"Network Time Protocol, OpenSSH and OpenSSL first projects to receive support; Open Crypto Audit Project to conduct security audit of OpenSSL"
Just give the money to the OpenBSD team. We saw with OpenSSH that they have a proven track record taking crappy security software and fixing it. Why does everyone have this aversion to giving the OpenBSD team the funding they deserve?

And "Theo's a dick" doesn't qualify as a valid reason to not fund real security development. For the work those guys have done improving the security infrastructure of every operating system (they lead, others followed), the entire team deserves to be well-off dicks. It's to me the ultimate highlight of OSS's funding problem. People make millions/billions of dollars off of this software, and nobody ever contributes any of that back to the shoulders they stood on to make that happen.
When the missing funding of OpenSSL was discussed, it came up several times that OpenSSH, while doing great, is quite underfunded, too. I am glad to see them getting some money.

What I can't really comment on myself, but am reading from the OpenBSD guys, is that the OpenSSL team does quite well with FIPS consulting and has no increased interest in improving the library.[0]

Even if those claims are not true, it would be nice to see several other TLS libraries (GnuTLS, LibreSSL etc.) getting sponsored to get some healthy competition. Maybe they could even directly compete for shares of the funding by the Linux Foundation in some way.

[0]: http://www.openbsd.org/papers/bsdcan14-libressl/mgp00008.html
I'm actually looking forward to seeing how the OpenSSL project will deal with their own legacy code, compared to how the OpenBSD developers have handled it.

It seems that one of the only ways of dealing with the OpenSSL code is to strip out the code for a large number of, should we say, "less used platforms". Are the OpenSSL developers willing to drop support for 16-bit Windows or OpenVMS?
I skimmed, but cannot seem to see which project is being supported when they say NTP.

When you support the OpenBSD Foundation you support:

- OpenBSD
- OpenSSH
- OpenBGPD
- OpenNTPD
- OpenSMTPD
- LibreSSL

The wording makes me think that the initiative will be supporting something other than OpenNTPD.
If the OpenSSL Software Foundation is a for-profit operation, why are tech companies funding it (1) instead of LibreSSL?

1: http://arstechnica.com/information-technology/2014/04/tech-g..
This is great news. NTP is one of the least appreciated OSS projects. Harlan and the rest of the ntp dev team are very helpful and deserve a lot of respect for keeping the clocks on time. I can only hope that increased ntp funding/awareness/development means that BitKeeper (not a typo) is finally replaced by git/mercurial.
How do code security audits actually work? Are various well-experienced people just combing through the code and trying to break it? Or is there a more formal process?
It is possible the OpenSSH funding, since it is done through the OpenBSD Foundation, could, at the Foundation's discretion, go toward LibreSSL, since it's the same group.
Having "Huawei" as one of the backers does not create confidence. Recent news shows that they had their hardware backdoored.

https://duckduckgo.com/?kh=1&q=Huawei&sites=www.schneier.com%2Fblog