
posted by janrinok on Wednesday April 23 2014, @12:36PM
from the introducing-more-bugs-than-it-cures? dept.

Ars Technica has a story about the effort of some OpenBSD developers to clean up the OpenSSL codebase as part of a fork they've named LibreSSL. From the article:

The decision to fork OpenSSL is bound to be controversial given that OpenSSL powers hundreds of thousands of Web servers. When asked why he wanted to start over instead of helping to make OpenSSL better, de Raadt said the existing code is too much of a mess. "Our group removed half of the OpenSSL source tree in a week. It was discarded leftovers," de Raadt told Ars in an e-mail. "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap. I did not make this decision... in our larger development group, it made itself."

When asked what he meant by OpenSSL containing "discarded leftovers," de Raadt said there were "Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically." There were also "thousands of lines of APIs that the OpenSSL group intended to deprecate 12 years or so ago and [are] still left alone."

De Raadt told ZDNet that his team has removed 90,000 lines of C code. "Even after all those changes, the codebase is still API compatible," he said. "Our entire ports tree (8,700 applications) continue to compile and work after all these changes."

  • (Score: 5, Funny) by VLM on Wednesday April 23 2014, @12:39PM

    by VLM (445) on Wednesday April 23 2014, @12:39PM (#34832)

    The summary missed the funniest part of the story, quoted below:

    "LibreSSL has a bare bones website that is intentionally unappealing... "This page scientifically designed to annoy web hipsters," the site says. "Donate now to stop the Comic Sans and Blink Tags.""

    • (Score: 0) by Anonymous Coward on Wednesday April 23 2014, @12:50PM

      by Anonymous Coward on Wednesday April 23 2014, @12:50PM (#34839)

      The Comic Sans I can deal with...but OMG the blinking, please stop. Every time that text blinks, a kitten dies!!!!!1111eleventyone

      • (Score: 2) by xlefay on Wednesday April 23 2014, @12:51PM

        by xlefay (65) on Wednesday April 23 2014, @12:51PM (#34843) Journal

        Quickly, donate!

      • (Score: 1) by petecox on Wednesday April 23 2014, @01:35PM

        by petecox (3228) on Wednesday April 23 2014, @01:35PM (#34864)

        What browser are you using?

        Firefox killed off blink some time ago...

        • (Score: 0) by Anonymous Coward on Wednesday April 23 2014, @02:06PM

          by Anonymous Coward on Wednesday April 23 2014, @02:06PM (#34885)

          Really? I'm using Firefox 28 and it's blinking for me

        • (Score: 4, Informative) by forsythe on Wednesday April 23 2014, @02:23PM

          by forsythe (831) on Wednesday April 23 2014, @02:23PM (#34895)

          If you examine the CSS, part of the style is

          blink {
                  animation:blink 1s;
                  animation-iteration-count: infinite;
                  -webkit-animation:blink 1s;
                  -webkit-animation-iteration-count: infinite;
          }
          @keyframes blink {
                  0%{opacity:0.0;}
                  50%{opacity:0.0;}
                  50.01%{opacity:1.0;}
                  100%{opacity:1.0;}
          }
          @-webkit-keyframes blink {
                  0%{opacity:0.0;}
                  50%{opacity:0.0;}
                  50.01%{opacity:1.0;}
                  100%{opacity:1.0;}
          }

          So it should blink on a browser that doesn't implement <blink> to actually blink.

          • (Score: 1) by francois.barbier on Wednesday April 23 2014, @08:29PM

            by francois.barbier (651) on Wednesday April 23 2014, @08:29PM (#35124)

            You can actually make any text blink in most browsers:

            text-decoration: blink;

        • (Score: 3, Funny) by tangomargarine on Wednesday April 23 2014, @04:09PM

          by tangomargarine (667) on Wednesday April 23 2014, @04:09PM (#34970)

          http://www.extremetech.com/computing/163291-firefox-23-finally-kills-the-blink-tag-removes-ability-to-turn-off-javascript-introduces-new-logo [extremetech.com]

          Symptomatic of Firefox these days, I wouldn't consider any of those 3 features to be changes I desire.

          Interestingly, <marquee> still works.

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by davester666 on Wednesday April 23 2014, @06:30PM

        by davester666 (155) on Wednesday April 23 2014, @06:30PM (#35064)

        OMG. If that were so, I would bookmark the page and leave it in the foreground.

    • (Score: 2) by Horse With Stripes on Wednesday April 23 2014, @12:52PM

      by Horse With Stripes (577) on Wednesday April 23 2014, @12:52PM (#34847)

      And their website doesn't support https?? I wonder why they aren't using their own product ... ;-)
    • (Score: 2, Interesting) by Anonymous Coward on Wednesday April 23 2014, @02:44PM

      by Anonymous Coward on Wednesday April 23 2014, @02:44PM (#34914)

      Some highlights:

      realloc has handled NULL since I had a mullet and parachute pants.

      If modern society can get past selling daughters for cows, surely we can
      decide to write modern C code in an "application" that is probably 3 lines
      of shell/python/cgi away from talking to the internet in a lot of
      places...

      - Why do we hide from the OpenSSL police, dad?
      - Because they're not like us, son. They use macros to wrap stdio
        routines, for an undocumented (OPENSSL_USE_APPLINK) use case.

      I wonder if their motto is "If you can't solve a problem, at least try to do it badly".

    • (Score: 0) by Anonymous Coward on Wednesday April 23 2014, @05:13PM

      by Anonymous Coward on Wednesday April 23 2014, @05:13PM (#35011)

      "section class="we-love-web-devs-especially-those-that-write-blink-tags-for-us""

      Everyone should read html source, there are many sites with awesome little messages.

  • (Score: 2, Interesting) by Anonymous Coward on Wednesday April 23 2014, @12:47PM

    by Anonymous Coward on Wednesday April 23 2014, @12:47PM (#34836)

    You may say what you will about those guys, but they deserve a lot more credit than they get. I'm happy to see that there is finally an SSL project in capable hands by people who really know their stuff.

    It's sad that so few companies support OpenBSD. Everyone uses SSH, lots of early Linux code even comes from OpenBSD (for example IPSec IIRC) and I'm sure companies took a lot else as well

    • (Score: 2) by xlefay on Wednesday April 23 2014, @12:51PM

      by xlefay (65) on Wednesday April 23 2014, @12:51PM (#34842) Journal

      I agree entirely.

    • (Score: 0) by Anonymous Coward on Wednesday April 23 2014, @02:02PM

      by Anonymous Coward on Wednesday April 23 2014, @02:02PM (#34882)

      It boils down to the bad license. The BSD crowd is giving the very companies the free ride.

      • (Score: 2) by The Mighty Buzzard on Wednesday April 23 2014, @03:13PM

        So? That's their choice.
        --
        My rights don't end where your fear begins.
      • (Score: 1) by fnj on Wednesday April 23 2014, @04:35PM

        by fnj (1654) on Wednesday April 23 2014, @04:35PM (#34983)

        bad license

        Horse crap.

      • (Score: 1) by Wootery on Wednesday April 23 2014, @05:56PM

        by Wootery (2341) on Wednesday April 23 2014, @05:56PM (#35039)

        I could point out that licence doesn't dictate code quality, but that would be feeding the troll.

        I'm all for a good licence flame-war, but you're meant to make some effort to segue into it, not just Yeah, great, BSD licence sucks amirite? as you just did.

    • (Score: 1, Informative) by Anonymous Coward on Wednesday April 23 2014, @02:55PM

      by Anonymous Coward on Wednesday April 23 2014, @02:55PM (#34920)

      they also have a more credible source of information than the submitted story holds http://undeadly.org/cgi?action=article&sid=20140423045847&mode=expanded&count=27 [undeadly.org]

      it even looks a bit like slashcode

    • (Score: 3, Informative) by tangomargarine on Wednesday April 23 2014, @04:21PM

      by tangomargarine (667) on Wednesday April 23 2014, @04:21PM (#34977)

      lots of early Linux code even comes from OpenBSD

      According to Wikipedia, OpenBSD was first released October 1, 1996.* The Linux kernel 2.0 came out in June of the same year. So I guess depending on how flexible your definitions of "early" and "OpenBSD" are...

      * "the first official release of OpenBSD, and also the point at which XFree86 first recognised OpenBSD as separate from NetBSD"...apparently they had unofficial releases dating back to 12 months previous.

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by omoc on Wednesday April 23 2014, @05:12PM

        by omoc (39) on Wednesday April 23 2014, @05:12PM (#35010)

        just because a project was started earlier, doesn't mean there is no code exchange between them. OpenBSD had the first IPSEC stack available for free that has been imported by a ton of other projects (and maybe also companies)

  • (Score: 4, Insightful) by Sir Garlon on Wednesday April 23 2014, @12:50PM

    by Sir Garlon (1264) on Wednesday April 23 2014, @12:50PM (#34840)

    Why on earth is it controversial for a motivated, effective team to take over maintenance of a widely-used, but ill-maintained library? Sometimes people fail in spite of their best efforts and intentions. It doesn't mean the OpenSSL team are a bunch of losers, it just means their management team weren't good at fundraising. Most developers I know are not interested in raising money and public relations and so on, so to say the OpenSSL team didn't do that very well should not be taken as an insult.

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    • (Score: 0) by unauthorized on Wednesday April 23 2014, @01:24PM

      by unauthorized (3776) on Wednesday April 23 2014, @01:24PM (#34860)

      Because you are creating competing standards [xkcd.com], where refactoring the codebase and re-organizing how the project is managed would have brought the same benefits, without that drawback. The first choice option should have been to work with the OpenSSL team and fix the problems it has.

      You don't want fragmentation of industry standard APIs, unless there is a pretty strong reason for it. So far, I haven't seen one.

      • (Score: 4, Insightful) by gman003 on Wednesday April 23 2014, @01:45PM

        by gman003 (4155) on Wednesday April 23 2014, @01:45PM (#34866)

        Competing implementation, not a competing standard. Competing implementations of the same standard are a GOOD thing.

      • (Score: 1) by petecox on Wednesday April 23 2014, @01:48PM

        by petecox (3228) on Wednesday April 23 2014, @01:48PM (#34869)

        OpenSSL isn't a standard, it's an implementation of protocol(s). Wikipedia lists [wikipedia.org] a dozen or so such implementations.

        Hence there's no fragmentation of APIs, simply another implementation.

      • (Score: 1) by BasilBrush on Wednesday April 23 2014, @05:40PM

        by BasilBrush (3994) on Wednesday April 23 2014, @05:40PM (#35028)

        Working without the current OpenSSL team seems like a bonus.

        --
        Hurrah! Quoting works now!
  • (Score: 1) by GoonDu on Wednesday April 23 2014, @12:51PM

    by GoonDu (2623) on Wednesday April 23 2014, @12:51PM (#34844)

    When asked what he meant by OpenSSL containing "discarded leftovers," de Raadt said there were "Thousands of lines of VMS support. Thousands of lines of ancient WIN32 support. Nowadays, Windows has POSIX-like APIs and does not need something special for sockets. Thousands of lines of FIPS support, which downgrade ciphers almost automatically."

    Considering that in all likelihood that they were meant to be depreciated, what if they are still used in legacy servers? Granted, those probably using those legacy servers would probably have bigger security holes to fill.

    • (Score: 2) by M. Baranczak on Wednesday April 23 2014, @01:04PM

      by M. Baranczak (1673) on Wednesday April 23 2014, @01:04PM (#34852)

      If you have a server like that, you're pretty unlikely to be switching SSL libraries anyway.

    • (Score: 3, Interesting) by Thexalon on Wednesday April 23 2014, @01:40PM

      by Thexalon (636) on Wednesday April 23 2014, @01:40PM (#34865)

      meant to be depreciated

      Sorry to be a spelling Nazi, but there's a big difference between "depreciated" (the lowering financial value of a capital good due to wear-and-tear) and "deprecated" (a feature that should not be used anymore because there's a better feature available).

      Among other things, "depreciated" implies that software falls apart over time, while "deprecated" implies that we find better ways to do things and that's why we're getting rid of the old process.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 1) by fnj on Wednesday April 23 2014, @04:39PM

        by fnj (1654) on Wednesday April 23 2014, @04:39PM (#34984)

        Truly illiteracy is a terrible thing. Don't be sorry.

  • (Score: 1) by strattitarius on Wednesday April 23 2014, @12:53PM

    by strattitarius (3191) on Wednesday April 23 2014, @12:53PM (#34848) Journal

    It would seem that even open source projects can become a bit lazy and get bloated when there is little competition. This should be good for the community. Especially since it's the BSD guys.

    --
    Slashdot Beta Sucks. Soylent Alpha Rules. News at 11.
  • (Score: 3, Insightful) by GlennC on Wednesday April 23 2014, @01:14PM

    by GlennC (3656) on Wednesday April 23 2014, @01:14PM (#34856)

    To my thinking, it would be better to fix the existing library, or even re-write it if necessary.

    Creating a separate fork seems like little more than self promotion to me.

    Of course, since it's Theo deRaadt and his crew doing this, the question answers itself.

    --
    Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.
    • (Score: 1) by francois.barbier on Wednesday April 23 2014, @01:22PM

      by francois.barbier (651) on Wednesday April 23 2014, @01:22PM (#34858)

      I think you can still merge it back.
      Kind of like Ubuntu gives back to Debian.
      Am I correct?

    • (Score: 1, Interesting) by Anonymous Coward on Wednesday April 23 2014, @01:32PM

      by Anonymous Coward on Wednesday April 23 2014, @01:32PM (#34863)

      Just pretend the other line doesn't even exist and this IS the fix.

    • (Score: 4, Insightful) by Sir Garlon on Wednesday April 23 2014, @01:51PM

      by Sir Garlon (1264) on Wednesday April 23 2014, @01:51PM (#34870)

      It's pretty simple: if you want a job done right, you have to do it yourself. Why waste time and resources arguing with the original developers over what needs to be done, when it's clear they don't share your priorities?

      --
      [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    • (Score: 2, Insightful) by Anonymous Coward on Wednesday April 23 2014, @02:37PM

      by Anonymous Coward on Wednesday April 23 2014, @02:37PM (#34909)

      Depends on how adamant the OpenSSL team are about legacy support. It sounds like LibreSSL are primarily removing specialized code for systems that they consider obsolete, irrelevant, or otherwise not worth the characters. They don't care about VMS. To the extent that every line of code is a potential exploit, this may be very valuable. I don't care about VMS. I don't care whether the code compiles under linux 1.2.13.

      Forking makes the statement that they plan to sweep clean, and gives them the freedom to ignore constituencies that might be important to OpenSSL. Forking makes it a lot easier to ignore entrenched politics.

    • (Score: 1) by bill_mcgonigle on Thursday April 24 2014, @02:32AM

      by bill_mcgonigle (1105) on Thursday April 24 2014, @02:32AM (#35326)

      Creating a separate fork seems like little more than self promotion to me.

      Only sorta - a fork is always called for when the previous management team fails to acknowledge its failings.

      Is it self promotion to say, "we've been telling you guys for four years that your memory management is crap and you wouldn't listen, and now that that has bitten the whole world in the ass you're still not listening, so we're going to call you inept managers and we think we can do better"?

      Perhaps - but if it's true, that's sufficient in this case.

      I will be donating to the LibreSSL project.

      • (Score: 2) by GlennC on Thursday April 24 2014, @01:48PM

        by GlennC (3656) on Thursday April 24 2014, @01:48PM (#35529)

        I hadn't thought of that, but then again I haven't been following the OpenSSL issue very closely.

        Thanks for the reply.

        --
        Sorry folks...the world is bigger and more varied than you want it to be. Deal with it.
  • (Score: 5, Funny) by tempest on Wednesday April 23 2014, @01:23PM

    by tempest (3050) on Wednesday April 23 2014, @01:23PM (#34859)

    In other news, the OpenSSL team has forked OpenBSD; creating a new OS called LibreBSD.

    • (Score: 0) by Anonymous Coward on Wednesday April 23 2014, @02:10PM

      by Anonymous Coward on Wednesday April 23 2014, @02:10PM (#34886)

      if there would only be an OpenSSL team

    • (Score: 2) by ngarrang on Wednesday April 23 2014, @02:14PM

      by ngarrang (896) on Wednesday April 23 2014, @02:14PM (#34889) Journal

      FreeBSD vs. LibreBSD! Two BSD enter, one BSD leave!

      • (Score: 0) by Anonymous Coward on Wednesday April 23 2014, @02:50PM

        by Anonymous Coward on Wednesday April 23 2014, @02:50PM (#34919)

        Who runs BSD town?!

        • (Score: 1) by David_W on Wednesday April 23 2014, @04:48PM

          by David_W (3469) on Wednesday April 23 2014, @04:48PM (#34992)

          Of course NetBSD runs it!

          (Wait, that seems backwards...)

      • (Score: 1) by ButchDeLoria on Thursday April 24 2014, @11:10AM

        by ButchDeLoria (583) on Thursday April 24 2014, @11:10AM (#35457)

        Whoever wins, we lose.

  • (Score: 3, Informative) by dbot on Wednesday April 23 2014, @02:47PM

    by dbot (1811) on Wednesday April 23 2014, @02:47PM (#34916) Journal

    It's lipstick [qualys.com] on [tack.io] a [google.com] pig [eff.org] at this point.

    Having said that, it's great the OpenBSD guys are on it. I couldn't help but think, fk I wish they'd just do it. Now they have. Yay.

    For entertaining commits:

    http://freshbsd.org/search?project=openbsd&q=file.name:libssl [freshbsd.org]

    With commentary:

    http://opensslrampage.org/ [opensslrampage.org]

    • (Score: 2, Informative) by VortexCortex on Wednesday April 23 2014, @07:28PM

      by VortexCortex (4067) on Wednesday April 23 2014, @07:28PM (#35093)

      I agree. I'll just leave this here: The CA system is screwed, and has never been secure. [youtube.com]

      As to OpenBSD forking OpenSSL, two words: Fuck, yes! One can still use the CA system 100% locally (and for free) to secure Intranet or business connections, VPNs, etc... so long as there aren't bugs in your implementation.

      • (Score: 1) by dbot on Thursday April 24 2014, @01:50PM

        by dbot (1811) on Thursday April 24 2014, @01:50PM (#35530) Journal

        Great vid! Can't mod now, but crap. Moxie's done some fantastic work.

  • (Score: 5, Interesting) by gman003 on Wednesday April 23 2014, @03:53PM

    by gman003 (4155) on Wednesday April 23 2014, @03:53PM (#34958)

    The OpenBSD team, and Theo de Raadt in particular, seem to have an undeserved reputation for being assholes. As a long-time OpenBSD user, that's not quite true.

    They have a strict set of priorities that are a bit of a minority. They put security as #1 - insecure code is never better than secure code. In service of priority #1, they emphasize general code quality, documentation, and limitation of scope (the best example being how little is installed by default in OpenBSD).

    They are ruthless in pursuit of security, and more than a little bit paranoid, but here's the thing - they were right. And they don't do security theater - when they do something in the name of security, it's always something that actually works.

    They're actually a fairly welcoming culture as long as you have those same priorities, or at the very least don't try to change them. If you want to use OpenBSD as a desktop OS, they'll help you out (I got very basic n00b-user advice on using USB flash drives from Theo himself, way back in the day). The only times I've seen them get angry are when people try to change those priorities (eg. tell them they need to do X to make it easier to use), or when someone tries to play politics.

    So we have a group that is ruthlessly security-oriented, paranoid but rationally so, and has plenty of experience in the security field. Is there any reason not to celebrate them taking charge of fixing what is, by all accounts, a shoddy SSL implementation? And if they need to fork it to do so, why not? The code is still public - if the OpenSSL team wants it, they can merge it back in. They're simply bypassing the OpenSSL leadership - which, I remind you, let the code get into the state it is now.

    • (Score: 3, Interesting) by len_harms on Wednesday April 23 2014, @05:40PM

      by len_harms (1904) on Wednesday April 23 2014, @05:40PM (#35029) Journal

      We shall see what they come up with. For now I am cautiously optimistic about it.

      Right now they are swinging at the low hanging fruit (you can see it in the changelogs which are semi funny to read btw). Dropping support for compilers that no one sells anymore. Using functions which were unreliable a few years ago between compilers. Such as you need to worry about things like how some standard CRT functions handled its parameters as VS may do one thing and metrowerks another and GCC a third.

      They have narrowed the scope and dropped old platforms. This is a good thing for that project. It should get real interesting when they really dig in and refactor the code. Right now they are at the 'take everything out of the room and replace the nasty carpet and put it all back' clean up stage. Should get good when they start deciding what the new API looks like. It gives them a good lay of the land and what is really necessary and what can go.

  • (Score: 4, Interesting) by michealpwalls on Wednesday April 23 2014, @04:07PM

    by michealpwalls (3920) on Wednesday April 23 2014, @04:07PM (#34968) Homepage Journal

    My favourite part is this little gem right here:

    "The Open Source model depends [on] people being able to read the code. It depends on clarity. That is not a clear code base, because their community does not appear to care about clarity. Obviously, when such cruft builds up, there is a cultural gap."

    So true, it hurts! These guys are my heroes! I esp. like how they don't even slightly care what the webpage looks like... They will actually focus on the product before a fluffy webpage to market the product.. Amazing concept, no?! Someone should drop this tid-bit of knowledge onto the Mozilla Corporation one day :)

    • (Score: 0) by Anonymous Coward on Wednesday April 23 2014, @05:31PM

      by Anonymous Coward on Wednesday April 23 2014, @05:31PM (#35022)

      Hear hear!

      (re: Mozilla)

    • (Score: 1) by BasilBrush on Wednesday April 23 2014, @05:45PM

      by BasilBrush (3994) on Wednesday April 23 2014, @05:45PM (#35033)

      I esp. like how they don't even slightly care what the webpage looks like... They will actually focus on the product before a fluffy webpage to market the product.. Amazing concept, no?!

      Ideally the people working on low-level security code will not be the same people designing a web-page.

      --
      Hurrah! Quoting works now!