Referenced on The OpenBSD Foundation site.
tedu’s recap of the origins of libressl
Rude website. But I guess that is the gimmick of OpenBSD.
Yes, we’re all about gimmicks.
They won’t mind that you will never use LibreSSL.
TIL blink no longer works in Firefox.
Funny thing is, the site looks perfectly normal on Firefox/Android. Apparently KitKat is missing Comic Sans (boo hoo).
They apparently “fixed” it by handcoding the blink tag using CSS animations.
I’m saddened by the hostility on display in these comments. I had hoped that lobste.rs wouldn’t fall victim to that particular disease of the internet.
So… why Comic Sans? Is security supposed to be funny? I would have hoped that OpenBSD wouldn’t be so flippant about a clearly serious issue with a major component of modern computer security.
I donated to OpenSSL, but I definitely won’t be donating to these folks. Maybe when they decide to not be so sophomoric about this, I will change my mind.
So for years, months, weeks, people have been saying “Somebody needs to clean up OpenSSL. Somebody else, of course, but definitely not me.”
Now somebody is cleaning it up and all anyone wants to talk about is “ZOMG they use CVS”. And the web site font.
Consider the current design of the web site to be a kind of litmus test. Is the font used the most important criterion when you go to pick an SSL implementation? If you could pose one question to each SSL implementation, would “Why Comic Sans?” be that question?
It wasn’t the font in and of itself, but rather the overall attitude of the people developing this project (you can also view commit logs that take digs at former developer’s work). Maybe I am in the wrong, and it shouldn’t matter, but I tend to not respond well to the attitude that is taking place with this project. There’s a lot of smack talk taking place, and it’s probably unnecessary.
Maybe it’s different in the open source world, but I wouldn’t want that kind of ethos on my dev team.
So at the risk of being berated, I’m going to stand behind the decisions made by “the developers” who took on the task, and gave of their time to fix openssl. First, the folks who wrote openssl, however cordial and fluffy and pleasant they were on mailing lists and irc, did an absolutely abysmal job of writing software. This wasn’t just some piece of junk, inconsequential, resume booster on github. This was a library that was being used and trusted by enough people on the internet that the consequences from vulnerabilities and holes are likely to affect a solid, measurable portion of services on the internet. Most consumers have no idea how bad this software is… that is until a hole so big, so potentially devastating that upwards of 40% of internet sites needed to invest time emergency patching things.
The people who wrote openssl do not deserve to be complimented, well respected, or given the benefit of the doubt. Trust me when I say that the people who have taken time to dig into the former openssl code tested out the severity of things before they published information (Ted’s blog for instance). They understand what a mess it is because they’re in the trenches reading the code. Being “sophomoric” about things has been earned. It’s been earned by the people who have given their time, spent hours, days, weeks, reading code and fixing it, regression testing, sending out diffs, and making sure thousands of ports and packages still work. It’s been earned by the people who originally released this pathetic excuse for a cryptography library. Commit messages are harsh and we cry about it? Have you been on the internet lately? Have you read Hacker News? If you’d honestly spent time in the code, if you honestly understood how terrible the current state of openssl truly is/was, you wouldn’t be berating the people who are trying to improve software that much of the internet relies on.
We only care about CVS v. something else because we have to rely on a Tumblr to get hilarious commit messages, and, as you know from working with me in ye distant past, I for one most definitely pick my projects based on commit message hilarity.
See, that’s why you need to be subscribed to source-changes or you miss out on a lot of the other good stuff. I’ve managed to get about half the dialog from Conan the Barbarian into commits deleting files unrelated to OpenSSL.
I am imagining this:
Lead Developer: What is best in life?
Developer: The open source, fleet fingers, keyboard at your wrist, and the CVS in your hair.
Lead Developer: Wrong! Conan! What is best in life?
Developer Conan: To crush bad code, see bugs driven before you, and to hear the lamentation of HackerNews.
I’m not sure why people confuse “humorless” with “taking things seriously”.
“This software was written by programmers that wear suits and don’t smile. We might not write good code, but we take things oh so very seriously.”