I'd be more interested in a comparison in the strategies used to harden the codebase in the forks like BoringSSL and LibreSSL, and how well those strategies have panned out.

There has historically been some crowing from the LibreSSL crowd about how their work avoided CVEs later discovered in OpenSSL: https://undeadly.org/cgi?action=article&sid=20150319145126
Code quality and hygiene mean absolutely nothing if you have a large number of academic types who use OpenSSL as the dumping ground for their pet research projects, which are enabled by default, of course.

Also, OpenSSL supports all kinds of ancient esoteric platforms that are essentially unused, yet were kept in the code base for sentimental reasons.

The real metric they should be looking at is the number of features/platforms/LOC removed from the project. Less code = less surface area for exploits.
I'm glad there have been changes to the project. Heartbleed was certainly bad, but I personally never understood getting behind LibreSSL. Seeing one bad vulnerability from an established project and immediately jumping ship to a brand new one with less eyes and reputation seemed hasty to me.
This made me think of BoringSSL and LibreSSL again.

Looking it up on Wikipedia, it seems that LibreSSL is focused on OpenBSD and removed lots of legacy code. BoringSSL (Google) got renamed to Tink, but I couldn't find much more.

It's sad to see that duplication of effort, but it's also the force of open source.
For random reasons I can't read the full article but I wonder if they discuss the impact of LibreSSL on OpenSSL itself. Would anyone who moved to LibreSSL actually look back to OpenSSL today in 2020? Honest question as I'm not a crypto professional myself.
OpenSSL recently passed a change in their vuln announcement policy to give a major firm, which everyone here knows I think, 7 days advance notice of any zero-day that they were made aware of.

This was the engineer who helped set up the new policy: https://awe.com

To be honest, maybe it's a good idea. It depends on how much support Huawei is willing to give OpenSSL.