Thanks for nothing, OpenSSL, grumbles stonewalled De Raadt

OpenBSD founder Theo De Raadt said OpenSSL maintainers appeared to have intentionally not informed it about dangerous vulnerabilities found in the platform and patched today. The apparent feud stems from the April break away LibreSSL which was forked after developers found the OpenSSL code base to be unacceptably insecure in …

COMMENTS

This topic is closed for new posts.
  1. John Bailey

    So....

    Throwing a hissy fit and taking the ball home is not found endearing..

    Shocked surprise.

    1. JCitizen

      Re: So....

      Well then I'll just take my coat and go home (says he - HA!)

    2. Anonymous Coward

      Re: So....

      I naively thought that folk who were willing to be open about providing code, etc, to help others would also be cooperative to achieve the same goals. Then I got involved in one of the open source projects and found out just how difficult and assholeish that some otherwise very smart folk can be.

      Sigh, as a natural pessimist I should have expected that really.

      (AC for obvious reasons)

      1. Anonymous Coward

        Re: So....

        > I naively thought that folk who were willing to be open about providing code, etc, to help others would also be cooperative to achieve the same goals. Then I got involved in one of the open source projects and found out just how difficult and assholeish that some otherwise very smart folk can be.

        People often talk about OSS being developed by people 'for free' - maybe the reward for their work is sometimes the boost to their egos - "look at me, I write clever software used by lots and lots of people!".

        1. Anonymous Coward

          Re: So....

          Aside from the money, there are plenty of other factors in deciding what job you will take. For OSS I am willing to bet there are a lot of reasons as well.

          In my case I needed that project's capabilities, but also needed it to work better. If I just forked it for my own personal use I would have to back-port any future fixes and features, so it makes rational sense for me to get my fixes and features added in and supported by the project. Ego was not part of it.

        2. This post has been deleted by its author

        3. Anonymous Coward

          Re: So....

          > People often talk about OSS being developed by people 'for free'

          Wrong kind of free, mate. We do it in the name of freedom¹ but we don't usually do it gratis.

          ¹ And convenience, now that software, and in particular operating systems, have become a commodity.

    3. Tom 38

      Re: So....

      What is ironic is that de Raadt does exactly the same thing with OpenSSH, which is his project. He has explicitly said that any security bugs in OpenSSH, he will not report it to the FreeBSD project, because someone once made him cry.

      Act like a kid, get treated like a kid.

      1. sabroni Silver badge

        Re: Act like a kid, get treated like a kid.

        Or alternatively, act like a kid and responsible adults still do their best to keep you safe.

        How can anyone take open source seriously when major bits of software are managed by pouty children? "He did it first" is not an excuse that works when it comes to software security.

        1. Paul Crawford Silver badge

          Re: sabroni

          "How can anyone take open source seriously when major bits of software are managed by pouty children?"

          Have you ever worked in a large company? The management layer can be every bit as bad, though for subtly different reasons.

          In any case there are plenty of examples of closed source products that only ever got reluctantly patched once a breach had occurred, and not when they were notified of it. Should we not take commercial software seriously as a result?

        2. Trevor_Pott Gold badge

          Re: Act like a kid, get treated like a kid.

          "How can anyone take open source seriously when major bits of software are managed by pouty children?"

          Because I've met many of the assholes in charge of some of the most important closed source software...and I trust the pouty children far more.

      2. Anonymous Coward

        Re: So....

        " He has explicitly said that any security bugs in OpenSSH, he will not report it to the FreeBSD project, because someone once made him cry."

        Interesting -- may we have a reference?

        1. Daniel B.

          Re: So....

          > " He has explicitly said that any security bugs in OpenSSH, he will not report it to the FreeBSD project, because someone once made him cry."

          > Interesting -- may we have a reference?

          You aren't familiar with Theo de Raadt, are you? The guy's basically a 5 year old in the body of an adult, throwing tantrums on everything. This is the guy that called Linux a hackjob just because it ended up being more popular than his renegade branch off BSD (itself a product of another of his tantrums). LibreSSL seems to be his most recent tantrum, though his concerns might be actually valid on OpenSSL (how the hell did they let something like Heartbleed sit around for 2 years?!). But notice that one of the things LibreSSL cut was FIPS 140-2 support, which is probably dumb. Oh well...

          1. Anonymous Coward

            Re: So....

            More throwing tantrums like an infant (L'enfant terrible if I haven't mangled it) going through the terrible twos on methamphetamines. Theo's been a fixture for a long, long time and BSD was always my favorite distro. However..., he gives me more than sufficient reason to drink and friends don't let friends drink and code (or do message groups**) !!

            With that, I need a drink. A toast to my shiny, shiny new server!

            [**There are more than a few tantrums out there from moi so I know of what I type.]

          2. MadMike

            "Linux is a hackjob"

            "...[Theo Radt] is the guy that called Linux a hackjob just because it ended up being more popular than his renegade branch off BSD..."

            Theo did not call Linux a hackjob because of that. He called it a hackjob because Linux has quite sloppy code. Even Linus Torvalds himself confirms this. See links below.

            http://www.tomshardware.com/news/Linux-Linus-Torvalds-kernel-too-complex-code,14495.html#comments

            "In an interview with German newspaper Zeit Online, Torvalds recently stated that Linux has become "too complex" and he was concerned that developers would not be able to find their way through the software anymore. He complained that even subsystems have become very complex and he told the publication that he is "afraid of the day" when there will be an error that "cannot be evaluated anymore."

            http://www.forbes.com/2005/06/16/linux-bsd-unix-cz_dl_0616theo.html

            “[Linux] is terrible,” De Raadt says. “Everyone is using it, and they don’t realize how bad it is. And the Linux people will just stick with it and add to it rather than stepping back and saying, ‘This is garbage and we should fix it.’”

            "Lok Technologies , a San Jose, Calif.-based maker of networking gear, started out using Linux in its equipment but switched to OpenBSD four years ago after company founder Simon Lok, who holds a doctorate in computer science, took a close look at the Linux source code.

            “You know what I found? Right in the kernel, in the heart of the operating system, I found a developer’s comment that said, ‘Does this belong here?’” Lok says. “What kind of confidence does that inspire? Right then I knew it was time to switch [away from Linux].”

            http://www.theregister.co.uk/2009/09/22/linus_torvalds_linux_bloated_huge/

            "LinuxCon 2009 Linux creator Linus Torvalds says the open source kernel has become "bloated and huge," with no midriff-slimming diet plan in sight."

            There are many many similar links of how bad the Linux code can be sometimes, I can post 20ish links with ease.

            The problems are because Linux focuses on getting the newest, hottest functionality as fast as possible. That is the reason Linux has five sound APIs right now, all of them broken. Five sound APIs add to the bloat that Linus Torvalds talks about in the link above. And the broken device driver model, let's not talk about that, there are always threads in every Linux forum on "i upgraded the kernel and now sound/etc/etc stopped work"...

            BSD has another philosophy, they add code more slowly with emphasis on stability and good design. OTOH, Linux has no design. Linus Torvalds himself said so: "Linux does not have a design, and never will have. We rewrite it all the time, until we have evolved into something better. Just like nature has evolved humans. Trial and error is superior to any design, look at how mother nature does it". This leads Linux to have a very high code turnover, basically every part is rewritten all the time. Which means the code is never old and mature. It is always new, and new code always has a lot of bugs.

            Do you understand why Linux is a hackjob? It is not stable and well designed, as Linus Torvalds himself opposes stable and well thought out design; trial and error is better, according to Linus (what a dumb thing to say!!). With emphasis on "error". That is the reason the prominent Linux developer Andrew Morton said this:

            http://lwn.net/Articles/285088/

            Q: Is it your opinion that the quality of the kernel is in decline? Most developers seem to be pretty sanguine about the overall quality problem.

            A: I used to think it was in decline, and I think that I might think that it still is. I see so many regressions which we never fix.

            http://www.kerneltrap.org/Linux/Active_Merge_Windows

            "The [linux source code] tree breaks every day, and it's becoming an extremely non-fun environment to work in. We need to slow down the merging, we need to review things more, we need people to test their f--king changes!"

            Bassbeast writes regarding the broken Linux device driver model (when Linus Torvalds changes the internal ABI, you need to hack/recompile all device drivers):

            "You have a MINIMUM of 150,000 drivers for Linux, yes? And we have several thousand NEW devices released weekly...how many Linux kernel devs are there again? 500? 1000? if you kept them working 24/7/365 on NOTHING but drivers the math still wouldn't work, all it would take is Torvalds changing a pointer (which considering I can wallpaper this page with "update foo broke my driver" posts appears to be Torvalds SOP) and it would take 3 to 4 YEARS just for them to give 5 minutes to each driver.

            So I'm sorry but you can bang your Linux bible all day long, what you are selling is about as believable as Adam riding a dinosaur. When every single OS on the planet OTHER than Linux has a stable device driver ABI are you REALLY gonna sit here and argue that Torvalds is smarter than every single OS designer on the entire planet? Really? If his driver model was good others would adopt it, they haven't and the reason why is obvious, it's not good.

            I'll leave you with this, if one of the largest OEMs on the entire planet can't get Linux to work without running their own fork, what chance does the rest of us have? "

            http://www.theinquirer.net/inquirer/news/1530558/ubuntu-broken-dell-inspiron-mini

            1. Anonymous Coward

              Re: "Linux is a hackjob"

              MadMike, personally I am quite reassured when the main people involved in a project show a keen awareness of the complexity and limitations of said project. It also gives me more confidence on their decisions, knowing that they have been taken on the basis of a frank and honest look at the problem. Those decisions might still turn out to be wrong sometimes, but none is perfect and we try to learn from it.

              What I value about Linux at this level, is precisely the openness and willingness to criticise and be criticised. As a FOSS contributor, I can assure you it takes quite some balls to post your code out there, with your name on it, for it to be potentially ripped to bits by unknown others for decades to come.

              You may have the nicest LinkedIn profile in the world, but I'd rather work with or hire somebody whose most spectacular fuck-ups are just one Google search away. At least I know exactly what I'm getting, and I also know that thin skin probably does not come with the package.

              Conversely, when your code gets praise from a developer that you know and respect, that's quite an uplifting feeling too. :)

              So in short, yes, our code sometimes sucks, but we're big enough to admit it and do something about it, if something needs to be done. What about yours?

            2. Jamie Jones Silver badge

              Re: "Linux is a hackjob" @MadMike

              Great post, Mike.

              I just say you're brave - prepare to be downvoted by the large number of linux-cultists on El Reg who will downvote any criticism of GPL/GNU/Linux however accurate and well reasoned it is

        2. Tom 38

          Re: So....

          > Interesting -- may we have a reference?

          Sure:

          openbsd.tech

          You are welcome. Stuart Henderson wrote the draft, but he forgot that part, and Damien Miller and I realized it was needed. We sensed there might be some ambiguity... we'll take care the next time an OpenOffice problem also.

          ... as long as you aren't using FreeBSD or a derivative (hint: Juniper), you are fine. That's the only place I know of an OpenSSH hole.

          Oh now I sense some angst. Please ask Kirk McKusick, he knows the story about why this is not being disclosed to FreeBSD. Sometimes I feel a bit sorry for them (and for him), but then the next minute I don't feel sorry because there's damn good reasons they won't be told about what I found.

    4. Anonymous Coward

      Re: So....

      > Throwing a hissy fit

      Can you please point out where?

      I take it you have read the actual discussions from where the quotes are taken, and which the author of this article has helpfully linked to.

      You are aware that you are reading a red-top, and that things will sometimes (often) be taken out of context for sensationalist effect, right? Some of us find this occasionally entertaining and that's why ElReg has an audience, but a responsible reader would not go making judgements without being in possession of sufficient and reliable facts and information.

  2. Anonymous Coward

    What law/legal requirement

    requires open ssl devs to tell libressl devs anything? They chose to fork it.

    1. Destroy All Monsters Silver badge

      Re: What law/legal requirement

      It's the law of not coming across as arseholes.

      1. Anonymous Coward

        Re: What law/legal requirement

        forking a codebase brings with it the requirement (on the forker) to continue monitoring, at least for a period of time, the progress on the project you fork. Consequently if aforementioned BSD person had done this he would have seen these changes and be professional enough to enquire about details. Ho hum

        1. Anonymous Coward

          Re: What law/legal requirement

          > if aforementioned BSD person had done this he would have seen these changes and be professional enough to enquire about details

          He (actually they) shouldn't have to. It's crap like this from people like the OpenSSL team that make me believe that the only responsible disclosure is immediate disclosure when you cannot rely on the maintainers (open or closed source) to not act like arseholes.

        2. Charlie Clark Silver badge

          Re: What law/legal requirement

          > forking a codebase brings with it the requirement (on the forker) to continue monitoring…

          Do you think that code to fix known but not yet publicly disclosed bugs goes into the public repository with comments like "fixes something we're not allowed to talk about"?

        3. WatAWorld

          Re: What law/legal requirement

          But that is the thing, the aforementioned BSD person had tried to do this but was thwarted by secrecy.

    2. Anonymous Coward

      Re: What law/legal requirement

      As the article clearly points out, they have an ethical requirement to tell the OpenBSD project. This appears to be what happened to other major projects that rely on OpenSSL, as evidenced by the release of updates from other projects or platforms similar to OpenBSD that were simultaneous with the security announcement.

      As for those people questioning the need to fork OpenSSL, I suggest they take a look at the commit logs for LibreSSL and various blog postings from the likes of TedU (most of which predate the decision to fork). These clearly show that the quality of the OpenSSL code is shocking with no apparent code reviews for third party submissions leading to a maintenance nightmare - code duplication, no consistency in error handling, dead code all over the place, bogus comments, etc. There is also the unwillingness of the OpenSSL developers to incorporate any but the most critical bug fixes from third parties, leading to a slew of fixes being left ignored in the OpenSSL bug tracker for years. Sure, they'll blindly accept third party submissions of entire subsystems or implementations of specific features - with no attempt to cleanly integrate them into the existing codebase - but once they're in the developers seem to be completely disinterested or incapable of applying third party improvements or fixes.

      1. RISC OS

        Re: What law/legal requirement

        But shouldn't it be the job of those who decide to fork something? Checking on development on what they forked and not the other way round? That would seem to make more sense.

        If I have a project on a public site like github... and 500 people make forks of it, and some people make forks of those forks, should it be up to me to tell everyone who forked it that there is a serious bug? Surely they should all be monitoring my project and see for themselves.

        1. Eddy Ito

          Re: What law/legal requirement

          OpenBSD 5.5, which was released only about a month ago, still relies on OpenSSL as did previous versions. It does seem a bit odd for the OpenSSL team to tell other distributions about the bug so they would have patches ready and not OpenBSD.

      2. the spectacularly refined chap

        Re: What law/legal requirement

        > As the article clearly points out, they have an ethical requirement to tell the OpenBSD project.

        De Raadt basically said "You guys can't be trusted with it, we are going to take care of it from now on." He accepted the responsibility, he has no-one else to blame when his inaction means that there is a problem with his code.

        Maybe the OpenSSL devs are stonewalling them, maybe not. To be honest I neither know nor care, but if you simultaneously insult a group of people and take credit for their work that means taking responsibility for the problems too.

    3. Anonymous Coward

      Re: What law/legal requirement @AC

      OpenSSL devs to LibreSSL devs: Fork Off!

  3. 02X7Cm

    This raises an interesting problem.

    About what to do about bugs that are so severe that it is kept off public bug trackers but can affect other forks/variants/systems?

    Here I guess the beef is they informed others but not the new fork.

    Well, honestly, you're not required to inform others, but, it is an opensource project, and the whole system works on a system of honor, so it's kinda irresponsible to not disclose it to dependent forks.

    But then again, if a project were to just disclose all such severe bugs to all who "want" it, I'd question its security. For all we know, the fork's developer could be working for the NSA/KGB/GCHQ :), I'm sure they could put such a window of opportunity to use. IMO LibreSSL isn't used or important enough to need to know such details at this moment in time.

    1. Destroy All Monsters Silver badge

      Re: This raises an interesting problem.

      > For all we know, the fork's developer could be working for the NSA/KGB/GCHQ

      Not informing people because they might work for a TLA about an exploit that said TLA quite likely knew about years ago?

      Hollywood logic.

      1. Anonymous Coward

        Re: This raises an interesting problem.

        > Not informing people because they might work for a TLA

        Or because you might work under an NDA. :(

        > Hollywood logic.

        Business logic. Not necessarily good logic.

  4. Anonymous Coward

    Soo...

    They (the developers of LibreSSL) basically said that they'd make a secure version but were incapable of finding the undisclosed bugs in the existing code. I guess they didn't sit down and really dig through the code they'd forked even though they must have known it was flawed. Doesn't sound too promising for the future of their code.

    1. Destroy All Monsters Silver badge

      Re: Soo...

      > they must have known it was flawed

      How does one do that? Though making sure these flaws can be discovered at all is the whole point of the effort.

      > Doesn't sound too promising for the future of their code.

      The OTHER conclusion is that there may well be additional bugs of the same class still hanging around in OpenSSL as these bugs do not exactly declare themselves even when one is cleaning up the existing codebase.

    2. foo_bar_baz

      "incapable of finding the undisclosed bugs"

      Auditing someone else's codebase might not be such a quick and easy task, perhaps?

    3. Dan 55 Silver badge

      Re: Soo...

      They always said that their plan was to get rid of the crap and only then could they start on the proper bugs, when they can actually read the code. They've been doing that for a month and a half but OpenSSL is the gift that keeps on giving.

      I suppose someone's pride at OpenSSL was wounded when their code was (very rightly) criticised. They also don't seem to be backporting LibreSSL's fixes which is also irresponsible.

      The day that the OpenSSL library can be removed and replaced with a softlink to the LibreSSL library is the day the security of the internet will go up 100%.

      1. WatAWorld

        45 days is not much time to audit the code of anything meaningful

        A month and a half, 45 days, is not much time to audit the code of anything meaningful, let alone think about designing fixes, coding the fixes, doing system testing, and doing regression testing.

  5. Destroy All Monsters Silver badge

    I see. I see.

    > His statements were met with some criticism centered on the original decision to fork OpenSSL rather than working with developers to improve its security.

    Name and shame, please!

    People who recommend turd polishing should not be allowed to operate in the vicinity of high-assurance code.

  6. Anonymous Coward

    Take a look at the changes LibreSSL made

    Take a look at www.opensslrampage.org to see some of the crap that the OpenBSD team has been finding and fixing in OpenSSL. Actually go there and read things (skip to the earliest comments for some of the more horrifying finds).

    1. m4r35n357 Bronze badge

      Re: Take a look at the changes LibreSSL made

      Yep. OpenSSL devs dropped the ball badly and didn't care. Now they are trying to sabotage the ones who do care. Die OpenSSL!

  7. WatAWorld

    Five-eyed vampire squid must be unhappy

    Five-eyed vampire squid must be unhappy.

    The possible impending need to subvert updates to OpenSSL and LibreSSL.

    And at a time when there might actually be a few of those so-called "many eyes" looking at this open source code.

  8. Alan J. Wylie

    Theo's previous response when asked if he'd like to be on a mailing list

    http://www.openwall.com/lists/oss-security/2014/05/02/7

    > Date: Fri, 02 May 2014 14:33:12 -0600
    > From: Theo de Raadt <deraadt@....openbsd.org>
    >
    > > Also cc'ing Theo so OpenBSD gets
    > > notified for sure. Speaking of which Theo: should we get you or an
    > > OpenBSD deputy (Bob Beck?) onto distros@?
    >
    > ...
    >
    > We don't get paid. And therefore, I don't know where I should find
    > the time to be on another mailing list. It is not like I would have
    > sent a mail to anyone. In general our processes are simply commit &
    > publish. So I'll decline.

    1. Dan 55 Silver badge

      Re: Theo's previous response when asked if he'd like to be on a mailing list

      Does he need to be on Red Hat's mailing list for OpenSSL to notify him about a vulnerability?

    2. Mr Spuratic

      Re: Theo's previous response when asked if he'd like to be on a mailing list

      https://plus.google.com/+MarkJCox/posts/L8i6PSsKJKs

      OpenSSL's timeline, that list was notified on 2014-06-02.

      OpenSSL's "official reason" for this is there too, it's because they're not on os-distros, see MarkJCox's post @08:53.

      (and there's a fine flame war in the comments there too)

      Meantime, Theo cranks it up a gear [NSFW] in openbsd-misc@

      http://marc.info/?l=openbsd-misc&m=140202938032160&w=2

  9. bigtimehustler

    Could this actually be down to the fact that no release versions of OpenBSD actually use the LibreSSL library yet? I mean, they say themselves it is scheduled to be included in a future release, so it isn't production code yet. They told all the players who have that code on production equipment as it will have a real effect on them; how will a couple of days' delay make any difference to a library not in production use?

    1. Decade

      Because, while they still use the OpenSSL library, they need the early disclosure to prepare packages for their own users.

      Also, being developed in the open, LibreSSL is doubtless already being installed in production systems somewhere.

      1. wbaw

        They don't have users, you'd need to be insane to consider using libressl on a production server right now, they've only just started (re)writing it.

  10. Pete Spicer

    As much as TdR is abrasive in style, he does actually care about security, and having been involved in forking software and having to deal with patches, I fully sympathise with his point of view.

    In fact, I just donated to OpenBSD because the OpenBSD project actually cares about code quality - and that means users benefit too. That's really important.

  11. ascasc

    As usual the press is wrong and there's a lot more to this story

    Except I invited Theo to join distros@ publicly:

    http://seclists.org/oss-sec/2014/q2/232

    and he turned it down:

    http://seclists.org/oss-sec/2014/q2/233

    I then privately emailed beck@ and invited him to join on June 1st, and he also turned it down.

    So not for lack of trying.

    And then Theo sent a large number of abusive emails privately and publicly:

    http://marc.info/?l=openbsd-tech&m=140202939732165&w=2

    And he has now decided he wants to join the list.

    So .. the only story here is that he chose not to participate, and then when he wasn't told he threw a tantrum. Classic Theo. And like most press you took the easy story and did no research. Shame on you.

    I'm so very tired of this.

    1. Anonymous Coward

      Re: As usual the press is wrong and there's a lot more to this story

      Lol @

      > I HAD TO CHANGE MY PASSWORD AT ALL OF MY ONLINE BANKING ACCOUNTS!
      > THEY KNOW THAT OPENSSL IS SHIT! HOW LONG DO YOU THINK THEY WILL
      > CONTINUE TO USE SHITE FROM OPENSSL?
      > THEY ARE NOT STUPID!

      Goes a long way to explain why Microsoft IIS is about to overtake Apache for market share for the first time ever. There have consistently been far fewer security vulnerabilities in the Microsoft stack for a long time now...

    2. Anonymous Coward

      Re: As usual the press is wrong and there's a lot more to this story

      > And like most press you took the easy story and did no research.

      I feel your pain. :(

  12. Javapapa

    Open source vs closed source

    With Five Eyes, all bugs are exploited.

  13. This post has been deleted by its author
