What changed in OpenSSL after heartbleed

158 points by gnu, almost 5 years ago

7 comments

zdw, almost 5 years ago
I'd be more interested in a comparison in the strategies used to harden the codebase in the forks like BoringSSL and LibreSSL, and how well those strategies have panned out.

There has historically been some crowing from the LibreSSL crowd about how their work avoided CVEs later discovered in OpenSSL: https://undeadly.org/cgi?action=article&sid=20150319145126
juanbyrge, almost 5 years ago
Code quality and hygiene mean absolutely nothing if you have a large number of academic types who use OpenSSL as the dumping ground for their pet research projects, that are enabled by default, of course.

Also, OpenSSL supports all kinds of ancient esoteric platforms that are essentially unused, yet were kept in the code base for sentimental reasons.

The real metric they should be looking at is the number of features/platforms/LOC removed from the project. Less code = less surface areas for exploits.
easterncalculus, almost 5 years ago
I'm glad there have been changes to the project. Heartbleed was certainly bad, but I personally never understood getting behind LibreSSL. Seeing one bad vulnerability from an established project and immediately jumping ship to a brand new one with fewer eyes and less reputation seemed hasty to me.
icefo, almost 5 years ago
This made me think of BoringSSL and LibreSSL again.

Looking up on Wikipedia it seems that LibreSSL is focused on OpenBSD and removed lots of legacy code. BoringSSL (Google) got renamed to Tink but I couldn't find much more.

It's sad to see that duplication of effort but it's also the force of open source
caiobegotti, almost 5 years ago
For random reasons I can't read the full article but I wonder if they discuss the impact of LibreSSL on OpenSSL itself. Would anyone who moved to LibreSSL actually look back to OpenSSL today in 2020? Honest question as I'm not a crypto professional myself.
rshnotsecure, almost 5 years ago
OpenSSL recently passed a change in their vuln announcement policy to give a major firm, which everyone here knows I think, 7 days advance notice of any zero-day that they were made aware of.

This was the engineer who helped set up the new policy: https://awe.com

To be honest, maybe it's a good idea. It depends on how much support Huawei is willing to give OpenSSL.
dyingkneepad, almost 5 years ago
What's the current market share of OpenSSL vs LibreSSL vs alternatives?