A lot of Linux people have the impression that LibreSSL is largely incompatible with OpenSSL (not true), that the ABI breaks every six months (not true), or that it requires heavy patching of downstream software work to maintain (not true anymore).

Here's a recent presentation about LibreSSL and some of those points: https://www.youtube.com/watch?v=bF1d_aCSzS0

Years ago there was also a big article from Alpine, one of the distros that tried to switch to it and had to switch back. The now-outdated article seems to be the main citation for those opposed to even giving LibreSSL a chance now. In fact Alpine is reconsidering a switch back from OpenSSL after the 3.x branch was shown to be such a disaster.

One of the LibreSSL developers summarized this recent OpenSSL issue in a commit message worth reading: https://marc.info/?l=openbsd-ports-cvs&m=166731803502387&w=2
If I recall, back when Heartbleed hit, the OpenSSL Project only had 1 FTE worth of paid developers & managers working on their code.

Wikipedia claims that (as of 2019) they have 2 FTEs' worth, plus a dozen or so volunteers...who are a big overlap with their management committee. And their total budget is < $1M/year.

Not to suggest that volunteer coders are automatically lesser coders...but for widely-used, uber-critical, uber-complex code, that sounds pretty profoundly under-resourced.

Edit: Adding the full quote from Wikipedia: "As of May 2019,[7] the OpenSSL management committee consisted of 7 people[8] and there are 17 developers[9] with commit access (many of whom are also part of the OpenSSL management committee). There are only two full-time employees (fellows) and the remainder are volunteers."
I haven't really stayed up to date, but I recall the primary issue with openssl at the time of heartbleed was that it was basically a poorly manned project with little funding, yet billions of people rely on it daily. Has that situation changed at all since? It's ironic the OP laments them "not learning lessons" since heartbleed, but if there was any lesson to learn it is that if everyone is going to rely on a piece of software it should get some love from the broader community. It's good he found it but his harsh scolding tone is unfair given the situation...unless openssl has multiple SV salaried employees working full-time on it by now.
I find it odd that Google's oss-fuzz didn't find this a long time ago.

https://github.com/google/oss-fuzz/blob/master/projects/openssl/build.sh
A bit funny, a software library focused on cryptography, where security is an afterthought rather than proactive effort.

I would consider the alternatives before going to OpenSSL.
Isn't OpenSSL included in the oss-fuzz project? If Hanno caught it this quickly with his fuzzer, it would seem surprising if they didn't also.
I'm reminded of ESR's quip "given enough eyeballs, all bugs are shallow." And that's often true for projects that have obvious functionality and for which you're not worried about cross cutting concerns like security or safety. I just remember a decade of working with federal contractors trying to disabuse them of the idea that they could just grab some random code off the internet and assume it was coded well enough to avoid simple, impactful vulnerabilities.
An example of proven correct networking code:

https://www.microsoft.com/en-us/research/blog/project-everest-advancing-the-science-of-program-proof/

This is the future.
I once added a "very simple" string manipulation utility function that was "obviously correct" and "didn't need any tests", then pushed directly to master. Suffice to say I don't do that any more.