
Not Just a Cleanup Any More: LibreSSL Project Announced

timothy posted about 5 months ago | from the they'd-like-some-beer-money dept.

Security 360

An anonymous reader writes "As some of you may know, the OpenBSD team has started cleaning up the OpenSSL code base. LibreSSL is primarily developed by the OpenBSD Project, and its first inclusion into an operating system will be in OpenBSD 5.6. In the wake of Heartbleed, the OpenBSD group is creating a simpler, cleaner version of the dominant OpenSSL. Theo de Raadt, founder and leader of OpenBSD and OpenSSH, tells ZDNet that the project has already removed 90,000 lines of C code and 150,000 lines of content. The project further promises multi-OS support once they have proper funding and the right portability team in place. Please consider donating to support LibreSSL via the OpenBSD foundation."


360 comments


Please change the name! (3, Informative)

cmdrbuzz (681767) | about 5 months ago | (#46813981)

LibreSSL.... Please for the love of code, change the name!

Re:Please change the name! (4, Funny)

TheGratefulNet (143330) | about 5 months ago | (#46814013)

libwressle.so - will be here, sunday, Sunday, SUNDAY!!

Re:Please change the name! (1)

gl4ss (559668) | about 5 months ago | (#46814183)

Nothing to do with wrestling, but it sounds like it has something to do with a certain kind of "monthlies".

Re:Please change the name! (1)

Anonymous Coward | about 5 months ago | (#46814437)

I thought he was making fun of Chekov...

Re:Please change the name! (1)

K. S. Kyosuke (729550) | about 5 months ago | (#46814979)

Based on my superior knowledge of Indo-European etymology, I assert that the name means that this implementation will be able to take on some extra pounding from the attackers.

Re:Please change the name! (0)

Anonymous Coward | about 5 months ago | (#46814021)

This a thousand times over.

Re:Please change the name! (1)

YoungManKlaus (2773165) | about 5 months ago | (#46814111)

Just abbreviate it ... LSSL does not sound that bad to me :)

Re:Please change the name! (3, Funny)

Anonymous Coward | about 5 months ago | (#46814167)

I think LeSSL would sound better since they are reducing the code base by so much

Re:Please change the name! (0)

Anonymous Coward | about 5 months ago | (#46814309)

I dunno... I've always felt that SSL is a female. LaSSL?

Re:Please change the name! (0)

Anonymous Coward | about 5 months ago | (#46814169)

Yes. :P

Sounds abit like Libresse.

Re:Please change the name! (1)

KermodeBear (738243) | about 5 months ago | (#46814219)

Could not agree more. Sticking Libre! on the front of everything is getting annoying.

Re:Please change the name! (1)

Anonymous Coward | about 5 months ago | (#46814275)

Agreed!

CleanSSL is already better than Libre lol (even if it's still annoying)

Re:Please change the name! (0)

Anonymous Coward | about 5 months ago | (#46814345)

The problem is that non-Americans don't realize that the average American will pronounce it as "libber SSL" and "libber office", and then when you correct them, they will laugh at you, not at themselves.

Re:Please change the name! (2)

Mitchell314 (1576581) | about 5 months ago | (#46814697)

It's the British that use '-re' to sound like 'er'. My guess is that most Americans have heard Spanish long enough to link '-re' to sound like 'ay'. And have heard Canadians long enough to put an 'ay' at the end of any word anyways. :P

Re:Please change the name! (0)

Anonymous Coward | about 5 months ago | (#46814783)

It sounds like "eh" more than "ay"... making it sound like "ay" is what makes an English speaker sound funny when speaking Spanish.

Re:Please change the name! (1)

dave420 (699308) | about 5 months ago | (#46814921)

I'm pretty sure that's not correct - I've not heard any brits pronounce it that way. They would probably pronounce it as "rer", but not "er". "Leebrer", quite possibly, but never "liber".

Re:Please change the name! (0)

Anonymous Coward | about 5 months ago | (#46814703)

Yes, all of LibreOffice and LibreSSL. It's so annoying having a whole TWO projects starting with Libre.

Re:Please change the name! (0)

Anonymous Coward | about 5 months ago | (#46814989)

Off the top of my head there is also LibreWRT and libreswan.

Re:Please change the name! (0)

Anonymous Coward | about 5 months ago | (#46814333)

Can't we have FreiheitSSL?

They should have start a naming contest ... (2)

Taco Cowboy (5327) | about 5 months ago | (#46814393)

LibreSSL.... Please for the love of code, change the name!

I wish they would start a naming contest soon.

There ought to be _someone_ out there who can come up with some much better name than "LibreSSL" ...

Re:They should have start a naming contest ... (0)

Anonymous Coward | about 5 months ago | (#46814627)

FreeSSL? [/sarcasm]

Re:They should have start a naming contest ... (1)

Mitchell314 (1576581) | about 5 months ago | (#46814723)

gnuSSL? Although TLS should be supported, so maybe gnuTLS?

Re:They should have start a naming contest ... (0)

Anonymous Coward | about 5 months ago | (#46814789)

gnuSSL? Although TLS should be supported, so maybe gnuTLS?

Been there, done that [gnutls.org]

Re:Please change the name! (4, Insightful)

ThePhilips (752041) | about 5 months ago | (#46814597)

What is with this reaction of Americans to the French/Latin word "libre"?

Re:Please change the name! (1, Insightful)

Pieroxy (222434) | about 5 months ago | (#46814765)

It's not English, nor does it have English roots, so they don't like it. It's simple really. You can apply that to many things Americans don't like.

Re:Please change the name! (3, Interesting)

ThePhilips (752041) | about 5 months ago | (#46814897)

And yet Americans like the word "liberty". Civil liberties. Statue of Liberty. And so on. That is simply inexplicable.

Libre is the new Open (0)

Anonymous Coward | about 5 months ago | (#46814661)

How about going retro with iSSL or eSSL? Or maybe xSSL - X's are always cool.

Slow clap (1)

isa-kuruption (317695) | about 5 months ago | (#46813985)

'Nuff said

Can they do OpenSSH too? (-1)

Anonymous Coward | about 5 months ago | (#46814001)

The source code in OpenSSH is as bad as OpenSSL. Convoluted and crazy as hell, to the point of being unmaintainable.

Perfect for more bugs like Heartbleed to hide in.

Re:Can they do OpenSSH too? (3, Informative)

Anonymous Coward | about 5 months ago | (#46814129)

They DO OpenSSH. And other projects: http://www.openbsdfoundation.org/

Re:Can they do OpenSSH too? (0)

Anonymous Coward | about 5 months ago | (#46814421)

OpenSSH is written in C, but I guess that's too complex for you. It is considered, by many held in high regards, to be "beautiful" code.

Awesome! (0)

Anonymous Coward | about 5 months ago | (#46814017)

I look forward to new and interesting side-effects of the pell-mell rush to clean up the code of a poorly written, poorly maintained, and even more poorly documented software package!

Re:Awesome! (1)

BreakBad (2955249) | about 5 months ago | (#46814331)

Maybe not as pell-mell as it is opportunistic.

Graphic design geniuses too (-1, Troll)

benjfowler (239527) | about 5 months ago | (#46814025)

Comic Sans.

That looks professional.

Re:Graphic design geniuses too (2)

marcello_dl (667940) | about 5 months ago | (#46814063)

They never claimed they were.

Re:Graphic design geniuses too (5, Informative)

Anonymous Coward | about 5 months ago | (#46814067)

There's something at the bottom of the page.

"This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags"

Re:Graphic design geniuses too (2)

QilessQi (2044624) | about 5 months ago | (#46814093)

This. Seriously. People may not think that appearance is important, but it is. Comic Sans does not inspire confidence.

Re:Graphic design geniuses too (2)

Threni (635302) | about 5 months ago | (#46814121)

Who thinks it's important? Who'll decide to switch or not based on a font on a website? Why?

Re:Graphic design geniuses too (4, Insightful)

Missing.Matter (1845576) | about 5 months ago | (#46814235)

Typefaces by their nature are designed to convey specific emotions. It's the whole reason we don't simply convey written information in one fixed typeface; some are more appropriate than others given the situation.

Comic Sans in particular is designed to imitate comic book lettering. It's not particularly professional. In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals. Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

Re:Graphic design geniuses too (2)

serviscope_minor (664417) | about 5 months ago | (#46814311)

Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option. If people want to make stupid emotional decisions, then it's time to let them. No actually, it's time to encourage them because it means I will have fewer serious competitors of the competition hamstring themselves with ill-informed emotional decisions.

Re:Graphic design geniuses too (2)

jeffmeden (135043) | about 5 months ago | (#46814373)

Comic Sans doesn't exactly inspire confidence for people who now view the open source development model as dubious.

Maybe in 2000, I would have cared but no longer. OSS is very well established and is in plenty of cases the leading option. If people want to make stupid emotional decisions, then it's time to let them. No actually, it's time to encourage them because it means I will have fewer serious competitors of the competition hamstring themselves with ill-informed emotional decisions.

They're pleading for donations. Are you comfortable being the sole donor, too?

Re:Graphic design geniuses too (0)

Anonymous Coward | about 5 months ago | (#46814725)

You honestly think there will only be one donor to the OpenBSD project? The fuck

Re:Graphic design geniuses too (1)

jeffmeden (135043) | about 5 months ago | (#46814365)

In the wake of the OpenSSL bug, many people were questioning open source in general, saying (not rightfully, but saying nonetheless) that the Heartbleed bug was caused by a bunch of amateur volunteers. i.e. open source is not developed by professionals

Except you're right, it was caused by half-assing what was supposed to be a good feature, because the programmers decided they would just stop and come back to it later. But now we have *different* amateur volunteers working on it! Problem solved!

Re:Graphic design geniuses too (0)

Anonymous Coward | about 5 months ago | (#46814227)

If you want confidence, audit the code.

Re:Graphic design geniuses too (0)

Anonymous Coward | about 5 months ago | (#46814483)

Good marketing is what separates open-source software from the closed-source, shrink wrap sector.

Re:Graphic design geniuses too (0)

Anonymous Coward | about 5 months ago | (#46814097)

It put ME in a better mood and so I donated even more. I'd say it's genius!

CAPTCHA: patrons

Re:Graphic design geniuses too (1)

benjfowler (239527) | about 5 months ago | (#46814127)

I'd say it's puerile -- and a bit alarming, considering these people are building something so important to the continued health of the internet.

Re:Graphic design geniuses too (1)

jeffmeden (135043) | about 5 months ago | (#46814397)

I'd say it's puerile -- and a bit alarming, considering these people are building something so important to the continued health of the internet.

But it goes right along with the notion that they are not even considering helping the original OpenSSL project (one that they have benefited greatly from in the past) and instead simply forked it in order to do only work that benefits themselves. The "we will get around to multiplatform when the donations pour in" is about as pathetic as the "we will get around to fixing that vulnerability countermeasure code later" that caused Heartbleed in the first place. If Heartbleed didn't scare people away from Free/Open Source software, then this surely will. Mission accomplished, Theo!

Re:Graphic design geniuses too (0)

Dog-Cow (21281) | about 5 months ago | (#46814507)

And your post goes right along with the notion that Slashdot is filled with shitheads.

Re:Graphic design geniuses too (-1)

Anonymous Coward | about 5 months ago | (#46814159)

From site: This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags

Re:Graphic design geniuses too (0)

Anonymous Coward | about 5 months ago | (#46814161)

Comic Sans.

That looks professional.

"This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags"

Har har...

Re:Graphic design geniuses too (0, Redundant)

Huntr (951770) | about 5 months ago | (#46814163)

Helpful disclaimer at bottom of that page:

This page scientifically designed to annoy web hipsters. Donate now [openbsdfoundation.org] to stop the Comic Sans and Blink Tags.

Re:Graphic design geniuses too (0)

Anonymous Coward | about 5 months ago | (#46814383)

wow, thought you were kidding.

Re:Graphic design geniuses too (1)

Anonymous Coward | about 5 months ago | (#46814463)

They were kind enough to prepare their snark for you in advance.

At the moment we are too busy deleting and rewriting code to make a decent web page. No we don't want help making web pages, thank you.

Re:Graphic design geniuses too (0)

the_cosmocat (1009803) | about 5 months ago | (#46814485)

Footer: "This page scientifically designed to annoy web hipsters. Donate now to stop the Comic Sans and Blink Tags"

Re:Graphic design geniuses too (0)

Anonymous Coward | about 5 months ago | (#46814901)

Congratulations, you are officially a web hipster.

Or.. (1)

bytesex (112972) | about 5 months ago | (#46814031)

you use polarssl. Which is already exactly that.

Re:Or.. (0, Troll)

bluefoxlucid (723572) | about 5 months ago | (#46814051)

It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help. OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD unless you give them money to make it not.

This will ultimately end in a lot of additional wasted effort to undo the damage OpenBSD is doing to LibreSSL so that the code can be ported back into OpenSSL proper, rather than investing slightly more effort in the first pass to do it right and not having a hefty second pass where they need to identify why it doesn't work on Linux/FreeBSD/Windows and then undo some of the things they did.

Re:Or.. (1, Insightful)

Dancindan84 (1056246) | about 5 months ago | (#46814141)

That's what I was wondering. The summary is a little vague, and I didn't really get a whole lot of clarity reading the articles as to whether OpenBSD was cleaning up OpenSSL and forking it to LibreSSL, or just cleaning up the code AS they forked it to LibreSSL. It seems like the latter, and if they're not contributing back and keeping LibreSSL OpenBSD only (at least initially), they're solving a problem less than 1% of us are having rather than helping a whole lot more.

I'd much rather see the OpenSSL project itself get cleaned up (or forked/restarted for "everyone" if the code needs more than cleanup) than have it forked and cleaned up for JUST an OpenBSD implementation.

Re:Or.. (0)

Anonymous Coward | about 5 months ago | (#46814531)

they're solving a problem less than 1% of us are having rather than helping a whole lot more.

Well, they solved another problem once already and we ended up with OpenSSH, so I'm not worried about that (OpenSSH, which *is* an OpenBSD project, as opposed to OpenSSL, which people seemed to get so confused about lately).

Re:Or.. (1)

aliquis (678370) | about 5 months ago | (#46814805)

And as for LibreSSL the choice would be simple had OpenSSL not already been called OpenSSL.

Just rename it OpenSSLeay or something and let the OpenBSD people use OpenSSL ;D

Re:Or.. (1)

aliquis (678370) | about 5 months ago | (#46814785)

But maybe the people behind OpenSSL want their format of the code, want their VMS stuff even if it no longer has any use (if that's the case), and want their own malloc if they consider that faster.

By doing it this way they can format the code in a way they are comfortable with reading/using and do whatever they want without anyone else complaining or not accepting their changes.

I don't know whether they remove usable features which just aren't used by/necessary in OpenBSD or not.

Likely limit their burden but still allow them to fix what they may not feel comfortable using as is.

Open to ripping out compatibility? (1)

Anonymous Coward | about 5 months ago | (#46814181)

Granted, the OBSD team has a known personality.

That said, diffs to remove compatibility would likely be rejected. Also, the rate at which they're being submitted wouldn't be verifiable by the OpenSSL team.

Plus, it's better to have multiple libraries.

This is for the better.

Re:Open to ripping out compatibility? (1)

cant_get_a_good_nick (172131) | about 5 months ago | (#46814821)

Plus, it's better to have multiple libraries.

This is not a universal good. There is a cost to:

* Choice. Now I need to figure out which is better. This is why Amazon has reviews - choice makes things difficult.

* Diffusion of resources. Part of the reason OpenSSL was so bad was that this team had no money and no resources.

There are a lot of projects out there, forks for spite, forks for license religion, that are a waste of time and resources. "Oh ____ has a free software license, but it has slightly different focuses of types of freedom, therefore it's heresy. Hey, here's GNU____. We know you'll ignore the bugs/missing features, because FREEDOM"

Re:Or.. (2, Interesting)

Anonymous Coward | about 5 months ago | (#46814255)

Are you on crack or just poorly trolling?

How is that even remotely "holding OpenSSL hostage"??? They make their own version for their pet OS. No one forces *you* or anyone else to use it, no one is forbidden to fix OpenSSL meanwhile (except for these few developers cleaning up LibreSSL, I guess).

If you know how to fix OpenSSL, please be my guest, otherwise just stop spouting nonsense ...

Oh, and by the way, seriously, go take a look [opensslrampage.org] at the horrible code that they're cleaning up and removing ... double free, missing checks, useless if/else conditions, memory mismanagement, and worse ... that cleanup was long overdue.

Re: hostage? no. try liberation (0)

Anonymous Coward | about 5 months ago | (#46814401)

Ahem. You say "holding OpenSSL hostage," when in fact the two developers of OpenSSL are completely incompetent and deserve to have the project forcefully taken out of their hands.

Re:Or.. (2)

rvw (755107) | about 5 months ago | (#46814415)

It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help. OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD unless you give them money to make it not.

FUD!

It's BSD! Source code will be available. No restrictions! How can they not give it back?

Re:Or.. (1)

bluefoxlucid (723572) | about 5 months ago | (#46814671)

The source code is available. Is the labor available?

My point is that it costs less in labor to rewrite OpenSSL cleaned-up but OpenBSD only without consideration for other OSes than it does to rewrite OpenSSL with no such consideration. Then, when you go back and fix the now-broken OpenSSL rewrite (LibreSSL), you add more than the difference in that labor: it requires more overall effort to do this one-and-a-half times than to do it right once.

So you have two options: Pay up and have the OpenBSD writers supply the additional half-effort to port LibreSSL back to everything; or pay up and supply your own labor as the additional half-effort to port LibreSSL's changes back into OpenSSL, after fixing the code up for full multi-OS support, with a diverging code base as you go along making tracking harder over time.

They're not giving everyone a rewritten OpenSSL; they're giving everyone the concept of a rewritten OpenSSL, which you can put into use on OpenBSD, or you can apply your own effort or apply money to OpenBSD to get written to work on Linux/FreeBSD/Windows.

Re:Or.. (2, Insightful)

serviscope_minor (664417) | about 5 months ago | (#46814419)

Strong, your hatred of OpenBSD is. Blinded you are.

Actually, more like a raging fuckwit you are.

It's not about a better OpenSSL. It's about OpenBSD waving its penis around.

Frankly you're a complete fucking idiot if you think that. Basically, if you persist in believing it, you are either ignorant or stupid. If the former, there's no excuse, because it's been covered so many times on just Slashdot alone. Therefore it's wilful ignorance. Actually I think it's malice, because you appear to hate OpenBSD for no rational reason.

OpenBSD want an API compatible, SAFE version of OpenSSL for their operating system. Rather than whining on the internet with their thumb up their ass, they're actually doing something about it. So they can provide a safe, BSD licensed operating system, which is their goal.

The OpenSSL team is amenable to aid; but they have two developers and no help.

So? That's the fault of the 10,000 companies out there who use OpenSSL but were too stupid to consider it worth chucking a few bucks to the OpenSSL team. The fact that the OpenBSD team is doing something about it is not a fault with the OpenBSD team.

OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD

Well, I guess they should have used a different license then. The OpenBSD folks aren't even making it closed source. It's out there if you want it. And it's specific to OpenBSD because---guess what---it's being done by OpenBSD developers. But they're good programmers and good people. It's not going to be heavily tied to OpenBSD. It will be pretty portable code.

OpenBSD unless you give them money to make it not.

OMG nuuuu!!111oneeleven People on the internet aren't working for free for me!! How dare those evil fuckers want to get fucking paid for FUCKING WORK!!! The bastards! They're doing nothing but waving their penises around. How dare they.

whine whine blah blah

No one is obligated to work for you for free. Fact is they actually are because OpenSSL badly needed this cleanup of the outer crap. The OpenBSD people are doing it for free in their own time and it's quite astonishingly arrogant of you (who hasn't donated a dollar or an hour of your time) to complain about how.

The chances are, with the code being cleaned up, it will actually be more easily portable to other modern systems than the old code. They're not doing damage, because the old code is still there and you can keep using it, warts and all, for as long as you like.

Re:Or.. (0)

bluefoxlucid (723572) | about 5 months ago | (#46814735)

The OpenBSD folks aren't even making it closed source. It's out there if you want it. And it's specific to OpenBSD because---guess what---it's being done by OpenBSD developers.

And

OMG nuuuu!!111oneeleven People on the internet aren't working for free for me!! How dare those evil fuckers want to get fucking paid for FUCKING WORK!!!

Conflicting stances.

The fact of the matter is they have two possible modes of operation: Contribute code back to OpenSSL or create a project tied to OpenBSD that won't run elsewhere. They've voiced openly that this new code will run on OpenBSD but not elsewhere, but that they'll fix it to run elsewhere if you give them money. Or, you could apply your own effort to it.

Fact of the matter is they're not being philanthropic; they're dangling a carrot and telling you if you want it you can either pay them to bring it down to you or you can climb the mountain and come take it. They're putting in some effort to grow the carrot, but they've decided to plant their carrot field atop a mountain instead of using the fertile farm land at the base where the villagers can get to it. Only the elite--the rich or the strong--can get the carrot, either by climbing the mountain themselves or by paying for the privilege of having it brought to them. In this model, it happens that once somebody has done this, they can grow their own carrots (with some of the same effort) from the first carrot, and give carrots to all regardless of their affluence or their fitness to climb the mountain.

Re:Or.. (0)

Anonymous Coward | about 5 months ago | (#46814929)

The fact of the matter is they have two possible modes of operation: Contribute code back to OpenSSL or create a project tied to OpenBSD that won't run elsewhere. They've voiced openly that this new code will run on OpenBSD but not elsewhere, but that they'll fix it to run elsewhere if you give them money. Or, you could apply your own effort to it.

I could make a long answer to your biased idiocy, but I'll just point out that these are the guys who brought us OpenSSH ... you know, a project tied to OpenBSD that won't run elsewhere ...

Re:Or.. (0)

Anonymous Coward | about 5 months ago | (#46814493)

OpenBSD is POSIX compliant. FreeBSD is POSIX compliant, Linux is POSIX compliant. What they are doing is taking off the rotten onion layers that the OpenSSL team put in that caused this whole mess.

Once you have a base that is, in this case POSIX compliant, you can write proper wrappers to support non-POSIX compliant OS's.

I think that you're missing the whole Open Source mantra, "you have a need or need to fix something, be our guest". Nowhere in there does it say that it's YOUR duty to make sure that it works with everything; that's the job of the next person who uses it on a different platform.

OpenBSD was written to be as secure as possible, the team continues that tradition by forking the code and cleaning it up to ensure that it doesn't compromise their other projects. That's all they have to do. It's up to the next person to pick up the base code and add support.

Re:Or.. (1)

BitZtream (692029) | about 5 months ago | (#46814525)

Not contributing back? Are you fucking retarded? The OpenSSL team can always take fixes from the version that OpenBSD creates.

This has nothing to do with Theo's penis and everything to do with OpenSSL being a monstrous pile of crap that its devs are afraid to touch.

So basically what you want them to do is take your pet project, fix the fact that it's a bloated pile of crap, and do it for your OS and your requirements, which have absolutely nothing to do with theirs?

You've got to be pretty lazy and extremely selfish to make such a retarded comment ... and that goes for all the idiots who modded you insightful.

What they should have done, is created BSDSSL and dropped all the retarded SSLeay and other silly licensing crap that goes with OpenSSL.

And for the record, it's unlikely that it won't work out of the box on *BSD, which have a pretty consistent API across all of them.

But hey, you're right, they should totally fix your problems for free because you said so and you weren't willing to do it yourself. Selfish fuck.

Re:Or.. (0)

bluefoxlucid (723572) | about 5 months ago | (#46814781)

Are you fucking retarded? The OpenBSD team can always contribute fixes to the version that OpenSSL maintains.

So basically what they want to do is take their pet project, fix a bloated pile of crap, and do it with no concern for other OSes and everyone's requirements which have everything to do with producing actual useful output?

They've got to be pretty lazy and extremely selfish to make such a retarded decision.

But hey, you're right, they should totally create a vendor-locked version of an extremely critical core Internet security technology and then tell people that they can either pay up or do the work to vendor-unlock their non-portable code themselves. Selfish fucks.

Re:Or.. (0)

Anonymous Coward | about 5 months ago | (#46814993)

To this orgy of entitlement that's emanating from you, I can only say that there's a website for your kind of people. [amishrakefight.org]

Re:Or.. (1)

Anonymous Coward | about 5 months ago | (#46814563)

You're right. It's not about a better OpenSSL. It's about OpenBSD taking security seriously and realising that unless they fork and do a massive cleanup, they'll not have a trustworthy SSL implementation in their OS.

Why is it their job to make sure it works on Linux and other OS? Anyone can take this code and do as they please.

Do you think the OpenSSL project would accept the hundreds of changes that have been made over the past two weeks? In a timely manner? No. Fork and avoid the bureaucracy.

OpenSSL funding (0)

Anonymous Coward | about 5 months ago | (#46814629)

It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help.

Well perhaps the OpenSSL folks need to examine how they're organized then.

There are reports that the OpenSSL Foundation got $2,000 for all of 2013. Meanwhile the FreeBSD Foundation got $750,000 in 2013, and are aiming for $1 million in 2014. The OpenBSD Foundation's goal for 2014 was $150K, which they reached.

I'm sure given OpenSSL's importance that they could match (and probably exceed) these other two projects, and get a proper staff.

Re:Or.. (0)

Anonymous Coward | about 5 months ago | (#46814679)

It's not about a better OpenSSL. It's about OpenBSD waving its penis around. That's all it is. The OpenSSL team is amenable to aid; but they have two developers and no help. OpenBSD is essentially holding OpenSSL hostage by making their own version, not contributing back, and making it OS-specific to OpenBSD unless you give them money to make it not.

This will ultimately end in a lot of additional wasted effort to undo the damage OpenBSD is doing to LibreSSL so that the code can be ported back into OpenSSL proper, rather than investing slightly more effort in the first pass to do it right and not having a hefty second pass where they need to identify why it doesn't work on Linux/FreeBSD/Windows and then undo some of the things they did.

Jesus motherfucking Christ! First of all, anyone with a dozen neurons can see that this effort is totally about making a better OpenSSL. But you know what? Even IF the OpenBSD folks are only concerned about making something better for OpenBSD, even IF they are "waving its penis around", what business is that of yours? Or anyone else who is not contributing to their effort? Every developer on the LibreSSL team is a volunteer, and as such, they have the implied right to tell you to GFY.

It is perfectly clear what motivates you: nothing but petty jealousy and a thinly veiled incompetence. Well, you know what they say: the dogs bark, but the caravan goes on.

Re:Or.. (1)

marcello_dl (667940) | about 5 months ago | (#46814103)

Possibly it would be easier to integrate polarssl than clean up openssl, but they maybe like to work on crypto code instead of on interfaces.
Given that it's a volunteer effort (by them and by those who will volunteer some cash) I do not complain about it anyway.

Re:Or.. (1)

xxxJonBoyxxx (565205) | about 5 months ago | (#46814303)

PolarSSL doesn't have the same licensing model as OpenSSL, so it's not a drop-in replacement. (https://polarssl.org/how-to-get vs. http://www.openssl.org/source/... [openssl.org] )

Embrace Extend Extinguish (-1)

Anonymous Coward | about 5 months ago | (#46814047)

Works for anybody

Please change the API (0)

Anonymous Coward | about 5 months ago | (#46814139)

Another problem with OpenSSL is its hideous API - huge, inconsistent, poorly documented, and exposing way too many low level protocol details that should be handled internally by the library, not by applications.

Sane licence (0)

Anonymous Coward | about 5 months ago | (#46814177)

Now if only libressl could have a sane licence that wasn't GPL-incompatible :(

Please don't (2)

duke_cheetah2003 (862933) | about 5 months ago | (#46814179)

Don't fork SSL, we need to keep one standard, I'd think. This is a bad idea. These resources could be used to improve OpenSSL directly.

Re:Please don't (5, Insightful)

Kardos (1348077) | about 5 months ago | (#46814293)

It's not a bad idea. OpenSSL has become unwieldy, which has been known for quite some time. A major refactoring is long overdue. Does it matter if the project changes name? OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.

> Even after all those changes, the codebase is still API compatible.

It's going to be a drop in replacement for OpenSSL. Same idea as the MariaDB fork of MySQL. Where is the "bad idea" here?

Re:Please don't (2, Funny)

Anonymous Coward | about 5 months ago | (#46814395)

Where is the "bad idea" here?

A fork is alien to the OSS concept. If you are not happy with the direction and quality of the current maintainer and code, and think you can do better, you shouldn't just fork it and do it. Who has ever asked you to do that with OSS?? You should work with the provider and hope that helps.

Re:Please don't (1)

jeffmeden (135043) | about 5 months ago | (#46814429)

OpenSSL 2.0 or LibreSSL - what's the difference? The OpenSSL guys don't have the resources/time/funding/whatever to do it, and the OpenBSD guys apparently do.

Rather, they apparently don't (hence the donations plea). What they do have time for is forking OpenSSL, cutting out the stuff they don't care about, and slapping each other on the back for giving OpenSSL a good poke in the eye.

Re:Please don't (0)

Anonymous Coward | about 5 months ago | (#46814347)

Oblig XKCD [xkcd.com]

Re:Please don't (1)

serviscope_minor (664417) | about 5 months ago | (#46814457)

Don't fork SSL

They're not.

we need to keep one standard

They are.

This is a bad idea.

It's not, because your assumptions above are faulty.

These resources could be used to improve OpenSSL directly.

That's exactly what they are doing. But they're forking OpenSSL because they want to do it their way.

Re:Please don't (3, Interesting)

upuv (1201447) | about 5 months ago | (#46814499)

SSL is the standard.
OpenSSL is an implementation
LibreSSL is an implementation

The standard isn't forked.

In this instance the standard mostly applies to the protocol. The on-system interfaces will most likely mutate rather quickly, most specifically at the user interaction level. The library interfaces will most likely remain steady.

This isn't a bad thing.

SSL and its related crypto cousins are all about trust, but paradoxically crypto people don't trust crypto people, so there is very little trust out there. So really powerful things like personal / corporate certificate authorities just don't exist in practice. Imagine the power of a CA for personal certs. It would change authentication forever. Goodbye 300 passwords. But since no two people can build two independent systems that truly trust each other, there really is no hope for personal certificate authorities. Maybe this reboot of an SSL implementation can move us one step closer. Or even an inch/2.2cm.

Re:Please don't (0)

Anonymous Coward | about 5 months ago | (#46814519)

Why not fork it? The current maintainers are obviously fuckups when compared to Theo's crew.

I live in the US (for which Theo has had a few choice words), and I don't care for his acidic attitude at times, but he is an effective leader and software engineer. I *trust* him specifically due to his distrust of so many who buy into the status quo.

In addition, I think we should have an IndieGoGo or Kickstarter campaign to run background investigations into each new core LibreSSL team member for NSA links, just like the TrueCrypt folks who are trying to raise money for a code audit.

Get it FIPS certified (5, Insightful)

sinij (911942) | about 5 months ago | (#46814361)

The key reason OpenSSL is so popular in the US is because the project is on top of FIPS certifications. LibreSSL might cure cancer, but very few system integrators will use it unless it has a certified module.

Re:Get it FIPS certified (3, Funny)

brunes69 (86786) | about 5 months ago | (#46814453)

People are starting to think that "FIPS Certified" means "has all required NSA backdoors installed".

Re:Get it FIPS certified (3, Insightful)

sinij (911942) | about 5 months ago | (#46814521)

You might be proven right by the next Snowden report, but this still will not change the fact that to sell to the government you need to demonstrate your crypto is certified.

Another way of thinking about this: your liability is much higher when your badly broken crypto results in your customer database on pastebin than when your backdoored library results in your customer database somewhere in the NSA data vault.

Re:Get it FIPS certified (4, Informative)

BitZtream (692029) | about 5 months ago | (#46814613)

Having gone through the certification process myself, people that think that are stupid, paranoid idiots. The certification process is entirely based on finding and fixing known flaws in the encryption process, nothing I saw would indicate any kind of weakening.

Of course, it's entirely possible that the NSA was aware that my code was insecure and just didn't request any changes to make it weaker, but the certification process certainly didn't make that apparent.

Re:Get it FIPS certified (2)

BitZtream (692029) | about 5 months ago | (#46814583)

Wrong.

A specific version of the OpenSSL binaries a LONG time ago received a low level of FIPS 140 certification. That certification was for specific binaries built from a specific code base. The instant a single line of source is changed, the entire FIPS certification is null and void for the new version. Depending on the exact way it was certified, it is entirely possible that even compiling the same source code from the version that was certified ... does not itself receive the certification.

NO ONE uses the FIPS certified module as it is broken in many known ways. Anyone who does use it is retarded, since it's well known to be susceptible to several attacks that make it horribly broken even though it received a low level FIPS certification.

Re:Get it FIPS certified (1)

Error27 (100234) | about 5 months ago | (#46814619)

If you read the article then you'll see that OpenBSD explicitly rejects FIPS certification as a goal.

FIPS certification is why OpenSSL includes the NSA backdoor DUAL EC pseudo random number generator. The code doesn't work but it's still included and can't be fixed. Anything which leads to an outcome like this... Disgust. Disgust and revulsion.

Re:Get it FIPS certified (1)

Kardos (1348077) | about 5 months ago | (#46814649)

If OpenBSD is successful in their goal of making a lean and mean LibreSSL, is there anything that stops someone else from getting it FIPS certified?

Clearly it would have to be re-done with each release, so presumably nobody would bother until LibreSSL is stable.

What will be next: LibreSystemd? (0)

Anonymous Coward | about 5 months ago | (#46814455)

Now *there's* one that needs a cut-the-fat do-over.

Notice that Theo doesn't have the goal of making LibreSSL BSD-only.
