OpenSSL promises devs advance notice of future bugs, slaps if they blab

In the wake of Heartbleed, the OpenSSL project has decided that *nix distributions that use the popular crypto pack will get advance notice of upcoming security-related bugfixes. The project has decided that distributions that ship with OpenSSL will get some advance notice of issues ahead of fixes – an announcement on the …

  1. the spectacularly refined chap

    Just hope it doesn't end up as lowest common denominator

    I suspect most of the main Linux distros will apply any simple fixes - small patches that don't require e.g. any new APIs - within a 24-48 hour time span. Ditto the principal BSD forks - Free, Net, and Open. On the other hand I can see minority or niche Linux distros and the minor BSD sub-forks taking weeks or months to get around to pushing out a fix. I suspect it will be quite similar for many commercial platforms, which will simply roll it into the monthly patches.

    Co-ordinated roll out has its merits but not at any cost. Even if a fix is applied to the software I am using before the end of the embargo I'd be reluctant to apply it without at least some indication of what it addresses. It's difficult to evaluate its necessity or desirability without at least some background.

    1. Charlie Clark Silver badge

      Re: Just hope it doesn't end up as lowest common denominator

      I'm pretty sure that the BSDs will go with LibreSSL and a rapid rollout.

  2. Anonymous Coward

    Too little, too late

    Telling the community when they find bugs is all very well, but that doesn't really address the underlying problems, which are that the OpenSSL code has gotten very crufty over the years, and there aren't enough people capable of working on the codebase to identify the bugs (something which is indirectly related to the first point).

    I predict LibreSSL will become the de facto standard on UNIX-like systems because the people writing it really know their security, and their code style is very clean -- which means it's easier for outsiders to review the code and identify bugs.

    1. h4rm0ny

      Re: Too little, too late

      Don't know who downvoted you. Having read the public statements from LibreSSL and seen the past history of the team who are doing it, it's clear to me that LibreSSL is going to be the one to back.

      1. Anonymous Coward

        Re: Too little, too late

        Have you ever looked at any of the OpenBSD-originated stuff? A lot of it is really quite crufty and relies on implementation-defined details being defined a particular way: we have already seen a few utterly avoidable LibreSSL bugs as a result in the brief time the project has been running, bugs addressed by the very OpenSSL code that was stripped out and condemned. Sure, the project is still in its early stages, but deliberately removing fixes for specific issues without checking why they are there is hardly sound engineering.

        They've only really got two things going for them: the first is that they religiously stick to KNF; consistency is always nice, but is where the whitespace goes really that important? The second is Theo de Raadt's ego, which is often wide of the mark, but unfortunately there are enough mugs out there to swallow his pontificating as if it was some incontrovertible truth.

  3. Sandtitz Silver badge

    What about non-distros?

    Several (most?) firewalls and other security appliances use OpenSSL. Are they second class citizens here?
