Linux Foundation flings two full-time developers at OpenSSL

The Linux Foundation's new elite tech repair team has named its initial areas of focus as it works to find and seal holes in widely-used open source software. The Linux Foundation announced on Thursday that members of the "Core Infrastructure Initiative" (CII) will dedicate resources to working on the Network Time Protocol, …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    About time

    It's good to see (many of) the large corporations that benefit so much from Linux and OSS in general finally stepping up to the plate and funding this. It's a drop in the bucket to them, and must be far less than it's cost them to fix even one vulnerability like Heartbleed, but still welcome for all that.

  2. dwrjones87

    Quite curious as to why they don't devote the resources to LibreSSL. I've been keeping an eye on the commits and they've led me to the conclusion that OpenSSL is a pile of crap that will never be bug free or secure unless it's completely ripped apart à la LibreSSL.

    1. Destroy All Monsters Silver badge
      Facepalm

      Meanwhile, at OpenSSL

      This is sendmail levels of bad.

    2. Tom Maddox Silver badge
      Holmes

      LibreSSL

      OpenSSL is ubiquitous, and upgrading is easier than replacing. I do agree that putting resources towards a competing package would be beneficial, but that would take twice the resources (or more), and it took a major vulnerability to get significant private-sector resources for OpenSSL at all.

      Also, @DAM: Comic SAAAAAANS!

      1. Destroy All Monsters Silver badge
        Trollface

        Re: LibreSSL

        Yeah, but the content makes up for it. "AES Infinite Gerbelling Extension" And immediately thereafter "Weaponized Comic Sans: This page scientifically designed to annoy web hipsters - donate now".

        And then

        "The OpenSSL 'Foundation' is basically a FIPS consultancy - we are not. We believe this creates a priority inversion to the needs of the larger community. FIPS is actively harmful to the security of the library,... FIPS is not a goal of LibreSSL"

        This may explain why OpenSSL.

      2. Anonymous Coward

        Re: LibreSSL

        LibreSSL is a stripped-down fork of OpenSSL, not a from-scratch alternative. Given that the SSL protocol itself is pretty flawed, the LibreSSL approach seems like the best compromise for now.

        1. Jamie Jones Silver badge

          Re: LibreSSL

          In addition to that (dunno why you were voted down, BTW), LibreSSL is intended to be an API-compatible (even when it pains them to do so) drop-in replacement for OpenSSL.

      3. Charlie Clark Silver badge

        Re: LibreSSL

        > and it took a major vulnerability…

        That attitude in a nutshell is a part of the problem with much of the commercial approach: we won't admit it's broken till it's breached.

        The OpenBSD project was born out of an explicit need to make software as secure as possible. This doesn't guarantee security, but by making it an explicit priority they have certainly helped improve the chances of something being secure.

        Other than politics I see little reason for this move by the "Linux Foundation". Working with LibreSSL with the perspective of using it in future instead of OpenSSL would be proper infrastructure development. Unless there are licensing or technical issues that I'm not aware of.

        1. Jamie Jones Silver badge

          Re: LibreSSL

          I have to agree with Charlie here. The OpenBSD folk are likely to now be the de facto guardians of this codebase, as they are with SSH.

          I'm puzzled too by the motives of the Linux folk not getting behind a group with a proven security track record.

  3. ecarlseen

    Exactly.

    Any userland codebase that uses its own malloc needs to die.

    1. Donkey Molestor X

      Re: Exactly.

      >Any userland codebase that uses its own malloc needs to die.

      Why do you hate John Carmack? ;_;

      (cf: DooM's zone allocation daemon)

  4. Anonymous Coward

    It is puzzling!

    Why Microsoft? They weren't affected by Heartbleed and they're not that interested in FOSS. I wonder what they are paying for?

    1. Trevor_Pott Gold badge

      Re: It is puzzling!

      Herd immunity.

    2. Charlie Clark Silver badge

      Re: It is puzzling!

      Tells you a lot about the PR value of joining such an industry group. And that tells you a lot about the real aims of such a group.

  5. JLV
    Thumb Up

    Kudos to MS

    Not their biggest fan, but good to see they are chipping in.

    As to why... it is easy to deploy alternative open source packages on Windows. If it turns out to be leaky and lets in threats, MS is left picking up the pieces. À la Java on Apple if you recall Flashback (I especially recall Apple was clueless at first helping their users, but it was still Oracle's turd that opened the door).

    So hardening low-level, high-usage, OSS programs liable to be put on Windows probably lowers their own vulnerability.

    Regardless, good of MS to help out. And I note Apple's absence in CII. Not like they use much open source stuff themselves or have any cash to spare, eh?
