from the introducing-more-bugs-than-it-cures? dept.
Ars Technica has a story about the effort of some OpenBSD developers to clean up the OpenSSL codebase as part of a fork they've named LibreSSL. From the article:
The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess. "Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers," de Raadt told Ars in an e-mail. "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."
When asked what he meant by OpenSSL containing "discarded leftovers," de Raadt said there were "Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically." There were also "thousands of lines of APIs that the OpenSSL group intended to deprecate 12 years or so ago and [are] still left alone."
De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."
(Score: 5, Funny) by VLM on Wednesday April 23 2014, @12:39PM
The summary missed the funniest part of the story, quoted below:
"LibreSSL has a bare bones website that is intentionally unappealing... "This page scientifically designed to annoy web hipsters," the site says. "Donate now to stop the Comic Sans and Blink Tags.""
(Score: 0) by Anonymous Coward on Wednesday April 23 2014, @12:50PM
The Comic Sans I can deal with...but OMG the blinking, please stop. Every time that text blinks, a kitten dies!!!!!1111eleventyone
(Score: 2) by xlefay on Wednesday April 23 2014, @12:51PM
Quickly, donate!
(Score: 1) by petecox on Wednesday April 23 2014, @01:35PM
What browser are you using?
Firefox killed off blink some time ago...
(Score: 0) by Anonymous Coward on Wednesday April 23 2014, @02:06PM
Really? I'm using Firefox 28 and it's blinking for me
(Score: 4, Informative) by forsythe on Wednesday April 23 2014, @02:23PM
If you examine the CSS, part of the style is
So it should blink on a browser that doesn't implement <blink> to actually blink.
(Score: 1) by francois.barbier on Wednesday April 23 2014, @08:29PM
You can actually make any text blink in most browsers:
(Score: 3, Funny) by tangomargarine on Wednesday April 23 2014, @04:09PM
http://www.extremetech.com/computing/163291-firefox-23-finally-kills-the-blink-tag-removes-ability-to-turn-off-javascript-introduces-new-logo [extremetech.com]
Symptomatic of Firefox these days, I wouldn't consider any of those 3 features to be changes I desire.
Interestingly, <marquee> still works.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by davester666 on Wednesday April 23 2014, @06:30PM
OMG. If that were so, I would bookmark the page and leave it in the foreground.
(Score: 2) by Horse With Stripes on Wednesday April 23 2014, @12:52PM
(Score: 2, Interesting) by Anonymous Coward on Wednesday April 23 2014, @02:44PM
Some highlights:
(Score: 0) by Anonymous Coward on Wednesday April 23 2014, @05:13PM
"section class="we-love-web-devs-especially-those-that-write-blink-tags-for-us""
Everyone should read html source, there are many sites with awesome little messages.
(Score: 2, Interesting) by Anonymous Coward on Wednesday April 23 2014, @12:47PM
you may say what you will about those guys, but they deserve a lot more credit than they get. I'm happy to see that there is finally a SSL project in capable hands by people who really know their stuff.
It's sad that so few companies support OpenBSD. Everyone uses SSH, lots of early Linux code even comes from OpenBSD (for example IPSec IIRC) and I'm sure companies took a lot else as well
(Score: 2) by xlefay on Wednesday April 23 2014, @12:51PM
I agree entirely.
(Score: 0) by Anonymous Coward on Wednesday April 23 2014, @02:02PM
It boils down to the bad license. The BSD crowd is giving the very companies the free ride.
(Score: 2) by The Mighty Buzzard on Wednesday April 23 2014, @03:13PM
My rights don't end where your fear begins.
(Score: 1) by fnj on Wednesday April 23 2014, @04:35PM
Horse crap.
(Score: 1) by Wootery on Wednesday April 23 2014, @05:56PM
I could point out that licence doesn't dictate code quality, but that would be feeding the troll.
I'm all for a good licence flame-war, but you're meant to make some effort to segue into it, not just "Yeah, great, BSD licence sucks amirite?" as you just did.
(Score: 1, Informative) by Anonymous Coward on Wednesday April 23 2014, @02:55PM
they also have a more credible source of information than the submitted story holds http://undeadly.org/cgi?action=article&sid=20140423045847&mode=expanded&count=27 [undeadly.org]
it even looks a bit like slashcode
(Score: 3, Informative) by tangomargarine on Wednesday April 23 2014, @04:21PM
According to Wikipedia, OpenBSD was first released October 1, 1996.* The Linux kernel 2.0 came out in June of the same year. So I guess depending on how flexible your definitions of "early" and "OpenBSD" are...
* "the first official release of OpenBSD, and also the point at which XFree86 first recognised OpenBSD as separate from NetBSD"...apparently they had unofficial releases dating back to 12 months previous.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by omoc on Wednesday April 23 2014, @05:12PM
just because a project was started earlier, doesn't mean there is no code exchange between them. OpenBSD had the first IPSEC stack available for free that has been imported by a ton of other projects (and maybe also companies)
(Score: 4, Insightful) by Sir Garlon on Wednesday April 23 2014, @12:50PM
Why on earth is it controversial for a motivated, effective team to take over maintenance of a widely-used, but ill-maintained library? Sometimes people fail in spite of their best efforts and intentions. It doesn't mean the OpenSSL team are a bunch of losers, it just means their management team weren't good at fundraising. Most developers I know are not interested in raising money and public relations and so on, so to say the OpenSSL team didn't do that very well should not be taken as an insult.
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
(Score: 0) by unauthorized on Wednesday April 23 2014, @01:24PM
Because you are creating competing standards [xkcd.com], where refactoring the codebase and re-organizing how the project is managed would have brought the same benefits, without that drawback. The first choice option should have been to work with the OpenSSL team and fix the problems it has.
You don't want fragmentation of industry standard APIs, unless there is a pretty strong reason for it. So far, I haven't seen one.
(Score: 4, Insightful) by gman003 on Wednesday April 23 2014, @01:45PM
Competing implementation, not a competing standard. Competing implementations of the same standard are a GOOD thing.
(Score: 1) by petecox on Wednesday April 23 2014, @01:48PM
Hence there's no fragmentation of APIs, simply another implementation.
(Score: 1) by BasilBrush on Wednesday April 23 2014, @05:40PM
Working without the current OpenSSL team seems like a bonus.
Hurrah! Quoting works now!
(Score: 1) by GoonDu on Wednesday April 23 2014, @12:51PM
Considering that in all likelihood they were meant to be depreciated, what if they are still used in legacy servers? Granted, those probably using those legacy servers would probably have bigger security holes to fill.
(Score: 2) by M. Baranczak on Wednesday April 23 2014, @01:04PM
If you have a server like that, you're pretty unlikely to be switching SSL libraries anyway.
(Score: 3, Interesting) by Thexalon on Wednesday April 23 2014, @01:40PM
Sorry to be a spelling Nazi, but there's a big difference between "depreciated" (the lowering financial value of a capital good due to wear-and-tear) and "deprecated" (a feature that should not be used anymore because there's a better feature available).
Among other things, "depreciated" implies that software falls apart over time, while "deprecated" implies that we find better ways to do things and that's why we're getting rid of the old process.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 1) by fnj on Wednesday April 23 2014, @04:39PM
Truly illiteracy is a terrible thing. Don't be sorry.
(Score: 1) by strattitarius on Wednesday April 23 2014, @12:53PM
It would seem that even open source projects can become a bit lazy and get bloated when there is little competition. This should be good for the community. Especially since it's the BSD guys.
Slashdot Beta Sucks. Soylent Alpha Rules. News at 11.
(Score: 3, Insightful) by GlennC on Wednesday April 23 2014, @01:14PM
To my thinking, it would be better to fix the existing library, or even re-write it if necessary.
Creating a separate fork seems like little more than self promotion to me.
Of course, since it's Theo deRaadt and his crew doing this, the question answers itself.
Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.
(Score: 1) by francois.barbier on Wednesday April 23 2014, @01:22PM
I think you can still merge it back.
Kind of like Ubuntu gives back to Debian.
Am I correct?
(Score: 1, Interesting) by Anonymous Coward on Wednesday April 23 2014, @01:32PM
Just pretend the other line doesn't even exist and this IS the fix.
(Score: 4, Insightful) by Sir Garlon on Wednesday April 23 2014, @01:51PM
It's pretty simple: if you want a job done right, you have to do it yourself. Why waste time and resources arguing with the original developers over what needs to be done, when it's clear they don't share your priorities?
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
(Score: 2, Insightful) by Anonymous Coward on Wednesday April 23 2014, @02:37PM
Depends on how adamant the OpenSSL team are about legacy support. It sounds like LibreSSL are primarily removing specialized code for systems that they consider obsolete, irrelevant, or otherwise not worth the characters. They don't care about VMS. To the extent that every line of code is a potential exploit, this may be very valuable. I don't care about VMS. I don't care whether the code compiles under linux 1.2.13.
Forking makes the statement that they plan to sweep clean, and gives them the freedom to ignore constituencies that might be important to OpenSSL. Forking makes it a lot easier to ignore entrenched politics.
(Score: 1) by bill_mcgonigle on Thursday April 24 2014, @02:32AM
Creating a separate fork seems like little more than self promotion to me.
Only sorta - a fork is always called for when the previous management team fails to acknowledge its failings.
Is it self promotion to say, "we've been telling you guys for four years that your memory management is crap and you wouldn't listen, and now that that has bitten the whole world in the ass you're still not listening, so we're going to call you inept managers and we think we can do better"?
Perhaps - but if it's true, that's sufficient in this case.
I will be donating to the LibreSSL project.
(Score: 2) by GlennC on Thursday April 24 2014, @01:48PM
I hadn't thought of that, but then again I haven't been following the OpenSSL issue very closely.
Thanks for the reply.
Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.
(Score: 5, Funny) by tempest on Wednesday April 23 2014, @01:23PM
In other news, the OpenSSL team has forked OpenBSD; creating a new OS called LibreBSD.
(Score: 0) by Anonymous Coward on Wednesday April 23 2014, @02:10PM
if there would only be an OpenSSL team
(Score: 2) by ngarrang on Wednesday April 23 2014, @02:14PM
FreeBSD vs. LibreBSD! Two BSD enter, one BSD leave!
(Score: 0) by Anonymous Coward on Wednesday April 23 2014, @02:50PM
Who runs BSD town?!
(Score: 1) by David_W on Wednesday April 23 2014, @04:48PM
Of course NetBSD runs it!
(Wait, that seems backwards...)
(Score: 1) by ButchDeLoria on Thursday April 24 2014, @11:10AM
Whoever wins, we lose.
(Score: 3, Informative) by dbot on Wednesday April 23 2014, @02:47PM
It's lipstick [qualys.com] on [tack.io] a [google.com] pig [eff.org] at this point.
Having said that, it's great the OpenBSD guys are on it. I couldn't help but think, fk I wish they'd just do it. Now they have. Yay.
For entertaining commits:
http://freshbsd.org/search?project=openbsd&q=file. name:libssl [freshbsd.org]
With commentary:
http://opensslrampage.org/ [opensslrampage.org]
(Score: 2, Informative) by VortexCortex on Wednesday April 23 2014, @07:28PM
I agree. I'll just leave this here: The CA system is screwed, and has never been secure. [youtube.com]
As to OpenBSD forking OpenSSL, two words: Fuck, yes! One can still use the CA system 100% locally (and for free) to secure Intranet or business connections, VPNs, etc... so long as there aren't bugs in your implementation.
(Score: 1) by dbot on Thursday April 24 2014, @01:50PM
Great vid! Can't mod now, but crap. Moxie's done some fantastic work.
(Score: 5, Interesting) by gman003 on Wednesday April 23 2014, @03:53PM
The OpenBSD team, and Theo de Raadt in particular, seem to have an undeserved reputation for being assholes. As a long-time OpenBSD user, that's not quite true.
They have a strict set of priorities that are a bit of a minority. They put security as #1 - insecure code is never better than secure code. In service of priority #1, they emphasize general code quality, documentation, and limitation of scope (the best example being how little is installed by default in OpenBSD).
They are ruthless in pursuit of security, and more than a little bit paranoid, but here's the thing - they were right. And they don't do security theater - when they do something in the name of security, it's always something that actually works.
They're actually a fairly welcoming culture as long as you have those same priorities, or at the very least don't try to change them. If you want to use OpenBSD as a desktop OS, they'll help you out (I got very basic n00b-user advice on using USB flash drives from Theo himself, way back in the day). The only times I've seen them get angry are when people try to change those priorities (e.g. tell them they need to do X to make it easier to use), or when someone tries to play politics.
So we have a group that is ruthlessly security-oriented, paranoid but rationally so, and has plenty of experience in the security field. Is there any reason not to celebrate them taking charge of fixing what is, by all accounts, a shoddy SSL implementation? And if they need to fork it to do so, why not? The code is still public - if the OpenSSL team wants it, they can merge it back in. They're simply bypassing the OpenSSL leadership - which, I remind you, let the code get into the state it is now.
(Score: 3, Interesting) by len_harms on Wednesday April 23 2014, @05:40PM
We shall see what they come up with. For now I am cautiously optimistic about it.
Right now they are swinging at the low hanging fruit (you can see it in the changelogs which are semi funny to read btw). Dropping support for compilers that no one sells anymore. Using functions which were unreliable a few years ago between compilers. Such as you need to worry about things like how some standard CRT functions handled their parameters, as VS may do one thing and Metrowerks another and GCC a third.
They have narrowed the scope and dropped old platforms. This is a good thing for that project. It should get real interesting when they really dig in and refactor the code. Right now they are at the 'take everything out of the room and replace the nasty carpet and put it all back' clean up stage. Should get good when they start deciding what the new API looks like. It gives them a good lay of the land and what is really necessary and what can go.
(Score: 4, Interesting) by michealpwalls on Wednesday April 23 2014, @04:07PM
So true, it hurts! These guys are my heroes! I esp. like how they don't even slightly care what the webpage looks like... They will actually focus on the product before a fluffy webpage to market the product.. Amazing concept, no?! Someone should drop this tid-bit of knowledge onto the Mozilla Corporation one day :)
(Score: 0) by Anonymous Coward on Wednesday April 23 2014, @05:31PM
Hear hear!
(re: Mozilla)
(Score: 1) by BasilBrush on Wednesday April 23 2014, @05:45PM
Ideally the people working on low-level security code will not be the same people designing a web-page.
Hurrah! Quoting works now!