
OpenBSD's scorched earth policy regarding OpenSSL is so anti-community it's ridiculous. OpenSSL served the entire internet for years. I'm happy that it's been forked - nice that it could even happen at all - and some of the cruft responsible for the recent flood of exploits will be fixed/removed, but the hate just seems petty.


What's petty about removing bad code? If someone came into your (work or FOSS) project and just started removing code at the clip they were, you'd probably be extremely upset. At best, it would take way too long to get the approvals by the community. They decided that the changes they wanted (and in their opinion needed) to make would not be worth the politics involved. I don't blame them for that decision. As a byproduct, they are now maintainers of their own system, and as shown by OpenSSH, they are very good stewards of critical systems. Then they ported it back to Linux, and got a call added to the kernel. I wouldn't call that petty.

I think it would have been better had OpenSSL just been straight up fixed rather than forked, but can you legitimately see a way for that to have happened?

To my knowledge, the OpenBSD guys have not hated on the OpenSSL guys in any way, they have hated on the code itself, which was objectively bad code with many latent bugs. Any comments about not knowing how to write secure code resulted from what was produced: insecure code.


> What's petty about removing bad code?

Nothing. But no one said anything about removing bad code.

Have you looked at that page? Their comments are extremely rude:

"So the OpenSSL codebase does “get the time, add it as a random seed” in a bunch of places inside the TLS engine, to try to keep entropy high. I wonder if their motto is “If you can’t solve a problem, at least try to do it badly”."

"Old news, but OpenSSL doesn’t give a fuck whether or not memory was freed. It’s all good."

It's hostile, unprofessional, and unnecessary. I understand these kinds of comments in a private IRC channel or something, but publicly ridiculing someone else's software, especially mission critical software that's been used for years across many platforms, is uncalled for.

It really gave me a bad taste for the LibreSSL project, and all just for some petty sniping.


> It's hostile, unprofessional, and unnecessary.

It might be "unprofessional" which is to say, it's not polite (and since they're giving it away - why would it be "professional" -- they're not (necessarily) getting paid for the work) -- but it's not really disproportionately hostile, and most of all, I disagree that it's "unnecessary".

As evidenced in part by recent security issues, and in part by what the libressl project has dug up/cut away: the code base was horrid for the purpose (providing authentication and confidentiality). Much worse than merely "not good".

I think the (rightfully) hostile attitude helps others realize just how bad things were/are. And I welcome it. I'm sure a few developers are hurt by the comments, but all of your quotes above are pretty much factual and concrete: it's not name calling for the sake of being rude; it's a wake-up call. I'd be surprised if not a few "victims" of those comments aren't also glad that errors are both found and pointed out. Just as if you hacked together a not-quite working brake system for a car, you'd prefer being called out as a hack, and someone fixing it, rather than having lots of people get hurt. The stakes involving openssl can actually be life or death.


So being rude is what you do if it's "important" and the other party didn't have an optimal solution?

Looking at the long history of openbsd and some similar projects, I think being rude like that is what you do when you're too far on to the spectrum to effectively articulate an argument. It probably has something to do with lack of empathy as well... There are very real reasons why their project and user base is the size it is.


> So being rude is what you do if it's "important" and the other party didn't have an optimal solution?

No, being direct is what you do if it's important. I agree that the above quotes aren't polite, but I don't think they're terribly rude. If I publish half-assed code that is hopelessly structured (even if there are reasons for it; "There's too much old cruft", "I don't have time to ...") -- I wouldn't mind getting called on my bullshit. If you suck, and someone points out to you that you do, in fact, suck -- then you should thank that someone.

Sure, it might be nicer if they're polite about it -- but it's really not that big of a deal.


openssh has incredibly broad usage


Agreed. There is a place to be gentle towards others' code, but security is one of the areas where we shouldn't care a mote about developers' feelings, only about the quality of the code.


I work on an open source project in my dayjob, and I can tell you I'd be far less inclined to work with an individual who curses at other developers and makes tons of disparaging comments about my work or the work of others. It creates a hostile and unwelcoming environment, which is not the kind of environment I want to be in.


Good news in this case: you're not obliged to subscribe to source-changes@openbsd.org. Nor is anybody else... you don't even have to dig the archives or the third party blogs that publicize the commits.

But those who follow the commits know that the developers like to express their minds in the commit messages, whether it is bad code written by one of them or somebody else. They're not targeting and publicly shaming some project while throwing insults straight at developers.


But there was no cursing at other developers in the above quotes? It was some mild (and justified) ridicule. And an implication that they didn't give a fuck -- which might be a little crude. But it's kind of hard to argue that it might not be accurate criticism.


You're obviously not a "rock star" or "code ninja" then. What's next, you're not going to have tits in your slides ???


It may be hostile and unprofessional, but it is necessary. Given that the OpenBSD developers have been able to pull a number of important patches directly from the OpenSSL bug tracker and fix issues in LibreSSL, it's clear that polite and professional didn't work either.

Would you have known that parts of the OpenSSL code base were so badly (and unprofessionally) implemented if the OpenBSD developers hadn't been somewhat aggressive?


It's punishment, it's shaming, and it is absolutely necessary. It will discourage poor programmers and great programmers who don't know enough about security from half-assing critical software.


> It's hostile, unprofessional, and unnecessary.

Well I guess you do what's normal when you think someone is being unprofessional: stop buying their products and stop doing business with them.

Oh wait...


Scorching the earth is the right thing to do. OpenSSL is the sick man of the internet and its community has been dysfunctional to non-functional for years, much like its code. The massive injection of money won't solve that problem in the long term. The security patches ought to be integrated with LibreSSL immediately, not after an embargo period dictated by the vendors who have essentially bought out OpenSSL.


There can be more than one bad actor in a play.


> OpenSSL served the entire internet for years.

Well, it gave the entire Internet a false sense of security for years, at least.

> …the hate just seems petty.

Have you read some of the cruft that the LibreSSL guys removed? OpenSSL has been a horrid mess. Sometimes you gotta admit that a Yugo is a really, really, really bad car.


False sense of security? They provided the best SSL stack for years, and for free. Everybody knew for a long time that OpenSSL was a mess, and the harsh reality is that no one wanted to take care of it besides the few (almost benevolent) OpenSSL developers.

So now, the OpenBSD guys come in with their almighty attitude, while they knew about it for years and didn't bother to do anything about it before. No one wanted to do that job before Heartbleed, so yeah, it's really uncalled for to be that rude. We should all be grateful the OpenSSL team did what they did for so long.


You must have been living on an island over the last years. "OpenSSL was the best SSL stack for years?" Best no, only fast.

PolarSSL (now "mbed TLS") is the best, to the best definition of best.

Still better than OpenSSL, which was known to be fast but insecure and poorly managed, are the stacks used by the biggest clients:

  * NSS used by Chrome, Mozilla, et al.
  * GnuTLS used by exim, GNOME, et al.

I'm not at all grateful to the OpenSSL team for using horrible software practices and putting their clients into danger.


Even the OpenBSD people seem to think it's a car worth keeping, just in need of an engine overhaul and better maintenance. They didn't throw out OpenSSL and write their own SSL library (like they have with other things), but rather forked it and cleaned it up.
