科技回声 (Tech Echo)
A tech news platform built on Next.js, providing global tech news and discussion.
Of Money, Responsibility, and Pride

112 points, by silenteh, about 11 years ago

8 comments

AaronFriel, about 11 years ago
This is a mistake. The Apache foundation doesn't sell $250/hour consulting gigs for its primary source of revenue. Neither does the Linux Foundation, the SQLite Consortium, or other massive, mission-critical open source products.

This is the wrong funding model. It keeps money in OpenSSL developers' pockets, but there is no financial incentive for any OpenSSL developer to work on foundational improvements to OpenSSL. He said himself: there is over $100,000 in open contracts for competent developers to work on non-foundational improvements to the project. If you are an enterprising developer with good C skills and a knack for crypto projects and you apply to work for the OpenSSL foundation, are you going to start servicing that $100,000 pool of contracts, or are you going to pretend that money doesn't exist and live on ramen?

If nearly all of OpenSSL's revenue comes from clients that want OpenSSL to meet their particular needs, then none of that money is going to developers to strengthen OpenSSL's foundation. This is why OpenSSL looks like a hodgepodge of hacks upon hacks in order to accomplish narrow goals with limited impact testing. It should be no surprise to anyone else: clients are literally paying OpenSSL developers for this, and nothing else.

Who is paying OpenSSL for developers to clean up the code base and remove ancient #IFDEFs? Who is paying OpenSSL for developers to analyze code paths and do case analysis? Who is paying OpenSSL for developers to write unit tests or even have a test harness at all?

No one will pay an hourly rate to accomplish these tasks. Google is not going to pay by the hour for a developer to stare at a function until they grok it; they want a feature. Joe Company will not pay for developers to write unit tests; they want OpenSSL to handle $QUIRK from a vendor's system, or to know how to make their code handle it.

This model needs to go away. Competent OpenSSL developers' time is too valuable to waste on client asks. Their project is too important, and as long as the money is flowing only for novel features and not structural improvement, then that money will dictate that only new features are developed.
Comment #7582821 not loaded
Comment #7584967 not loaded
Comment #7583383 not loaded
Comment #7583006 not loaded
Comment #7584063 not loaded
Comment #7592109 not loaded
Comment #7582768 not loaded
tptacek, about 11 years ago
Could someone involved with the OpenSSL Foundation and the OpenSSL project maybe pitch in with a quick description of how the project is managed?

* Who owns which subsystems?

* Is there a board of governors or a BDFL or something like that effectively overseeing the whole project?

* What is the process for screening commits from people new to the project?

This whole post seems to be tinged with a bit of defensiveness on behalf of the most active committers to the project. But it wasn't the active committers who introduced this most recent bug.
dfc, about 11 years ago
The Tor project is a great example of how open source software (OSS) projects can work with sponsors. Trying to find more information on Qualys and PSW Group's sponsorship of OpenSSL is a nightmare compared to Tor project sponsors.[^1][^2] Without the Tor project's emphasis on transparency and professionalism I doubt they could post numbers like this:

"Since meeting the revenue milestones of $1,253,241 in 2009, $1,574,119 in 2010 and $1,681,101 in 2011, Tor has reached new heights in 2012 with over $2 million in revenue (unaudited)."[^3]

My comment should not be read as a criticism of OpenSSL; it should be interpreted as cause for optimism. The Tor project has demonstrated that OSS projects can get sponsored to solve complicated security problems that are difficult to explain to the general public.

[^1]: List of sponsors/projects: https://trac.torproject.org/projects/tor/wiki/org/sponsors

[^2]: Example monthly report for SponsorF's project: https://lists.torproject.org/pipermail/tor-reports/2014-March/000484.html

[^3]: Tor Project Annual Report 2012, pg 8, https://www.torproject.org/about/findoc/2012-TorProject-Annual-Report.pdf
x0x0, about 11 years ago
It's well and fine that Stephen lives very cheaply, but all of this is an attempt to distract from the OpenSSL project's very real issues by wearing a cilice and then bitching about it.

The fundamental facts are these: OpenSSL contains a large quantity of code that, if I were to check it into my company's repo, I would at best have a rough conversation with the CTO and at worst get fired. Plus a lack of good tests. These combine to create more than hypothetical problems; we've seen some severe security holes and there are almost certainly more to come.

The question that should be discussed is whether OpenSSL is, à la sendmail, unsuitable for purpose and, if so, what it should be replaced with.
runn1ng, about 11 years ago
Google Cache version (site is 404ing for me)

http://webcache.googleusercontent.com/search?q=cache:http://veridicalsystems.com/blog/of-money-responsibility-and-pride/&strip=1
wbl, about 11 years ago
OpenBSD has had two holes in a heck of a long time. By contrast, OpenSSL has had a remote execute in 2010, and another 4 in 2002, and is regularly patching DoSes resulting from memory corruption that turns out not to be exploitable.

It is 453,000 or so lines, more than five times the size of xv6. It is ten times as big as PolarSSL. Documentation and internal structuring are wildly inconsistent. Features that make static analysis annoying are widely used. The API is far too low level.

Do you believe this is acceptable in a security library? Do you believe that aspiring to the security of qmail or OpenSSH is a reasonable goal, even at the cost of features? Why should I use OpenSSL for TLS termination when formally validated alternatives exist?
Comment #7583073 not loaded
Comment #7582685 not loaded
Comment #7582971 not loaded
piercebot, about 11 years ago
Reading about Dr. Stephen Henson reminded me of the article written about Tarn Adams, the creator of Dwarf Fortress.

http://www.nytimes.com/2011/07/24/magazine/the-brilliance-of-dwarf-fortress.html?pagewanted=all&_r=0
conductr, about 11 years ago
Not hard. Just change the license and require commercial use to be paid.