Miod Vallat [m...@online.fr] wrote:
> > Now you have an example of how they are unwilling to work with you next
> > time someone asks why not work with OpenSSL on fixing it. Pretty direct
> > proof.
>
> The culture gap between OpenSSL and OpenBSD/LibreSSL is UNFIXABLE.
>
> We believe in peer review; they don't give a sh*t about it (as shown
> less than a month ago by the way their #3317 bug was fixed, committing a
> different fix from the proposed one and introducing a stupid *and
> obvious* bug in the process - which got fixed the next day after otto@
> mentioned it to the OpenSSL developers).
>
> If you can't trust people to apply one-liner fixes correctly, can you
> trust them for anything serious?

I think this Networkworld article says it all... (and since when did interesting, critical analysis come from Networkworld!?)

http://www.networkworld.com/article/2360229/microsoft-subnet/critical-flaw-in-encryption-has-been-in-openssl-code-for-over-15-years.html

If you don't think that Robin Seggelmann is a paid stooge actively trying to sabotage OpenSSL (an idea rooted in paranoia?) then you may at least think he is careless, unable to use critical thought, and certainly doesn't need commit access to any source code repository. Am I late to the party? Or is it time to re-audit every single character of his code?

In the meantime, let Dr. Stephen N. Strangelove continue his mad plan to support VMS and Windows 3.1. Let him play games with LibreSSL "competitors" by denying advance notice. Perhaps next time Otto won't bother to inform them about their new stupid, obvious flaws in return?

It's low class for Dr. Strangelove and his team to behave like this, after the many repetitive attempts from @openbsd.org to bring OpenSSL into the new century.

OpenSSH became the de facto standard because it was the only serious free alternative for a long time. OpenSSL has always been free. So the culture difference is precisely what will drive people to, or away from, OpenSSL. (People from the culture of supporting ancient software and broken standards are going to choose OpenSSL every time!)