[Ubuntu-QC] After Heartbleed, OpenSSL Is Forked Into LibreSSL

Mer 23 Avr 02:43:34 UTC 2014

Je vous livre cela tout cru. Après OpenBSD, les distributions basées sur
Debian suivraient...

NEWS ANALYSIS: In open-source, when things go wrong, forks happen. The
forking of OpenSSL is a direct response to the Heartbleed vulnerability.
The OpenSSL project has come under intense scrutiny in recent weeks due to
the Heartbleed vulnerability.

While the OpenSSL Foundation has publicly asked for more
money<http://www.eweek.com/security/will-open-source-money-prevent-the-next-heartbleed.html>to
help fuel development, a new option to push OpenSSL forward is now
getting started.

In the open-source development model, when disputes happen and one group
wants to take a project in a different direction, forks happen and that's
what is now occurring with OpenSSL.

The open-source OpenBSD operating system community has now officially
forked the OpenSSL code and is building its own version of an open-source
cryptographic library called LibreSSL.

The forking of OpenSSL is a direct response to the Heartbleed
vulnerability, which was first publicly
disclosed<http://www.eweek.com/security/heartbeat-ssl-flaw-puts-linux-distros-at-risk.html>April
7. OpenSSL is an open-source cryptographic library used to provide
Secure Sockets Layer (SSL) services to Websites and embedded technologies.
The Heartbleed flaw could enable an attacker to read data from a server
that is vulnerable. It's an attack that has been used against the Canada
Revenue Agency<http://www.eweek.com/security/heartbleed-impacts-taxes-android.html>,
as well as a client<http://www.eweek.com/security/heartbleed-takes-aim-at-vpns-other-risks-persist.html>of
security vendor FireEye.

When the Heartbleed news first broke, I contacted OpenBSD founder Theo de
Raadt, who is always a great source for colorful commentary.
OpenBSD<http://www.openbsd.org/>is an open-source operating system
that makes use of OpenSSL and also leads
multiple important open-source efforts, including
OpenSSH<http://www.openssh.com/>.
I was curious about the disclosure
process<http://www.eweek.com/security/heartbleed-ssl-flaw-angst-aggravated-by-broken-disclosure-process.html/>around
the Heartbleed flaw, which left hundreds of millions of end users at
risk, though somehow a few services, including Google and CloudFlare, did
receive advance notice.

"We received no notice," De Raadt told me. "I came back from the pub after
meeting someone involved in the local Internet exchange, found out four
developers were already working on the errata, I approved their
diff<http://en.wikipedia.org/wiki/Diff>for not causing an ABI
[Application Binary Interface] breakage, signed the
patches, and it shipped."

Now, instead of just waiting for the OpenSSL project to get its act
together, OpenBSD is taking matters into its own hands by forking the
project and creating LibreSSL. It's still very early days in the LibreSSL
effort, and it is currently targeted for inclusion in OpenBSD 5.6, with
other operating systems to follow, which I suspect will include both Red
Hat and Debian-based flavors of Linux.

According to the LibreSSL project page <http://www.libressl.org/>, the
multi-operating system support will happen once there is a stable
commitment of funding in place by way of the Canadian not-for-profit OpenBSD
Foundation <http://www.openbsdfoundation.org/>. There already is
code<http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/>that
is being actively developed in LibreSSL, and it sure looks like a
massive cleanup of OpenSSL.

"We know you all want this tomorrow, we are working as fast as we can, but
our primary focus is good software that we trust to run ourselves," the
LibreSSL project page states. "We don't want to break your heart."

The LibreSSL project is a great example of why open source is a superior
way to develop software. When things don't work, open-source code can be
forked, and it can be taken in a different direction. Try that with
proprietary code.

http://www.eweek.com/security/after-heartbleed-openssl-is-forked-into-libressl.html
-------------- section suivante --------------
Une pièce jointe HTML a été nettoyée...
URL: <https://lists.ubuntu.com/archives/ubuntu-quebec/attachments/20140422/08db34cb/attachment.html>