posted by martyb on Sunday May 18 2014, @05:44AM
from the got-your-acronyms-here dept.

Bob Beck, an OpenBSD, OpenSSH, and LibreSSL developer and director of the Alberta-based non-profit OpenBSD Foundation, gave a talk earlier today at BSDCan 2014 in Ottawa, discussing and illustrating the OpenSSL problems that led to the creation of a large fork of OpenSSL. The fork remains API-compatible with the original and serves as a drop-in replacement, without the #ifdef spaghetti and without OpenSSL's own "OpenSSL C" dialect.

Bob claims that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front for FIPS consulting gigs, and that no one at OpenSSL is actually interested in maintaining OpenSSL, but merely in adding more and more features, while existing bugs rot in the bug tracker for a staggering 4 years (CVE-2010-5298 was independently rediscovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years earlier).

Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful to the OpenBSD developers in finding and fixing even more OpenSSL bugs in the downstream LibreSSL, bugs which still remain unfixed in upstream OpenSSL.

A great deal of rough cleanup has already been completed and the process is still ongoing, but some new ciphers have already been added to LibreSSL: the RFC 5639 EC Brainpool curves, ChaCha20, Poly1305, FRP256v1, and some derivatives of the above, such as the ChaCha20-Poly1305 AEAD EVP from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs and asks the community for funding commitments: the Linux Foundation is turning a blind eye to LibreSSL and is instead committed only to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the upstream OpenSSL project. Funding can be directed to the OpenBSD Foundation.

  • (Score: 1, Flamebait) by Hairyfeet on Sunday May 18 2014, @07:02AM

    by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Sunday May 18 2014, @07:02AM (#44794) Journal

    Kinda hard to be surprised they aren't getting funding when they think Comic Sans is fine for a presentation.

    --
    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 4, Informative) by melikamp on Sunday May 18 2014, @07:24AM

    by melikamp (1886) on Sunday May 18 2014, @07:24AM (#44799) Journal
    From the presentation:

    "Weaponized" Comic Sans:
    "This page scientifically designed to annoy web hipsters - donate now"
    Actually quite sad that far more people will express their outrage over the use of Comic Sans on a web site than reading the asn1 code and expressing their outrage over that.
    Having said that we did get a nice amount of Paypal donations when I put that up.

    • (Score: 1) by Refugee from beyond on Sunday May 18 2014, @09:46AM

      by Refugee from beyond (2699) on Sunday May 18 2014, @09:46AM (#44815)

      >"This page scientifically designed to annoy web hipsters - donate now"

      That's hardly a professional attitude, though.

      --
      Instantly better soylentnews: replace background on article and comment titles with #973131.
      • (Score: 2) by Nerdfest on Sunday May 18 2014, @02:12PM

        by Nerdfest (80) on Sunday May 18 2014, @02:12PM (#44870)

        Having a sense of humour in a presentation is hardly unprofessional. It's also great marketing most of the time as it gets some attention, and in this case, likely attention from the correct audience.

        • (Score: 1) by Refugee from beyond on Sunday May 18 2014, @02:23PM

          by Refugee from beyond (2699) on Sunday May 18 2014, @02:23PM (#44876)

          Calling names is, though.

          --
          Instantly better soylentnews: replace background on article and comment titles with #973131.
          • (Score: 1) by steveha on Monday May 19 2014, @07:45AM

            by steveha (4100) on Monday May 19 2014, @07:45AM (#45123)

            Calling names is [unprofessional]

            Yeah. I watched the YouTube video of the presentation, and I'm of two minds about it. On the one hand, it's kind of unprofessional to just keep slamming the OpenSSL guys. On the other hand... it seems like the OpenSSL guys really deserve all the abuse. (Horrible security issues languishing for four years, unfixed? WTF?)

            I have to agree that the OpenSSL situation was so dire that a hostile fork really was justified. I'm cheering for the LibreSSL guys, and I look forward to future presentations where they will talk more about cool technical security stuff and not so much about how truly awful OpenSSL was.

            • (Score: 0) by Anonymous Coward on Monday May 19 2014, @10:36AM

              by Anonymous Coward on Monday May 19 2014, @10:36AM (#45158)

              The name calling mentioned by GP is probably in relation to the word hipster being used to describe the GPer. The presentation doesn't attack any OpenSSL developer, either directly or as a group. It does mention that their code is crap, which is an objective truth, and points to a possible reason: OpenSSL inc., which again does objectively exist and does what it does. If they or someone by proxy feel offended, they are free to change jobs. OpenSSL inc. doesn't have them as slaves, I suppose.

    • (Score: 2) by maxwell demon on Sunday May 18 2014, @10:04AM

      by maxwell demon (1608) on Sunday May 18 2014, @10:04AM (#44818) Journal

      If all you want is to annoy web hipsters, then all you have to do is use HTML without any fancy CSS. Use basic HTML items, let the browser choose colours and fonts, use nothing but bare HTML. This will annoy web hipsters without annoying almost everyone else.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by kaszz on Sunday May 18 2014, @12:35PM

        by kaszz (4211) on Sunday May 18 2014, @12:35PM (#44845) Journal

        Web hipsters can donate money for computer upgrades to read their mudpool of fluff. Here on it will be HTML v2 if lucky and hey it just works :P

  • (Score: 0) by Anonymous Coward on Sunday May 18 2014, @07:33AM

    by Anonymous Coward on Sunday May 18 2014, @07:33AM (#44801)

    So you prefer funding incapable people without comic sans? People like you always need to find something to whine about; if one thing doesn't matter then it's what font they use. There's a lot at stake, so just be happy someone is doing something about this mess.

    • (Score: 2) by maxwell demon on Sunday May 18 2014, @10:13AM

      by maxwell demon (1608) on Sunday May 18 2014, @10:13AM (#44822) Journal

      The authors acting childish in one respect doesn't exactly induce trust in them acting professionally otherwise. Which is especially relevant in questions of security-related code.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by kaszz on Sunday May 18 2014, @12:40PM

        by kaszz (4211) on Sunday May 18 2014, @12:40PM (#44847) Journal

        Acting incompetent is so much better. Given that LibreSSL cleans the mess up for free. They also ought to earn the right to mock the predecessors a bit.

        • (Score: 2) by omoc on Sunday May 18 2014, @12:45PM

          by omoc (39) on Sunday May 18 2014, @12:45PM (#44849)

          Especially if you read this on the OpenSSL page:

          > "Please note that the OpenSSL Software Foundation (OSF) is incorporated in the United States as a regular for-profit corporation."

          • (Score: 2) by kaszz on Sunday May 18 2014, @12:55PM

            by kaszz (4211) on Sunday May 18 2014, @12:55PM (#44852) Journal

            Do shit to the public at large and get mocked for it. News at 11 - READ ALL ABOUT IT! :D
            Same as for Microsoft, same for OpenSSL etc..

        • (Score: 2) by maxwell demon on Sunday May 18 2014, @12:53PM

          by maxwell demon (1608) on Sunday May 18 2014, @12:53PM (#44851) Journal

          I don't see the connection between mocking the predecessors and intentionally making their web page ugly.

          --
          The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by omoc on Sunday May 18 2014, @01:53PM

            by omoc (39) on Sunday May 18 2014, @01:53PM (#44863)

            If you can't do something right, at least do it badly. That's the credo of OpenSSL in general and of the LibreSSL webpage.

      • (Score: 0) by Anonymous Coward on Sunday May 18 2014, @02:06PM

        by Anonymous Coward on Sunday May 18 2014, @02:06PM (#44866)

        I'd say 25-40k$ so far for using comic sans with the donation hint was well worth it. But go on complaining please

        • (Score: 2) by maxwell demon on Sunday May 18 2014, @03:34PM

          by maxwell demon (1608) on Sunday May 18 2014, @03:34PM (#44890) Journal

          You have any indication that this amount of money was spent because of Comic Sans?

          For all we know, it might as well have been ten times as much if they hadn't used Comic Sans. Unfortunately we don't have access to an alternative reality to compare the numbers.

          --
          The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by gman003 on Sunday May 18 2014, @03:36PM

        by gman003 (4155) on Sunday May 18 2014, @03:36PM (#44891)

        They're making a point - fixing the code is much more important than having a fancy website, so they put up an extremely simple website. To demonstrate that they are focused on the codebase rather than marketing, they used a few things that modern designers claim are the Worst Thing Ever - Comic Sans, blink tags, marquee tags.

        • (Score: 2) by maxwell demon on Sunday May 18 2014, @03:46PM

          by maxwell demon (1608) on Sunday May 18 2014, @03:46PM (#44898) Journal

          There's nothing wrong with setting up an extremely simple web site. But they really should not have added those negative things. There's a huge difference between just not making it pretty, and actively making it ugly.

          Indeed, even if the time they put in it has not been large, it still is true that the time they invested into thinking which part might blink would better have been invested in the code. That is, by actively making the site intentionally ugly they actually counteract the very point.

          --
          The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 0) by Anonymous Coward on Sunday May 18 2014, @04:35PM

            by Anonymous Coward on Sunday May 18 2014, @04:35PM (#44918)

            meet maxwell demon (1608) the pissed off web hipster

            • (Score: 2) by maxwell demon on Sunday May 18 2014, @05:11PM

              by maxwell demon (1608) on Sunday May 18 2014, @05:11PM (#44933) Journal

              Ah, an ad hominem, the resort of those who ran out of arguments.

              --
              The Tao of math: The numbers you can count are not the real numbers.
              • (Score: 0) by Anonymous Coward on Sunday May 18 2014, @07:26PM

                by Anonymous Coward on Sunday May 18 2014, @07:26PM (#44972)

                It's more like you don't get it, so any argument is pointless. But sure, let's all be annoyed by the look of that website rather than the quality of the code they're fixing for us.

                • (Score: 2) by maxwell demon on Sunday May 18 2014, @07:55PM

                  by maxwell demon (1608) on Sunday May 18 2014, @07:55PM (#44982) Journal

                  Oh, so just because they (promise to) do something good, you are not allowed to criticise them for something they are doing bad? That's certainly not an attitude I can relate with.

                  --
                  The Tao of math: The numbers you can count are not the real numbers.
                  • (Score: 2) by Hairyfeet on Sunday May 18 2014, @08:17PM

                    by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Sunday May 18 2014, @08:17PM (#44989) Journal

                    Sadly I see this waaay too often from the FOSS camp. It's the "it's free so you can't complain" argument, to which I always respond "So if somebody offers you a free sandwich and then puts a side of shit on the plate, that doesn't matter because it's free?"

                    If they want people to give them tens of thousands of dollars for their work? A touch of professionalism really isn't too much to ask IMHO. If somebody came into my shop with a proposal and they put it in Comic Sans because "it's to annoy hipsters lulz" I'd tell them "You obviously have the mentality of a 15 year old, please stop wasting my time" and show them the door... and they are shocked that the Linux foundation doesn't want to hand a couple million to them over OpenSSL?

                    --
                    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
                  • (Score: 2) by hybristic on Sunday May 18 2014, @09:13PM

                    by hybristic (10) on Sunday May 18 2014, @09:13PM (#45003) Journal

                    I believe the point is, the part they are doing "badly" was completely intentional. It was part of the statement and marketing. So yes it took time away from the code development, but if they just threw up a plain html site without all the blinking and Comic Sans they couldn't have made the statement they were going for. And it's important to get a message across about what you're doing. They are saying, yeah we are bad at all this web design crap, look we even use crap fonts and scrolling text! But what we do know is security. If you are into looks and features this isn't the solution for you.

      • (Score: 2) by Hairyfeet on Sunday May 18 2014, @06:09PM

        by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Sunday May 18 2014, @06:09PM (#44951) Journal

        THANK YOU!!! If you want me to break out my CC for a SECURITY RELATED PROJECT you better damned well act like fricking pros so I know you can do the job! Would YOU trust somebody who thinks it's appropriate to act like a snarky douche in a presentation where they are trying to get donations? That alone has told me this project is poorly managed and not worthy of consideration, and I have no doubt shit like this is why the Linux foundation has passed on giving them funds.

        --
        ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 0) by Anonymous Coward on Sunday May 18 2014, @08:28PM

    by Anonymous Coward on Sunday May 18 2014, @08:28PM (#44994)

    I've read once that politicians can discuss a nuclear program for 5 minutes and then discuss whether to paint an aluminium shack for their bicycles, or something like that, for hours, because they think that they know what they're talking about (in the case of the shack). I think this was in "Parkinson's Law".
    This SSL and comic sans discussion looks oddly similar in proportions.