86-compatible.

    It takes a certain kind of special to implement support for an imaginary mirror-universe version of one of the most ubiquitous processor architectures in the world and insist there's actually a reason for this to exist.
    Whatever their programmers were smoking, I want some of it.
     
  16. faugusztin

    faugusztin I *am* the guy with two left hands

    Joined:
    11 Aug 2008
    Posts:
    6,747
    Likes Received:
    236
    They removed everything but OpenBSD.
     
  17. Flibblebot

    Flibblebot Smile with me

    Joined:
    19 Apr 2005
    Posts:
    4,583
    Likes Received:
    129
    What's the issue with only supporting OpenBSD at the moment? On their website, they state:
    Surely it's better to strip back to one system, make sure that's as stable and bug-free as possible, then extend to other systems? LibreSSL is, after all, part of the OpenBSD project, so it makes sense that they would support that first.

    Unless, of course, you're worried about further forks by other teams to support their own preferred OS, leading to a whole different mish-mash of OpenSSL interpretations?
     
  18. Thawn

    Thawn New Member

    Joined:
    12 Nov 2013
    Posts:
    26
    Likes Received:
    2
    What surprises me is that giant companies like Google and Facebook that apparently use OpenSSL to secure their services weren't doing their own audits. If you are that big and well resourced, and are relying for critical security functionality on an external project, shouldn't you be putting some effort into ascertaining that the external project is actually providing you with security?

    Ideally the big guns would collaborate on this, or perhaps put the resources into ensuring the OpenSSL foundation was up to the job, but in lieu of either of those things surely they should at least be doing some rigorous internal testing and code audits?
     
  19. dinoscothern

    dinoscothern Member

    Joined:
    16 Aug 2010
    Posts:
    126
    Likes Received:
    0
    A distribution contains a lot of packages. That's a lot of lines of code. One of the perceived 'benefits' of open source is that an organisation/individual can take advantage of that prior work (they don't have to reinvent the wheel) and reduce their costs. As more machines use that software, the consequence of mistakes/poor design decisions in building that software has a greater effect. The fact that this problem was discovered (even after two years is better than never) shows that companies are (gradually) realising that they have responsibilities to contribute/maintain that body of code (or pay someone else to do so).
     