On 2014-06-07, Maxime Villard <m...@m00nbsd.net> wrote:
> What gives LibreSSL more credibility? There's almost nothing new or
> innovative in it; it's just a cleaned up copy of OpenSSL. There might
> be some changes in the future, but you can be sure that LibreSSL will
> lag behind OpenSSL - and most of the code will remain the same.

We'll just have to wait and see about the future, it's too early to
make guesses. One thing's for sure though, new and innovative is *not*
what is needed here at this point.

Much of what's needed is tedious slog: removing unnecessary/dangerous
pieces, finding our way around the code and commit history,
discovering what areas might be harbouring lurking horrors.

Look at some of the major changes that have been made to improve
security in libressl so far, there are things like stopping feeding
information from *private keys* to the (pluggable!) RNG subsystem
and getting rid of the buf freelists (btw on that note, I found it
interesting that the openssl commits referring to bugs that we ran
into after removing the buf freelists are only talking about
SSL_MODE_RELEASE_BUFFERS). New and innovative, definitely not, but
no worse for it.

> Contributing code upstream would have been a way more productive
> approach; it would have given a better image of the OpenBSD team, more
> credibility, and people would have been tempted to look deeper at what
> those guys do, to then figure out that these things are potentially
> good products.

I would hope that some openssl people keep track of commits/fixes in
libressl, just as some people here are keeping track of commits to openssl.
I'm sure other less public-spirited people are keeping an eye on both
plus doing plenty of their own research.

Bugs that are found in libressl would largely *not* be found with the
legacy code still in place and original indentation style; I think I speak
for most OpenBSD people (and probably many others who have looked at this
codebase) when I say it's distracting to the point of frustration. Too
many "why on earth is it written like this" moments to be able to
concentrate on the code itself.
