
> the fact remains that OpenSSL is very widely used on Windows and yanking it out without providing a drop-in replacement option is a bad idea

The LibreSSL guys are not yanking anything out of Windows, they're just providing an alternative to OpenSSL, for all the world to use, for free.

They're not under any obligation to support Windows, no matter how bad you want them to.




I don't expect them to support Windows, you misunderstand the whole concern.

The concern is that OpenBSD fellas are fragmenting the project and they are also asserting that OpenSSL team was doing things wrong for a long time. This is not a start of a beautiful friendship. Throw in a bit of crowd lynching (to the tune of "OpenBSD is showing OpenSSL how to do security right") and we can end up with OpenSSL devs showing a finger and throwing in a towel. At best, we'll have two related SSL implementations, devs of which don't really talk to each other. That's the issue.


People have been saying that OpenSSL has been of poor quality [1], that the documentation is bad [2], and the developers don't really listen [3] for years. Heartbleed was just the straw that broke the camel's back. OpenSSL really was one of those pieces of software that was Just Good Enough that people tolerated it, but at the same time, filled them with a desire to punch kittens whenever they had to code with it.

[1] https://www.peereboom.us/assl/assl/html/openssl.html

[2] http://www.ibm.com/developerworks/opensource/library/l-opens...

[3] http://lists.randombit.net/pipermail/cryptography/2012-Octob...


The devs can probably at least be mature enough to use each other's code where it is compatible. More to the point, there's really only a couple of full-time OpenSSL devs, and the others are more contributors, for whom I'd imagine switching to a better laid out, less buggy, less spaghetti-codey, more practical implementation would be an advantage.


> The concern is that OpenBSD fellas are fragmenting the project and they are also asserting that OpenSSL team was doing things wrong for a long time.

Fragmenting? Aren't they making a separate, alternative implementation?

Either way, the whole open source field is chock-full of "fragmentation", with countless precious little snowflakes rushing to fork and re-implement anything and everything under the sun to get it just the way they want it. I doubt whatever fragmentation might happen with OpenSSL is a cause for concern, especially when the OpenSSL codebase is objectively bad.



