> I was reading stuff in misc@ about OpenSSL broken things. I see people from
> OpenBSD started the LibreSSL project and they are forking OpenSSL and removing
> the bad code. This is past, but I see more and more lesions are discovered.
> It may be a stupid question, but having all these, isn't it more efficient to
> start LibreSSL from zero?

Impossible.

The OpenSSL API was built up through accretion over almost 2 decades.
It is fat, bloated, repetitive, and tricky.  In general, application
authors have chosen to use the first APIs they spot which provide the
functionality they need.  As a result, almost all of the bloated API
is potentially used in the greater ecosystem.

It is quite simply impossible to reinvent this particular wheel.  Any
effort to reinvent it would be highly incompatible.  Features and
warts are too closely coupled.

> I know OpenBSD is short on staff, but the effort to start from zero
> code could be less than fixing the old code, I think. Or could it be
> that the OpenSSL code is not so broken? Can someone post here a
> percent of "usable" code?

Our team does not have the skill to rewrite this and be 100% compatible.
We think we have enough sensibility for a different process:

We will refine the codebase.  First we will remove things no one uses.
Then, we will clean up the issues as we see them, emphasizing care and
awareness of what mainstream applications use.  Finally, we would like
to apply light pressure against the worst & least used APIs, to
convince applications to move to safer APIs.  Shrink the API exposure,
simplify.  But that won't happen today.

Please be patient...
