
Bob Beck gives a 30-day status update on LibreSSL

Accepted submission by cnst http://cnst.su/ at 2014-05-17 22:49:44
Security
Bob Beck — OpenBSD, OpenSSH and LibreSSL [libressl.org] developer and director of the Alberta-based non-profit OpenBSD Foundation [openbsdfoundation.org] — gave a talk earlier today at BSDCan 2014 in Ottawa [bsdcan.org], discussing and illustrating the OpenSSL problems that led to the creation of a large fork of OpenSSL. The fork remains API-compatible with the original, providing a drop-in replacement [openbsd.org] without the #ifdef spaghetti [openbsd.org] and without OpenSSL's own "OpenSSL C" dialect.

Bob claims that the Maryland-incorporated OpenSSL Foundation is nothing but a for-profit front [openbsd.org] for FIPS consulting gigs, and that no one at OpenSSL is actually interested in maintaining OpenSSL, merely in adding more and more features, while existing bugs rot in the bug tracker for a staggering 4 years [openbsd.org] (CVE-2010-5298 [mitre.org] was independently re-discovered by the OpenBSD team after having been quietly reported in OpenSSL's RT some 4 years prior). Bob reports that the bug-tracking system abandoned by OpenSSL has actually been very useful [openbsd.org] to the OpenBSD developers in finding and fixing even more OpenSSL bugs in downstream LibreSSL, bugs which still remain unfixed in upstream OpenSSL. He revealed that a lot of crude cleaning has already been completed [openbsd.org] and the process is still ongoing, but some new ciphers [openbsd.org] have already been added to LibreSSL — RFC 5639 EC Brainpool [bxr.su], ChaCha20 [bxr.su], Poly1305 [bxr.su], FRP256v1, and some derivatives of the above, such as the ChaCha20-Poly1305 AEAD EVP [bxr.su] from Adam Langley's Chromium OpenSSL patchset.

To conclude, Bob warns against portable LibreSSL knockoffs [openbsd.org] and asks the community for a funding commitment [openbsd.org] — the Linux Foundation is turning a blind eye to LibreSSL and is instead committed only to funding OpenSSL directly, despite the apparent lack of security-oriented direction within the upstream OpenSSL project. Funding can be directed to the OpenBSD Foundation [openbsdfoundation.org].