> removed MacOS, Netware, OS/2, VMS and Windows build machinery
What are the plans for native Windows support? I don't know what they mean by "The right Portability team in place", but it'd be a joke if the lib would require CygWin or some other external portability scaffolding. And without proper Windows support LibreSSL will simply fragment OpenSSL user base. I guess it's still better than nothing, but it definitely won't be an OpenSSL "replacement."
FWIW the usual OpenBSD story is "get it working, reliable and simple, on (Open)BSD, then add porting shims" (they'll have to add shims for linux anyway if they start using strlcpy)
maybe it's better to switch to NSS, the original SSL library developed by Netscape (now by Mozilla, Google, etc.), that is available under better open source licenses, is used in Firefox, (Chrome), OpenOffice, etc. and has an optional compatible API to OpenSSL: http://en.wikipedia.org/wiki/Network_Security_Services
From the Pros & Cons table, it doesn't seem that NSS is obviously superior to OpenSSL. Both seem to suffer from focus on extra features instead of maintenance and reliability.
The reasoning there is, certainly post-Heartbleed, very scary. Their conclusion boils down to that they want to use the system-provided OpenSSL on Android, rather than shipping NSS.
This might be fine if you're running a Nexus device that still gets updates to the latest Android (Nexus 4 and later?). But for everyone else, that's effectively forcing people to get a new Android phone if they don't want to get stuck with a horribly insecure phone.
In the doc, Google says NSS would need to be added to the base Android image.. so it's not going to be updated any faster than openSSL.
When powering WebView, Chromium on Android uses the Android system-provided OpenSSL library - something not available to applications building with the Android NDK (like Chrome for Android or other Chromium-based Android applications). This helps reduce memory usage by having a single shared library in memory. To accomplish this with NSS, NSS would have to be part of the Android base image - which would still increase memory usage, as most other Android (native) services would still use OpenSSL.
It says "On Android, Chromium uses OpenSSL." in the background section. The question is whether they want to switch other platforms to OpenSSL (or Android to NSS, or keep using both).
"Both seem to suffer from focus on extra features instead of maintenance and reliability."
Unfortunately in the SSL/TLS world, true security is a product of both, as minor flaws in the actual protocol itself are a common enough discovery to make the introduction of new "features" often quite key to the security of the implementation.
I don't see why this product would have a different porting strategy to the usual way OpenBSD projects (such as OpenSSH) handle it - target OpenBSD exclusively in the core project, and support other platforms with ports. Presumably that's what they are going to do here.
Probably none. Windows has its own CSP library which is a little more convenient in a win32 context than OpenSSL or anything POSIX TBH. I think they're doing the right thing here.
There's a ton of Windows software that uses OpenSSL as their security library. Moreover, there is a lot of Windows projects that are written in inherently portable way and using OpenSSL API is the most natural choice for them.
If StartSSL manages to topple OpenSSL and to discourage any further OpenSSL development, then that'd be a very bad thing for a lot developers.
Windows is just a little too different for them to make a proper purge of the project right now. Having Windows support is just a much larger cross-cutting concern than a Unix-like OS, which appears to be the only category of operating system they're currently supporting.
Windows will probably get a port some time later on. Remember that OpenSSH's libssh also has Windows support. It's just not something that fits in their current short term goals of fixing up OpenSSL (I like the term flensing they're using).
Well I disagree. Whilst it's a natural choice for portability, when you port to a proprietary platform such as windows you lose a lot of the support and portability guarantees that POSIX gives you and the calling conventions and standards of many libraries. At this point it's advisable to pick a holistic 3rd party abstraction over this such as something right from APR to Qt that will abstract the platform specific implementation away.
Some people write a lot of stuff plugged into Win32 without considering the CSPs and pull in OpenSSL without thought. Their funeral.
As my father said: "when in France, talk French or hire a translator".
This is all great, but the fact remains that OpenSSL is very widely used on Windows and yanking it out without providing a drop-in replacement option is a bad idea.
We can debate finer nuances of proper abstraction to the death, but it doesn't move a needle for people who already have OpenSSL dependencies in their code.
No one is yanking OpenSSL, this is a fork. OpenSSL is still available and developed and windows apps can continue using it.
If windows (and any other non-OpenBSD OS to be honest) people just HAVE to have LibreSSL instead of OpenSSL on their OS then the donation link is at the bottom of the page.
For right now, it does not matter. Their goal is to fix the project from a security point of view, and it would be impossible if they tied their hands with that during the course of development.
In the future, you can expect the same deal as OpenSSH, OpenNTPD and all the other OpenBSD software that _eventually_ gets ported to other architectures when it reaches a point of stability and safety that it makes sense to do so.
If you follow that through the series of links, you find that it is just an assumption based on one guy who didn't know the project existed thinking unchanged = unmaintained.
Are you sure? There hasn't been a release for 8 years.
I followed the links a while ago after hitting an intialization failure bug that leaves Linux boxes with the incorrect date. I found that neither Arch Linux or Redhat consider OpenNTPD to be supported on Linux.
It would be good if you could explain what I am missing. If there are more recent Linux releases and the information on the Redhat bug tracker is incorrect I would like to know. I'd rather be running OpenNTPD than ntpd.
I don't expect them to support Windows, you misunderstand the whole concern.
The concern is that OpenBSD fellas are fragmenting the project and they are also asserting that OpenSSL team was doing things wrong for a long time. This is not a start of a beautiful friendship. Throw in a bit of crowd lynching (to the tune of "OpenBSD is showing OpenSSL how to do security right") and we can end up with OpenSSL devs showing a finger and throwing in a towel. At best, we'll have to related SSL implementations, devs of which don't really talk to each other. That's the issue.
People have been saying that OpenSSL has been of poor quality [1], that the documentation is bad [2], and the developers don't really listen [3] for years. Heartbleed was just the straw that broke the camel's back. OpenSSL really was one of those pieces of software that was Just Good Enough that people tolerated it, but at the same time, filled them with a desire to punch kittens whenever they had to code with it.
The devs can probably at least be mature enough to use each others code where it is compatible. More to the point, there's really only a couple of full time OpenSSL devs, and the others are more contributors, for whom I'd imagine switching to a better laid out, less buggy, less spaghetti-codey, more practical implementation would be an advantage.
> The concern is that OpenBSD fellas are fragmenting the project and they are also asserting that OpenSSL team was doing things wrong for a long time.
Fragmenting? Aren't they making a separate, alternative implementation?
Either way, the whole open source field is chock-full of "fragmentation", with countless precious little snowflakes rushing to fork and re-implement anything and everything under the sun to get it just the way they want it. I doubt whatever fragmentation might happen with OpenSSL is a cause for concern, especially when the OpenSSL codebase is objectively bad.
> There's a ton of Windows software that uses OpenSSL
And those projects can upgrade to the heartbleed-patched version of OpenSSL and keep going. If LibreSSL eventually makes it to Windows, they can switch.
Ehh, I maintain a few libs that rely on the OpenSSL Windows ports. I'm not too keen on writing a compatibility layer that says "if windows, use the MS version, else use libreSSL!"
I'm fine with them not supporting MSVC in the build, but is it really that much harder to support something like MinGW/MSYS? No need for Cygwin.
The whole point of OpenSSL was that it runs everywhere. If we're going to write a shiny new version, let's at least try to hit the major platforms.
I imagine that's what the supported option is going to be. Given that the OpenSSH documentation explicitly lists Cygwin as the way to run it for windows, similar will probably happen for LibreSSL. The OpenBSD team has always had another team handle porting of their libraries, and they do a pretty good job of it.
Its not a replacement for OpenSSL, OpenSSL will continue to exists as it is, but in a while when libressl is stable enough you can choose on or the other.
What are the plans for native Windows support? I don't know what they mean by "The right Portability team in place", but it'd be a joke if the lib would require CygWin or some other external portability scaffolding. And without proper Windows support LibreSSL will simply fragment OpenSSL user base. I guess it's still better than nothing, but it definitely won't be an OpenSSL "replacement."