[Ubuntu-QC] After Heartbleed, OpenSSL Is Forked Into LibreSSL

Frédéric Côté frederick.cote at gmail.com
Mer 23 Avr 02:50:15 UTC 2014 

Je ne suis pas certains que d'autre "folkeront" OpenSSL. OpenBSD va
assurément le faire très bien donc ceux qui ne voudront plus OpenSSL
changeront pour LibreSSL (ou GnuTLS).

Pour rappel, OpenBSD avait cette idée depuis longtemps. Heartbleed n'a été
que la goutte d'eau.

Voici l'histoire du "Mastermind" derrière LibreSSL:
http://www.tedunangst.com/flak/post/origins-of-libressl

Voici plus d'informations sur les problèmes de OpenSSL:
http://opensslrampage.org/



On Tue, Apr 22, 2014 at 10:43 PM, Gilbert Dion <gilbertdion at gmail.com>wrote:

>> ​Je vous livre cela tout cru. Après OpenBSD, les distributions basées sur
> Debian suivraient...
>
> NEWS ANALYSIS: In open-source, when things go wrong, forks happen. The
> forking of OpenSSL is a direct response to the Heartbleed vulnerability.
> The OpenSSL project has come under intense scrutiny in recent weeks due to
> the Heartbleed vulnerability.
>
> While the OpenSSL Foundation has publicly asked for more money<http://www.eweek.com/security/will-open-source-money-prevent-the-next-heartbleed.html>to help fuel development, a new option to push OpenSSL forward is now
> getting started.
>
> In the open-source development model, when disputes happen and one group
> wants to take a project in a different direction, forks happen and that's
> what is now occurring with OpenSSL.
>
> The open-source OpenBSD operating system community has now officially
> forked the OpenSSL code and is building its own version of an open-source
> cryptographic library called LibreSSL.
>
> The forking of OpenSSL is a direct response to the Heartbleed
> vulnerability, which was first publicly disclosed<http://www.eweek.com/security/heartbeat-ssl-flaw-puts-linux-distros-at-risk.html>April 7. OpenSSL is an open-source cryptographic library used to provide
> Secure Sockets Layer (SSL) services to Websites and embedded technologies.
> The Heartbleed flaw could enable an attacker to read data from a server
> that is vulnerable. It's an attack that has been used against the Canada
> Revenue Agency<http://www.eweek.com/security/heartbleed-impacts-taxes-android.html>,
> as well as a client<http://www.eweek.com/security/heartbleed-takes-aim-at-vpns-other-risks-persist.html>of security vendor FireEye.
>
> When the Heartbleed news first broke, I contacted OpenBSD founder Theo de
> Raadt, who is always a great source for colorful commentary. OpenBSD<http://www.openbsd.org/>is an open-source operating system that makes use of OpenSSL and also leads
> multiple important open-source efforts, including OpenSSH<http://www.openssh.com/>.
> I was curious about the disclosure process<http://www.eweek.com/security/heartbleed-ssl-flaw-angst-aggravated-by-broken-disclosure-process.html/>around the Heartbleed flaw, which left hundreds of millions of end users at
> risk, though somehow a few services, including Google and CloudFlare, did
> receive advance notice.
>
> "We received no notice," De Raadt told me. "I came back from the pub after
> meeting someone involved in the local Internet exchange, found out four
> developers were already working on the errata, I approved their diff<http://en.wikipedia.org/wiki/Diff>for not causing an ABI [Application Binary Interface] breakage, signed the
> patches, and it shipped."
>
> Now, instead of just waiting for the OpenSSL project to get its act
> together, OpenBSD is taking matters into its own hands by forking the
> project and creating LibreSSL. It's still very early days in the LibreSSL
> effort, and it is currently targeted for inclusion in OpenBSD 5.6, with
> other operating systems to follow, which I suspect will include both Red
> Hat and Debian-based flavors of Linux.
>
> According to the LibreSSL project page <http://www.libressl.org/>, the
> multi-operating system support will happen once there is a stable
> commitment of funding in place by way of the Canadian not-for-profit OpenBSD
> Foundation <http://www.openbsdfoundation.org/>. There already is code<http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/>that is being actively developed in LibreSSL, and it sure looks like a
> massive cleanup of OpenSSL.
>
> "We know you all want this tomorrow, we are working as fast as we can, but
> our primary focus is good software that we trust to run ourselves," the
> LibreSSL project page states. "We don't want to break your heart."
>
> The LibreSSL project is a great example of why open source is a superior
> way to develop software. When things don't work, open-source code can be
> forked, and it can be taken in a different direction. Try that with
> proprietary code.
>>
>
> http://www.eweek.com/security/after-heartbleed-openssl-is-forked-into-libressl.html
>
>
>
> --
> Ubuntu-quebec mailing list
> Ubuntu-quebec at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/ubuntu-quebec
>
>


-- 
"In a world without walls, who really needs Windows"
"Nothing is foolproof because fools are so ingenious"
-------------- section suivante --------------
Une pièce jointe HTML a été nettoyée...
URL: <https://lists.ubuntu.com/archives/ubuntu-quebec/attachments/20140422/48208e5a/attachment.html>

More information about the Ubuntu-quebec mailing list