Agreed. This is a bit scary. I feel the resources would be better off focusing on merging with the official OpenSSL project rather than forking and _then_ asking for funding, essentially taking any potential funding from the official OpenSSL project.
I get your point, but let's face it, the OpenBSD developers have done more to fix OpenSSL in the last two weeks than the OpenSSL developers have done in the last two years.
Some of the bug fixes have been pulled from OpenSSL's bug tracker, where they've just sat for one or two years. This should make you think about what motivates the OpenSSL developers; my guess would be new crypto algorithms and the math, rather than maintaining a modern and secure crypto library.
Honestly the better solution might be to have the OpenSSL developers commit new code to the OpenBSD fork. To my understanding no one doubts that the OpenSSL developers understand the math and crypto in SSL and TLS, but they aren't the sharpest C programmers. There's no point in ostracising the OpenSSL developers, but maybe they should just focus on the parts that they do really well and let others, like the OpenBSD developers, productize their work.
Count the number of vulnerabilities in OpenSSL over the last few years, relative to the size of its code base. A single vulnerability, albeit bad this year, results in a fork and the attitude of "it had its chance."
LibreSSL inherits all of the undiscovered vulnerabilities in its huge code base. I hope your harsh criticism carries over to its code base once these flaws are discovered here too. That's the beauty of open source.
The problem is that a security software brick is not satisfactory when it works, but when you can be sure there are no problems.
Given the very low quality of the code and the high amount of bloat, few people actually trust it. They have to trust third-parties and external certifications and the word on the street, and this is not enough for that kind of dependency.
Quite frankly, unless LibreSSL manages to raise more than $2000 a year (what the OpenSSL foundation makes, apparently) I fail to see how they hope to avoid encountering the same kind of problems OpenSSL did (and still does). And given that the OpenBSD project had to beg for donations to reach a $150k goal, if memory serves, I doubt they'll be able to sink a tremendous amount of money into LibreSSL.
If you can't pay people to work on the project full time, properly test and audit the code, sooner or later something will go wrong. And then we'll see people over here commenting along the lines of "my god those people are incompetent/irresponsible, they hope to get a free pass because it's free and open source, etc."
Also, until I see a first release of the lib it's just marketing as far as I'm concerned, after all the OpenBSD foundation announced OpenCVS in 2004...
Well sure, OpenSSH is probably one of the most useful and versatile tools out there, there's no denying that it's a huge achievement.
That being said, it's a program with mostly well-defined use cases while OpenSSL is a library used in thousands of programs (including OpenSSH) on a variety of hardware and operating systems. The OpenBSD project naturally mostly cares about OpenBSD first and the rest second, which might be a bad thing if we end up with a multitude of forks each supporting a particular OS/architecture, increasing the chances of messing things up. After all, the latest big OpenSSH vulnerability was due to Debian-specific patches...
Also, for what it's worth, sloccount tells me the latest snapshot of OpenSSH has about 90 thousand lines of code while OpenSSL has more than 360 thousand. It's a huge, huge library; forking and maintaining it is a tremendous undertaking, even compared to OpenSSH.