Improving structure and governance


Improving structure and governance

Salz, Rich

While we’re still waiting to hear from the core team about changes, I might as well add to the noise and throw this out there.

Perhaps openssl should become an Apache project? Keep the foundation for financial reasons, but use their infrastructure and such.  Or perhaps consider adopting a large portion of their “rules.”

                /r$

-- 
Principal Security Engineer
Akamai Technologies, Cambridge, MA
IM: [hidden email]; Twitter: RichSalz


Re: Improving structure and governance

Michael Sierchio
I've been thinking that the OpenSSL Foundation really needs to do better than simply being open to individual funders.  A lot of companies use the libraries, and asking for some proper do-re-mi is completely kosher.

More on this later, I'm in Florida this weekend (feel sorry for me).

- M


On Fri, Apr 25, 2014 at 6:36 AM, Salz, Rich <[hidden email]> wrote:

> While we’re still waiting to hear from the core team about changes, I
> might as well add to the noise and throw this out there.
>
> Perhaps openssl should become an Apache project? Keep the foundation for
> financial reasons, but use their infrastructure and such.  Or perhaps
> consider adopting a large portion of their “rules.”
>
>                 /r$
>
> --
> Principal Security Engineer
> Akamai Technologies, Cambridge, MA
> IM: [hidden email]; Twitter: RichSalz


Re: Improving structure and governance

Jakob Bohm-7
In reply to this post by Salz, Rich
On 4/25/2014 3:36 PM, Salz, Rich wrote:
> While we’re still waiting to hear from the core team about changes, I
> might as well add to the noise and throw this out there.
>
> Perhaps openssl should become an Apache project? Keep the foundation for
> financial reasons, but use their infrastructure and such.  Or perhaps
> consider adopting a large portion of their “rules.”
>

As a US based organization, Apache is unsuited and (given fairly recent
public news) untrusted to have any power of a project such as OpenSSL.

Additionally, the Apache foundation has accumulated so many important
projects over the last few years that they are becoming a single
point of failure for too many things (or "too big to fail" as it is
called in some other sectors).

Thus I think a different organization would be needed if OpenSSL were
to give up its independence.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Improving structure and governance

Awi
>
> As a US based organization, Apache is unsuited and (given fairly recent
> public news) untrusted to have any power of a project such as OpenSSL.
>
> Additionally, the Apache foundation has accumulated so many important
> projects over the last few years that they are becoming a single
> point of failure for too many things (or "too big to fail" as it is
> called in some other sectors).
>
> Thus I think a different organization would be needed if OpenSSL were
> to give up its independence.
>
>

There is a similar thread on the openssl-dev mailing list, and this
project was mentioned there:
http://www.theverge.com/2014/4/24/5646178/google-microsoft-and-facebook-launch-project-to-stop-the

So it's likely that in one way or another OpenSSL will be influenced by
US based organization(s).

Regards,
AW

Re: Improving structure and governance

Jakob Bohm-7
In reply to this post by Awi
On 4/25/2014 9:33 PM, Awi wrote:

>>
>> As a US based organization, Apache is unsuited and (given fairly recent
>> public news) untrusted to have any power of a project such as OpenSSL.
>>
>> Additionally, the Apache foundation has accumulated so many important
>> projects over the last few years that they are becoming a single
>> point of failure for too many things (or "too big to fail" as it is
>> called in some other sectors).
>>
>> Thus I think a different organization would be needed if OpenSSL were
>> to give up its independence.
>>
>>
>
> There is a similar thread on the openssl-dev mailing list, and this
> project was mentioned there:
> http://www.theverge.com/2014/4/24/5646178/google-microsoft-and-facebook-launch-project-to-stop-the
>
>
> So it's likely that in one way or another OpenSSL will be influenced by
> US based organization(s).
>

The involvement of Microsoft makes this initiative highly suspect, and
I wish the Linux Foundation had told them to get lost.  Ever since its
foundation, Microsoft has used every underhanded trick in the book to
sabotage open source projects (just remember Bill Gates' open letter
on the subject decades ago).

As long as Microsoft, Oracle etc. (or any of their friends) have any
direct or indirect influence over this fund, it should be shunned like
poison, even by projects not concerned with specific issues of US
influence.

I guess someone at the Linux Foundation got caught up in the heartbleed
panic and fell for the "We must do something, this is something, so we
must do this" fallacy.

Note that I am not an FSF fanatic, I truly believe in the cooperation
of open and closed source projects, and make my living from closed
source.  But I am sufficiently experienced to see the damage certain
other closed source companies can and will do to open source projects
relied upon by other companies.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Re: Improving structure and governance

Lee Fisher
> The involvement of Microsoft makes this initiative highly suspect, and
> I wish the Linux Foundation had told them to get lost.  Ever since its
> foundation, Microsoft has used every underhanded trick in the book to
> sabotage open source projects (just remember Bill Gates' open letter
> on the subject decades ago).

Recall that OpenSSL is used to implement the "Secure Boot" feature in
UEFI firmware. Any modern system that has a Windows8 logo on it has
OpenSSL in its firmware, unless the firmware vendor or OEM replaced
OpenSSL with another crypto lib. So MSFT does have a dependence on
OpenSSL working, else Windows can no longer Securely Boot. :-)

And Microsoft and the Linux Foundation work together on getting the Linux
EFI Shim signed so Linux can boot on these Windows PCs. :-( Granted,
commercial SUSE/RHAT/Ubuntu servers can get Secure Boot to work w/o MSFT
certs, but those are expensive enterprise boxes, not consumer devices
like this. :-(

The TianoCore.org project maintains a patch for OpenSSL (0.9x, not 1.x).
https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt

BTW, it's a shame that OpenSSL doesn't integrate that patch, and have
some UEFI-targeting compiler directive to integrate it.

There's also an old bug/feature in OpenSSL, related to UEFI use of
intermediate CAs, which UEFI is waiting for OpenSSL to deal with. It is
a shame that this has been unresolved for years.

http://sourceforge.net/p/edk2/mailman/message/29329799/
http://marc.info/?l=openssl-users&m=128943213002702

OpenSSL's use in nearly all modern systems' firmware seems like a
mainstream enough usage that they should take the EFI patch, and maybe
help with the intermediate CA feature/bug.

I hope new structure/governance in post-Heartbleed era will also take
into account OpenSSL's widespread use in modern firmware, not just OS
and app usage.

Thanks,
Lee

Re: Improving structure and governance

Tim Hudson
On 30/04/2014 4:23 AM, Blibbet wrote:
> The TianoCore.org project maintains a patch for OpenSSL (0.9x, not 1.x).
> https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/Patch-HOWTO.txt
>
> BTW, it's a shame that OpenSSL doesn't integrate that patch, and have
> some UEFI-targeting compiler directive to integrate it.

https://github.com/tianocore/edk2/blob/master/CryptoPkg/Library/OpensslLib/EDKII_openssl-0.9.8w.patch

If you read through the patch you'll quickly see why in its present form
it is unsuitable for integration.

e.g. globally changing SMIME from sha1 to sha256 isn't something
a user would expect to see, nor would a global disabling of all
time-based checking for certificate validity periods.

I also haven't seen any RT issue matching this raised - perhaps it was
somewhat indirect. But if anyone from the TianoCore project is
interested in engaging on working through this issue then they should
open an RT item so it can be tracked.

Tim.
